GDPR Compliance
Built-in support for GDPR data subject rights and sub-processor notification automation.
Overview
GaaS provides comprehensive support for GDPR compliance, including automated workflows for data subject rights requests (DSARs), consent management, and sub-processor change notifications. All features are accessible via API and the conversational dashboard.
Supported GDPR Articles:
- Article 17 — Right to Erasure ("right to be forgotten")
- Article 20 — Right to Data Portability
- Article 22 — Automated decision-making (the "right to explanation" for decisions GaaS makes about a data subject)
- Article 28 — Processor obligations (notification of sub-processor changes to the controller)
Article 17: Right to Erasure
Data subjects have the right to request deletion of their personal data. GaaS provides a two-step process: preview what will be deleted, then confirm to execute the erasure. Note that the erasure endpoint is scoped to the whole organization: it deletes every record category shown in the preview, not the records of one data subject, so check that the request in hand actually calls for a full tenant wipe before confirming.
Step 1: Preview Erasure
See exactly what data will be deleted before committing:
GET https://api.gaas.is/v1/org/{org_id}/data/erasure-preview
X-API-Key: your_api_key
Response includes counts of records to be deleted:
{
"preview": {
"audit_records": 1247,
"decisions": 1189,
"escalations": 58,
"onboarding_records": 3,
"api_keys": 2,
"webhooks": 4,
"drip_subscriptions": 1,
"waitlist_entries": 0,
"consent_records": 5
},
"warning": "This action is irreversible. All data will be permanently deleted."
}
Step 2: Confirm Erasure
Execute the deletion (requires the admin role). The confirmation string must be sent in the request body; some HTTP clients drop bodies on DELETE requests, so verify that yours actually sends it:
DELETE https://api.gaas.is/v1/org/{org_id}/data/erase
X-API-Key: your_api_key
{
"confirmation": "PERMANENTLY_DELETE_ALL_DATA"
}
Response confirms deletion:
{
"status": "erased",
"deleted_counts": {
"audit_records": 1247,
"decisions": 1189,
"escalations": 58,
...
},
"erased_at": "2026-02-13T10:45:00Z"
}
Article 20: Right to Data Portability
Data subjects can request a machine-readable export of their data. GaaS returns a comprehensive JSON export of all organization data; the export is organization-wide rather than per data subject, and it includes the api_keys and webhooks categories, so handle the exported file as sensitive.
Full Data Export
GET https://api.gaas.is/v1/org/{org_id}/data/export
X-API-Key: your_api_key
Response includes all data in structured JSON format:
{
"org_id": "org_abc123",
"export_timestamp": "2026-02-13T10:50:00Z",
"data": {
"audit_records": [ ... ],
"decisions": [ ... ],
"escalations": [ ... ],
"onboarding_records": [ ... ],
"api_keys": [ ... ],
"webhooks": [ ... ],
"drip_subscriptions": [ ... ],
"consent_records": [ ... ]
}
}
Selective Export
Export only specific data categories using query parameters:
GET https://api.gaas.is/v1/org/{org_id}/data/export?include=decisions,escalations,audit_records
X-API-Key: your_api_key
Available categories: audit_records, decisions, escalations, onboarding, api_keys, webhooks, drip, consent. Note that the short names onboarding, drip and consent select the onboarding_records, drip_subscriptions and consent_records keys of the response.
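The erasure and export sections above describe one procedure an integrator would run for a DSAR: export first (the retention record), then preview, confirm and reconcile the erasure. The following is an added example, not GaaS's own code. The endpoint paths, the X-API-Key header and the confirmation string are taken from the page; the function names, the injectable transport, the fake offline transport and all sample data are this example's assumptions.

```python
"""Added example (not GaaS code): a DSAR runbook for the org-level endpoints
above: export first, then preview, confirm and reconcile the erasure. Endpoint
paths, header and confirmation string are from the page; the function names,
the injectable transport and all sample data are this example's assumptions."""
import hashlib
import json
import urllib.request

API_BASE = "https://api.gaas.is/v1"
CONFIRMATION = "PERMANENTLY_DELETE_ALL_DATA"

# Counts copied from the erasure-preview example on the page; export body constructed.
SAMPLE_PREVIEW = {"audit_records": 1247, "decisions": 1189, "escalations": 58,
                  "onboarding_records": 3, "api_keys": 2, "webhooks": 4,
                  "drip_subscriptions": 1, "waitlist_entries": 0, "consent_records": 5}
SAMPLE_EXPORT = {"org_id": "org_abc123", "export_timestamp": "2026-02-13T10:50:00Z",
                 "data": {"decisions": [{"decision_id": "dec_abc123", "verdict": "block"}]}}


def http_transport(method, url, api_key, body=None):
    """Production transport. urllib's Request(method=...) does send a body on
    DELETE; some HTTP clients silently drop it, which loses the confirmation."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read())


def make_fake_transport(preview_counts, deleted_counts, api_key="test_key"):
    """Constructed offline stand-in for the API with the same call signature."""
    calls = []

    def transport(method, url, key, body=None):
        calls.append((method, url, body))
        if key != api_key:
            return 401, {"error": "unauthorized"}
        if method == "GET" and url.endswith("/data/erasure-preview"):
            return 200, {"preview": preview_counts, "warning": "This action is irreversible."}
        if url.endswith("/data/erase"):
            if method != "DELETE" or (body or {}).get("confirmation") != CONFIRMATION:
                return 400, {"error": "confirmation required"}
            return 200, {"status": "erased", "deleted_counts": deleted_counts,
                         "erased_at": "2026-02-13T10:45:00Z"}
        if method == "GET" and "/data/export" in url:
            return 200, SAMPLE_EXPORT
        return 404, {"error": "not found"}

    transport.calls = calls
    return transport


def sha256_hex(obj):
    """Digest over canonical JSON, stored alongside the archived export."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def export_for_record(transport, org_id, api_key, include=None):
    """GET /data/export, selective when `include` lists categories; returns (export, digest)."""
    url = f"{API_BASE}/org/{org_id}/data/export"
    if include:
        url += "?include=" + ",".join(include)
    status, export = transport("GET", url, api_key)
    if status != 200:
        raise RuntimeError(f"export failed: HTTP {status} {export}")
    return export, sha256_hex(export)


def reconcile(preview, deleted_counts):
    """category -> (expected, actual) for every count that differs between preview and result."""
    mismatches = {}
    for category in set(preview) | set(deleted_counts):
        expected, actual = preview.get(category), deleted_counts.get(category)
        if expected != actual:
            mismatches[category] = (expected, actual)
    return mismatches


def erase_org(transport, org_id, api_key, approve):
    """Two-step erasure. `approve(preview, total)` is your human or ticket gate;
    returning False aborts before anything is deleted."""
    base = f"{API_BASE}/org/{org_id}/data"
    status, body = transport("GET", f"{base}/erasure-preview", api_key)
    if status != 200:
        raise RuntimeError(f"preview failed: HTTP {status} {body}")
    preview = body["preview"]
    if not approve(preview, sum(preview.values())):
        return {"status": "aborted", "preview": preview}
    status, result = transport("DELETE", f"{base}/erase", api_key,
                               {"confirmation": CONFIRMATION})
    if status != 200 or result.get("status") != "erased":
        raise RuntimeError(f"erase failed: HTTP {status} {result}")
    return {"status": "erased", "erased_at": result["erased_at"],
            "mismatches": reconcile(preview, result["deleted_counts"])}


def run_dsar(transport, org_id, api_key, approve):
    """Export (the retention record) before erasing; returns the outcome plus the export digest."""
    export, digest = export_for_record(transport, org_id, api_key)
    outcome = erase_org(transport, org_id, api_key, approve)
    outcome.update(export_sha256=digest, exported_at=export["export_timestamp"])
    return outcome


if __name__ == "__main__":
    fake = make_fake_transport(SAMPLE_PREVIEW, dict(SAMPLE_PREVIEW))
    print(run_dsar(fake, "org_abc123", "test_key", approve=lambda p, total: total == 2509))
```

The approval callback is where the ticketing integration goes: it receives the preview counts and their total, and anything other than an explicit True stops the run before the DELETE is sent. The reconciliation step compares the preview against deleted_counts so a silent partial erasure shows up in the DSAR record rather than being assumed.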
Article 22: Right to Explanation
When GaaS makes an automated decision (block, modify, or escalate an agent action), data subjects have the right to understand why. GaaS provides human-readable explanations derived from the full governance pipeline.
Get Decision Explanation
GET https://api.gaas.is/v1/org/{org_id}/decisions/{decision_id}/explanation
X-API-Key: your_api_key
Response includes plain-English reasoning:
{
"decision_id": "dec_abc123",
"verdict": "block",
"explanation": {
"summary": "Action blocked due to critical policy violation: attempted access to regulated patient data without verified consent.",
"reasoning_chain": [
"Intent validated: Agent 'healthcare_bot' requested ACCESS to PERSON record.",
"Context enrichment: Target identified as patient with HIPAA-protected data.",
"Policy evaluation: Critical compliance policy (HIPAA consent gate) returned FAIL.",
"Deliberation bypassed due to critical policy fast-fail.",
"Final verdict: BLOCK"
],
"policies_triggered": [
{
"policy_id": "consent_verification",
"name": "HIPAA Consent Verification",
"verdict": "fail",
"reasoning": "No consent record found for patient ID p_12345 and purpose 'billing_inquiry'."
}
],
"risk_score": 0.92,
"risk_level": "critical"
}
}
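Before an explanation like the one above is forwarded to a data subject as the Article 22 response, it is worth checking that it is internally consistent (a stated verdict, a reasoning chain that ends in that verdict, a failing policy behind every block, a sensible risk score). The following validator is an added example, not part of GaaS; the field names follow the response shown on the page, while the checks, the function names and the set of expected verdicts (the block, modify and escalate decisions the page names) are this example's assumptions.

```python
"""Added example (not GaaS code): sanity-check an Article 22 explanation before
it is forwarded to a data subject. Field names follow the response above; the
checks and the expected-verdict set are this example's assumptions."""

AUTOMATED_VERDICTS = {"block", "modify", "escalate"}  # the decisions the page names

# Copied from the explanation example on the page.
SAMPLE_EXPLANATION = {
    "decision_id": "dec_abc123",
    "verdict": "block",
    "explanation": {
        "summary": "Action blocked due to critical policy violation: attempted access "
                   "to regulated patient data without verified consent.",
        "reasoning_chain": [
            "Intent validated: Agent 'healthcare_bot' requested ACCESS to PERSON record.",
            "Context enrichment: Target identified as patient with HIPAA-protected data.",
            "Policy evaluation: Critical compliance policy (HIPAA consent gate) returned FAIL.",
            "Deliberation bypassed due to critical policy fast-fail.",
            "Final verdict: BLOCK",
        ],
        "policies_triggered": [{
            "policy_id": "consent_verification",
            "name": "HIPAA Consent Verification",
            "verdict": "fail",
            "reasoning": "No consent record found for patient ID p_12345 and purpose 'billing_inquiry'.",
        }],
        "risk_score": 0.92,
        "risk_level": "critical",
    },
}


def validate_explanation(doc):
    """Return a list of problems; an empty list means the explanation is usable."""
    problems = []
    verdict = doc.get("verdict")
    expl = doc.get("explanation") or {}
    if verdict not in AUTOMATED_VERDICTS:
        problems.append(f"unexpected verdict {verdict!r}")
    if not expl.get("summary"):
        problems.append("missing summary")
    chain = expl.get("reasoning_chain") or []
    if not chain:
        problems.append("empty reasoning_chain")
    elif verdict and not chain[-1].strip().upper().endswith(verdict.upper()):
        problems.append("last reasoning step does not state the verdict")
    policies = expl.get("policies_triggered") or []
    for p in policies:
        if not p.get("reasoning"):
            problems.append(f"policy {p.get('policy_id')!r} gives no reasoning")
    if verdict == "block" and not any(p.get("verdict") == "fail" for p in policies):
        problems.append("block verdict with no failing policy")
    score = expl.get("risk_score")
    if not isinstance(score, (int, float)) or not 0.0 <= score <= 1.0:
        problems.append("risk_score missing or outside [0, 1]")
    return problems


def subject_facing_text(doc):
    """Plain-language rendering for a DSAR reply; refuses an inconsistent explanation."""
    problems = validate_explanation(doc)
    if problems:
        raise ValueError("explanation not usable: " + "; ".join(problems))
    e = doc["explanation"]
    lines = [f"Decision {doc['decision_id']}: {doc['verdict'].upper()}", e["summary"], ""]
    lines += [f"{i}. {step}" for i, step in enumerate(e["reasoning_chain"], 1)]
    for p in e["policies_triggered"]:
        lines.append(f"Policy '{p['name']}' ({p['verdict']}): {p['reasoning']}")
    return "\n".join(lines)
```

Note that the policy reasoning in the sample names another identifier (a patient ID); whether such identifiers may be passed through to the requesting data subject is a decision for your DSAR process, not something the validator decides.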
Consent Management
GaaS tracks user consent for five processing purposes:
| Purpose | Description |
|---|---|
| governance | Intent evaluation and decision-making (required for service) |
| analytics | Aggregate usage analytics and dashboard metrics |
| learning | Policy calibration and continuous improvement |
| communications | Escalation notifications and product updates |
| third_party_sharing | Data sharing with sub-processors (e.g., Anthropic for LLM deliberation) |
View Consent Records
GET https://api.gaas.is/v1/org/{org_id}/consent
X-API-Key: your_api_key
Grant Consent
POST https://api.gaas.is/v1/org/{org_id}/consent
X-API-Key: your_api_key
{
"purpose": "learning",
"granted": true
}
Revoke Consent
DELETE https://api.gaas.is/v1/org/{org_id}/consent/{consent_id}
X-API-Key: your_api_key
The governance purpose is required to use GaaS; revoking it effectively terminates service. All other consents are optional and can be toggled independently.
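An integrator that caches the records from GET /consent needs a rule for turning them into an effective state (latest record per purpose wins, governance gates everything else) and a guard against revoking governance by accident. The following is an added example, not GaaS code. The five purposes and the "governance is required" rule come from the page; the record shape (consent_id, purpose, granted, recorded_at), the sample records and the function names are this example's assumptions.

```python
"""Added example (not GaaS code): effective consent from GET /consent records,
plus a gate for your own data flows. Purposes and the governance rule are from
the page; record shape, sample records and function names are assumed."""
from datetime import datetime

PURPOSES = {"governance", "analytics", "learning", "communications", "third_party_sharing"}
REQUIRED = "governance"

# Constructed sample records; the shape is an assumption about the GET /consent response.
SAMPLE_RECORDS = [
    {"consent_id": "cns_001", "purpose": "governance", "granted": True,
     "recorded_at": "2026-01-10T09:00:00Z"},
    {"consent_id": "cns_002", "purpose": "learning", "granted": True,
     "recorded_at": "2026-01-10T09:01:00Z"},
    {"consent_id": "cns_003", "purpose": "third_party_sharing", "granted": True,
     "recorded_at": "2026-01-10T09:02:00Z"},
    # later revocation of the same purpose must win over the earlier grant
    {"consent_id": "cns_004", "purpose": "third_party_sharing", "granted": False,
     "recorded_at": "2026-02-01T12:00:00Z"},
]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def effective_consents(records):
    """Latest record per purpose wins; purposes with no record are not granted."""
    latest = {}
    for r in records:
        if r["purpose"] not in PURPOSES:
            raise ValueError(f"unknown purpose {r['purpose']!r}")
        t = _ts(r["recorded_at"])
        if r["purpose"] not in latest or t > latest[r["purpose"]][0]:
            latest[r["purpose"]] = (t, bool(r["granted"]))
    return {p: latest[p][1] if p in latest else False for p in PURPOSES}


def is_permitted(purpose, consents):
    """Usable only if the purpose is granted AND governance is still granted."""
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose {purpose!r}")
    return bool(consents[REQUIRED] and consents[purpose])


def consent_change(purpose, granted):
    """Body for POST /org/{org_id}/consent. Refuses to revoke governance here,
    because that terminates service and should go through a deliberate path."""
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose {purpose!r}")
    if purpose == REQUIRED and not granted:
        raise ValueError("revoking governance terminates service; do it deliberately")
    return {"purpose": purpose, "granted": bool(granted)}


def revoke_url(org_id, consent_id):
    """Target for DELETE /org/{org_id}/consent/{consent_id}."""
    return f"https://api.gaas.is/v1/org/{org_id}/consent/{consent_id}"
```

The third_party_sharing purpose is the one to watch: once it is revoked, an integrator should stop handing records to flows that reach the LLM sub-processor, which is exactly what is_permitted returns False for in the sample.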
Article 28: Sub-processor Notification Automation
GDPR Article 28(2) requires a processor (GaaS) to inform the controller (you) of any intended addition or replacement of a sub-processor and to give you the opportunity to object; the regulation itself sets no fixed notice period. GaaS implements this as a 30-day advance notice with a 14-day objection window and automates the entire workflow.
How It Works
Admin Creates Sub-processor Change
GaaS administrators create a change record when a new sub-processor is added or an existing one is modified:
POST https://api.gaas.is/v1/subprocessor/changes
X-API-Key: admin_api_key
{
"name": "Acme AI Services",
"purpose": "LLM-based deliberation for governance decisions",
"location": "United States",
"change_type": "addition",
"effective_date": "2026-04-15"
}
Automated 30-Day Notice
GaaS automatically sends email notifications to all organizations 30 days before the effective_date. The email includes:
- Sub-processor name, purpose, and data location
- Change type (addition, modification, removal)
- Effective date
- Objection link (14-day window to object)
14-Day Objection Window
Organizations can object to the change by clicking the objection link in the email or visiting:
GET https://api.gaas.is/v1/subprocessor/object?token={secure_token}
This displays an HTML objection form. No API key is required: the token in the link is the only credential, so anyone who can read the notification email can file an objection on the organization's behalf. Keep that mailbox under the control of the people who own sub-processor decisions. Submitting the form records the objection and triggers a CRM event for manual follow-up.
Change Goes Live
If no objections are received within 14 days, or objections are resolved, the change becomes effective on the effective_date. Organizations are notified of the final status.
View Notification History
GET https://api.gaas.is/v1/subprocessor/notifications
X-API-Key: your_api_key
Response includes all notifications sent to your organization:
{
"notifications": [
{
"notification_id": "spn_abc123",
"change_id": "spc_xyz789",
"subprocessor_name": "Acme AI Services",
"sent_at": "2026-03-15T00:00:00Z",
"objection_deadline": "2026-03-29T23:59:59Z",
"objected": false,
"status": "pending"
}
]
}
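The notification history above carries everything needed to verify the 30-day notice and 14-day objection rules on your side and to alert before a window closes. The following monitor is an added example, not GaaS code: the notification fields are those of GET /subprocessor/notifications and the effective_date is taken from the change example, while the thresholds, the function names and the "now" values used for illustration are this example's assumptions.

```python
"""Added example (not GaaS code): check sub-processor notices against the
30-day notice and 14-day objection rules above, and alert on closing windows.
Notification fields and effective_date are from the page; thresholds, function
names and the illustrative 'now' values are assumed."""
from datetime import datetime, timedelta, timezone

NOTICE_DAYS = 30
OBJECTION_DAYS = 14

# Copied from the notification-history example; effective_date from the change example.
SAMPLE_NOTIFICATION = {
    "notification_id": "spn_abc123", "change_id": "spc_xyz789",
    "subprocessor_name": "Acme AI Services", "sent_at": "2026-03-15T00:00:00Z",
    "objection_deadline": "2026-03-29T23:59:59Z", "objected": False, "status": "pending",
}
SAMPLE_CHANGES = {"spc_xyz789": {"effective_date": "2026-04-15", "change_type": "addition"}}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _date(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def check_notice(notification, change):
    """Findings for one notice; an empty list means it meets the stated rules."""
    sent = _ts(notification["sent_at"])
    deadline = _ts(notification["objection_deadline"])
    effective = _date(change["effective_date"])
    findings = []
    if effective - sent < timedelta(days=NOTICE_DAYS):
        findings.append(f"notice period is {(effective - sent).days} days, below {NOTICE_DAYS}")
    if (deadline.date() - sent.date()).days != OBJECTION_DAYS:
        findings.append(f"objection window is not {OBJECTION_DAYS} days")
    if deadline > effective:
        findings.append("objection deadline falls after the effective date")
    return findings


def deadline_alerts(notifications, now, warn_days=3):
    """(notification_id, message) for pending, un-objected notices closing soon or closed."""
    alerts = []
    for n in notifications:
        if n["status"] != "pending" or n["objected"]:
            continue
        remaining = _ts(n["objection_deadline"]) - now
        if remaining < timedelta(0):
            alerts.append((n["notification_id"], "objection window closed"))
        elif remaining <= timedelta(days=warn_days):
            alerts.append((n["notification_id"], f"{remaining.days} day(s) left to object"))
    return alerts


def review(notifications, changes, now):
    """Combined report keyed by notification_id: rule findings plus deadline alerts."""
    report = {}
    for n in notifications:
        change = changes.get(n["change_id"])
        report[n["notification_id"]] = {
            "findings": check_notice(n, change) if change else ["unknown change_id"],
            "alerts": [msg for _, msg in deadline_alerts([n], now)],
        }
    return report


if __name__ == "__main__":
    print(review([SAMPLE_NOTIFICATION], SAMPLE_CHANGES, datetime(2026, 3, 27, tzinfo=timezone.utc)))
```

Run review on a schedule with the current time and route non-empty alerts to whoever owns sub-processor decisions; a finding from check_notice is worth raising with GaaS, since a notice shorter than the stated 30 days is a contractual problem rather than an operational one.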
Best Practices
- Preview before erasing: Always use the /erasure-preview endpoint before executing a deletion.
- Archive exports: Store data export JSON files securely for compliance records (7-year retention recommended).
- Automate DSAR workflows: Integrate GaaS GDPR endpoints into your internal DSAR ticketing system (Jira, Zendesk) for seamless processing.
- Monitor objection deadlines: Set up alerts for sub-processor objection windows to ensure timely response.
- Document consent changes: Maintain an audit trail of all consent grants/revocations (GaaS does this automatically).
- Test erasure in staging: Verify erasure workflows in a test environment before executing in production.
Compliance Certifications
GaaS is designed to support your GDPR compliance efforts:
- SOC 2 Type II audit in progress (Q2 2026)
- ISO 27001 certification planned (Q3 2026)
- Data Processing Agreement available on request (contact: legal@gaas.is)
- Sub-processor registry maintained in compliance docs (available to enterprise customers)
Related Pages
- API Reference — Complete endpoint documentation
- Authentication — API key setup and multi-tenancy
- Webhooks — Real-time event notifications