GDPR

Personal data that stays lawful, secure and under your control

The GDPR demands lawful, transparent and accountable processing of personal data. Scrydon gives you residency, encryption, key control and audit by design — so privacy is enforced by the architecture your data already runs on.

What it is

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (Regulation (EU) 2016/679) governs how personal data of people in the EU/EEA is processed. It is built on principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. It grants individuals rights — including access, rectification, erasure, restriction, portability and objection — requires appropriate technical and organisational security measures, restricts international transfers, and can impose fines of up to 4% of global annual turnover.

At a glance
Jurisdiction: European Union / EEA
Applies to: Any organisation that processes the personal data of people in the EU/EEA, whether established in the Union or offering goods, services or monitoring from outside it.
How we help

How Scrydon helps you comply

Controls are built into the runtime, so compliance is something you can demonstrate with evidence drawn from the platform itself — not assembled after the fact.

Data residency and sovereignty

You choose where data lives and is processed, with self-hosted and sovereign deployment options. This makes data residency and international-transfer controls a deployment decision rather than a hope, helping you keep personal data within your chosen jurisdiction and lawful basis.

Encryption and key strategy

Secrets and data are protected with LOCAL, BYOK and HYOK key strategies, so you can hold your own keys (BYOK) or keep them entirely in your own custody (HYOK). Combined with an mTLS service mesh, this delivers the integrity and confidentiality measures the GDPR's security principle requires.

DLP and data minimisation

The DLP guardrails engine detects and can redact personal data in model inputs and outputs, supporting data minimisation and preventing inadvertent disclosure of personal data through AI features. Document clearance and classification keep sensitive records away from contexts where they should not appear.

Audit log and accountability

An immutable, queryable audit log records who accessed what, when and from where, with redaction and retention controls. This evidences the accountability principle and helps you respond to data-subject requests, demonstrate lawful access and investigate incidents.

Access control and data-subject rights

Three-tier access control — organisation roles, workspace membership and team grants — enforces least privilege over personal data. Granular, auditable access makes it practical to honour rights of access, rectification and erasure and to limit processing to those who genuinely need it.

Key requirements

What GDPR asks of you

  • Establish a valid lawful basis for every processing activity.
  • Apply data protection by design and by default.
  • Practise purpose limitation, data minimisation and storage limitation.
  • Implement appropriate technical and organisational security measures.
  • Enable data-subject rights such as access, rectification and erasure.
  • Control international transfers and keep records of processing activities.
  • Detect, document and, where required, report personal-data breaches.
FAQ

Frequently asked questions

How does Scrydon help with GDPR compliance?
Scrydon implements privacy by design: you control data residency and key custody (BYOK/HYOK), DLP guardrails minimise and redact personal data, three-tier access control enforces least privilege, and an immutable audit log evidences accountability. Together these address the GDPR's security, minimisation and accountability obligations. Scrydon gives you the technical and organisational measures and the records to evidence them; defining lawful bases, notices and your overall compliance posture remains your responsibility as controller.
Where is personal data stored and processed?
Wherever you choose. Scrydon is a European-native, sovereign platform with self-hosted and in-region deployment options, so personal data can remain within the EU/EEA or another jurisdiction you select. This gives you direct control over data residency and helps you manage the GDPR's restrictions on international transfers.
Can we hold our own encryption keys?
Yes. Secrets management supports LOCAL, BYOK (bring your own key) and HYOK (hold your own key) strategies. With BYOK or HYOK you retain control of the keys that protect personal data, strengthening the confidentiality and integrity measures the GDPR's security principle requires and reducing reliance on any external operator.
How does the platform support data-subject rights?
Granular three-tier access control and the queryable audit log let you locate, restrict and account for personal data across workspaces, which supports rights of access, rectification, erasure and restriction. Because access is logged and policy-governed, you can demonstrate exactly who could see a given record — useful both for fulfilling requests and for breach investigation.
Does using AI features risk leaking personal data?
The DLP guardrails engine scans inputs and outputs for personal data and can redact or block it, external AI vendors are opt-in, and document clearance controls what any model can see. This means AI and analytics features can be used over regulated data without that data leaving your control or appearing where it should not.