| Requirement | AGCMS feature | Article |
|---|---|---|
| Records of processing | Audit log + Article 30 report endpoint | Art. 30 |
| Right to erasure | Two-admin-approval purge → tombstoned audit rows | Art. 17 |
| Data minimisation | PII redaction at gateway before forwarding to LLM | Art. 5(1)(c) |
| Security of processing | TLS 1.3, encryption at rest, signed audit chain | Art. 32 |
| Privacy by design | Default-deny policy posture + tenant-isolated RLS | Art. 25 |

Compliance

GDPR

EU personal-data handling.

The GDPR policy pack covers Articles 5, 17, 25, 30, and 32.

The pack ships an Article 30 report builder that produces a CSV or JSON
export of all processing activities for a date range, downloadable from
Reports → GDPR Art. 30.