GDPR software · EU-resident hosting

GDPR done right.
Not as bolt-on paperwork.

Modular GDPR compliance software with structured RoPA, AI-assisted DPIA, data subject rights workflows, 72-hour breach notification, and DPO support — all in your environment, with your AI keys, hosted in the EU.

Built for the GDPR obligation surface

From Article 5 principles to Article 49 transfers — every chapter has the bricks it needs and none it doesn't.

Records of Processing (Art. 30)

Structured RoPA with controllers, processors, lawful bases, retention periods, transfer mechanisms, security measures. Updates trigger DPIA review where Article 35 thresholds are met. Auditor-ready export.

DPIA workflow (Art. 35)

Systematic-description template, necessity and proportionality analysis, risks-to-data-subjects assessment, mitigation tracking. AI-assisted scoring. Article 36 supervisory-authority consultation flagged when residual risk remains high.

Data subject rights (Art. 12–22)

Workflow for the eight rights — access, rectification, erasure, restriction, portability, objection, automated decisions, transparency. SLA-tracked response times (1 month, extendable to 3 with rationale). Audit-ready evidence per request.

Breach notification (Art. 33–34)

72-hour clock from awareness, supervisory authority notification template, data-subject-notification trigger if Article 34 thresholds are met. Cross-border lead-supervisory-authority routing. Status queryable from the dashboard.

Security of processing (Art. 32) + transfers (Art. 44–49)

Article 32 controls integrate with your ISO 27001 brick if you have one — pseudonymisation, encryption, integrity, confidentiality. Article 44–49 transfer mechanisms tracked: SCCs, BCRs, adequacy decisions, derogations. Schrems II transfer impact assessments captured.

EU-resident hosting + BYO AI keys

Hosted in the EU (Frankfurt) by default. AI-assisted evidence review runs against your own OpenAI / Anthropic / Azure OpenAI / local model — your provider, your billing, your audit trail. Per-tenant isolation by default. Signed DPA available.

Why GDPR keeps mattering

The General Data Protection Regulation (Regulation (EU) 2016/679) became applicable on 25 May 2018. Eight years later it is still the operative privacy regime across the EEA, replicated in substance by the UK GDPR, and used as the template for many other privacy laws around the world. The regulation is structured around principles (Art. 5), lawful bases (Art. 6), the special-category data regime (Art. 9), data subject rights (Art. 12–22), accountability (Art. 24–43), and remedies / fines / supervision (Art. 77–84).

Three things make GDPR persistently load-bearing for B2B SaaS:

  • Procurement gating. Enterprise buyers in the EU and UK refuse to sign without a DPA, RoPA evidence on request, breach-notification commitments, and Schrems II transfer impact assessments where data leaves the EEA. Without these, the deal stalls.
  • Substantial fines. Up to 4% of global annual turnover or €20m, whichever is higher, for serious violations. The supervisory authorities have used the upper end of that range repeatedly since 2021.
  • EU AI Act dovetailing. The new EU AI Act explicitly defers to GDPR for personal-data aspects of high-risk AI systems. If you use AI, you need GDPR posture before the AI Act posture.

BrickGRC's GDPR brick is structured around the regulation's chapters rather than treating GDPR as a checklist. The RoPA is the live spine; DPIAs and DSARs hang off the RoPA; breach notifications integrate with the security incident workflow; transfer assessments document Schrems II analysis per recipient. EU-resident hosting and BYO AI keys mean your buyers' data residency requirements are met by infrastructure, not just by claim.

If you're EU-targeting and pursuing ISO 27001 / SOC 2 in parallel, evidence collected for those frameworks rolls into Article 32 (security of processing) automatically. If you're also in scope for the EU AI Act, the data-governance article (Art. 10) of the AI Act draws on GDPR's data minimisation and accuracy principles directly.

GDPR with BrickGRC — common questions

Does BrickGRC cover the full GDPR obligation surface?

Yes. The GDPR brick covers the principles (Art. 5), lawful basis (Art. 6), special-category data (Art. 9), data subject rights (Art. 12–22), data governance and accountability (Art. 24, 25, 28, 30, 35, 37–39), breach notification (Art. 33–34), security of processing (Art. 32), and international transfers (Art. 44–49).

Does BrickGRC handle Records of Processing (RoPA)?

Yes. Article 30 RoPA is a structured artifact — register processing activities, controllers/processors, lawful bases, retention periods, transfer mechanisms, and security measures. Updates trigger DPIA review where Article 35 thresholds are met.

Can I run a DPIA in the platform?

Yes. The DPIA template walks through systematic description, necessity and proportionality, risks to data subjects, and mitigation. Scoring is AI-assisted, and Article 36 supervisory authority consultation is flagged for processing where residual risk remains high.

Does the platform handle breach notification timing?

Yes. The breach workflow tracks the 72-hour notification clock from awareness, generates the supervisory authority notification template, and triggers data-subject notification if Article 34 thresholds are met.

Is BrickGRC itself GDPR-compliant as a processor?

Yes. EU-resident hosting (Frankfurt), per-tenant isolation, signed DPA available, DSAR procedures in place. Subprocessors and international transfers documented in the Privacy Policy.

What about UK GDPR / Swiss DPA?

UK GDPR runs as a parallel framework with the same Article structure (divergences are minor at this writing). Swiss FADP and other adequacy regimes can be addressed via custom-template bricks layered on top of the EU GDPR brick.

Start your GDPR programme today.

Pick the GDPR brick, build the RoPA, and let the AI Coach handle the evidence. EU-resident hosting and BYO AI keys included by default.
