Maps to ISO 27701 and the GDPR
- Records of processing activities (GDPR art. 30)
- Data location overview per data category
- Retention periods defined and technically enforced
- Six-month post-termination retention at organisation level; permanent deletion thereafter, confirmed in writing
- Data deletion procedure with confirmation to the customer
- Data subject request procedure (GDPR art. 15-22)
- Breach notification procedure (within 56 hours to the customer)
- DPIA template and completed DPIAs for high-risk processing
- Privacy by design and privacy by default in product development
- Data minimisation and pseudonymisation where possible
- International transfer mechanisms documented (SCCs for Mode B)
- Sub-processor management with 30-day customer notification
- Controller and Processor role split per use case