GDPR

Fenrir helps you produce audit-ready evidence for nine GDPR articles relevant to security of processing. This page lists the controls Fenrir checks automatically, and what you still need to do.

We're not lawyers

This page describes how Fenrir's compliance scheduler maps to GDPR articles. It's a tool to help your DPO, not a replacement for one. Get an actual lawyer or DPO to validate your implementation.

How the audit runs

The compliance scheduler runs once a day at compliance_schedule_hour (default 06:00 UTC). It executes a series of checks (one per control), evaluates each as pass / partial / fail, and writes a report to the compliance_reports table.

You can also trigger it on demand via the dashboard (POST /api/compliance/run) or the Telegram bot (/compliance).

The output is a JSON report and a self-contained HTML page (also exportable as PDF). The HTML is what you hand to an auditor.

The 9 controls Fenrir checks

Control                                   | What Fenrir does
------------------------------------------|-------------------------------------------------------------------------
Art. 5(1)(e) Storage limitation           | Verifies retention policy is configured and old events are auto-purged
Art. 5(1)(f) Integrity & confidentiality  | Checks SSH hardening, disk encryption, TLS, firewall
Art. 25 Data protection by design         | Inspects whether security defaults are in place from install
Art. 30 Records of processing             | Maintains the events table as the canonical processing log
Art. 32 Security of processing            | Encryption in transit, confidentiality controls, resilience, testing
Art. 33 Breach notification 72h           | Tracks open breaches with deadline + escalation
Art. 34 Communication to data subjects    | Verifies process & template existence (manual evidence)
Art. 35 DPIA                              | Verifies DPIA document exists and is current (manual evidence)
Art. 37 DPO appointment                   | Verifies DPO contact info is configured

Each control returns:

{
  "id": "GDPR-5.1.f",
  "status": "partial",
  "evidence": {
    "ssh_password_auth_disabled": true,
    "disk_encryption": false,
    "ssl_configured_sites": 5,
    "firewall_active": true,
    "checks_passed": 3,
    "checks_total": 4
  },
  "details": "Security controls: 3/4 passed (SSH, encryption, SSL, firewall)"
}

The evidence blob is what an auditor reads to understand why a status is pass or fail.
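The following is an added example of how a single control check can be written to produce a result in exactly the shape shown above. It is not Fenrir's own code: the evidence keys come from the sample report, but the names `check_integrity_confidentiality`, `classify` and `build_report`, the sample host facts, and the threshold rule (all checks pass is `pass`, none is `fail`, anything in between is `partial`) are assumptions for illustration.

```python
"""Added example: one compliance control in the per-control result shape.

Not Fenrir's code. The evidence keys match the sample report; the
pass/partial/fail threshold rule and all function names are assumptions.
"""
import json
from datetime import datetime, timezone

# Constructed sample of host facts. In a real collector these would come from
# probing sshd_config, block devices, web server config and the firewall.
SAMPLE_HOST_FACTS = {
    "ssh_password_auth_disabled": True,
    "disk_encryption": False,
    "ssl_configured_sites": 5,
    "firewall_active": True,
}

# (label used in the details string, evidence key, predicate over the value)
INTEGRITY_CHECKS = [
    ("SSH", "ssh_password_auth_disabled", lambda v: v is True),
    ("encryption", "disk_encryption", lambda v: v is True),
    ("SSL", "ssl_configured_sites", lambda v: isinstance(v, int) and v > 0),
    ("firewall", "firewall_active", lambda v: v is True),
]


def classify(passed: int, total: int) -> str:
    """Map a pass count onto the three statuses the scheduler uses."""
    if total == 0:
        return "fail"  # no evidence collected must never read as a pass
    if passed == total:
        return "pass"
    if passed == 0:
        return "fail"
    return "partial"


def check_integrity_confidentiality(facts: dict) -> dict:
    """Evaluate Art. 5(1)(f) and return a control result like the sample."""
    evidence = {}
    passed = 0
    for label, key, predicate in INTEGRITY_CHECKS:
        value = facts.get(key)  # a missing fact is recorded and counts as failed
        evidence[key] = value
        if predicate(value):
            passed += 1
    total = len(INTEGRITY_CHECKS)
    evidence["checks_passed"] = passed
    evidence["checks_total"] = total
    labels = ", ".join(label for label, _, _ in INTEGRITY_CHECKS)
    return {
        "id": "GDPR-5.1.f",
        "status": classify(passed, total),
        "evidence": evidence,
        "details": f"Security controls: {passed}/{total} passed ({labels})",
    }


def build_report(facts: dict) -> dict:
    """Wrap control results in a daily report row (assumed shape).

    The overall status is the worst of the per-control statuses, so a single
    failing control is visible at the top of the report.
    """
    controls = [check_integrity_confidentiality(facts)]
    overall = "pass"
    for control in controls:
        if control["status"] == "fail":
            overall = "fail"
        elif control["status"] == "partial" and overall == "pass":
            overall = "partial"
    return {
        "run_at": datetime.now(timezone.utc).isoformat(),
        "overall": overall,
        "controls": controls,
    }


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_HOST_FACTS), indent=2))
```

Recording the raw value of every fact in `evidence`, including `None` for facts the collector could not gather, is what lets an auditor see why a status was assigned rather than having to trust the summary line.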

Article 33 in detail (the painful one)

GDPR Art. 33 says: when you have a personal data breach, you must notify the supervisory authority within 72 hours of becoming aware. Article 34 says: notify affected data subjects "without undue delay" if the breach is high-risk to their rights.

Fenrir helps you survive this by:

  1. Auto-creating breach records for events that meet "personal data breach" criteria (severity ≥ HIGH involving authentication, exfiltration, unauthorized access).
  2. Tracking the 72-hour deadline with escalation reminders (default at 30 min, 2 h, 6 h, 24 h before deadline).
  3. Logging containment actions — what you did to stop the bleeding.
  4. Recording DPO acknowledgment — proof that your DPO was made aware.
  5. Surfacing all of the above on the compliance dashboard, with status open / notified / closed.

What Fenrir does not do:

  • Send the actual notification to the supervisory authority (you do this — usually via your country's online portal: Garante in Italy, CNIL in France, BfDI in Germany, etc.).
  • Write the notification email to data subjects (templates are your DPO's job; Fenrir provides scaffolding in data/breach_templates/ once you create it).
  • Decide whether a given event is a personal data breach — that's a judgment call. Fenrir creates a draft record; your DPO reviews and either notifies or closes as false positive.

Configuration

# .env
BREACH_NOTIFICATION_ENABLED=true
BREACH_NOTIFICATION_EMAIL=[email protected]
BREACH_ESCALATION_MINUTES=30,120,360,1440

When a breach record is created, the configured email gets an HTML notification with the deadline and a link to the dashboard for review.
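As an added example of the deadline and escalation arithmetic described in this section (it is not Fenrir's own code), the block below models a breach record with the open / notified / closed statuses, derives the 72-hour deadline from the moment of awareness, and decides which reminders from BREACH_ESCALATION_MINUTES are due at a given time. The class and function names (`BreachRecord`, `due_reminders`, `mark_notified`, `at`) and the constructed timestamp are assumptions; the default offsets are the documented 30,120,360,1440.

```python
"""Added example: Art. 33 deadline tracking and escalation reminders.

Not Fenrir's code. Assumes BREACH_ESCALATION_MINUTES is a comma-separated
list of minutes before the deadline, as in the documented configuration.
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)  # Art. 33(1)
DEFAULT_ESCALATION = "30,120,360,1440"     # documented default


def parse_escalation(value: str) -> list[int]:
    """Parse '30,120,360,1440' into offsets, largest first (earliest reminder)."""
    minutes = set()
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        m = int(part)  # raises ValueError on junk rather than silently skipping
        if m <= 0:
            raise ValueError(f"escalation offset must be positive: {part}")
        minutes.add(m)
    if not minutes:
        raise ValueError("no escalation offsets configured")
    return sorted(minutes, reverse=True)


@dataclass
class BreachRecord:
    event_id: str
    became_aware_at: datetime  # must be timezone-aware (UTC)
    status: str = "open"       # open / notified / closed
    containment_actions: list[str] = field(default_factory=list)
    dpo_acknowledged_at: Optional[datetime] = None
    reminders_sent: set[int] = field(default_factory=set)

    @property
    def deadline(self) -> datetime:
        return self.became_aware_at + NOTIFICATION_WINDOW

    def time_remaining(self, now: datetime) -> timedelta:
        return self.deadline - now


def at(record: BreachRecord, hours: float) -> datetime:
    """Clock time a given number of hours after the record was opened."""
    return record.became_aware_at + timedelta(hours=hours)


def due_reminders(record: BreachRecord, now: datetime, offsets: list[int]) -> list[int]:
    """Offsets whose reminder should fire now.

    A reminder for offset m fires once the clock is within m minutes of the
    deadline, the record is still open, and it has not already been sent.
    Offsets that were missed (e.g. the scheduler was down) are still returned
    on the next run rather than being skipped.
    """
    if record.status != "open":
        return []
    remaining = record.time_remaining(now)
    return [m for m in offsets
            if remaining <= timedelta(minutes=m) and m not in record.reminders_sent]


def mark_notified(record: BreachRecord, now: datetime, authority: str) -> None:
    """Record that a human notified the supervisory authority."""
    record.containment_actions.append(f"{now.isoformat()} notified {authority}")
    record.status = "notified"


if __name__ == "__main__":
    offsets = parse_escalation(os.environ.get("BREACH_ESCALATION_MINUTES", DEFAULT_ESCALATION))
    aware = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    rec = BreachRecord(event_id="evt-0001", became_aware_at=aware)
    for hours in (1, 49, 66, 71.8):
        now = at(rec, hours)
        due = due_reminders(rec, now, offsets)
        print(f"+{hours:>5}h remaining={rec.time_remaining(now)} due={due}")
        rec.reminders_sent.update(due)
```

Reminders are keyed on the offset that triggered them and stored on the record, so a scheduler that runs once a day (or that missed a run) delivers each escalation exactly once, and nothing fires at all once the DPO has moved the record to notified or closed.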

What you still need to do (manually)

Fenrir is a tool. You still need:

  • A real DPO (or someone formally designated, even part-time).
  • A DPIA for your processing activities (Fenrir provides a template scaffolding but the content is yours).
  • A breach communication template for data subjects (Italian/English/whatever you operate in).
  • A record of processing activities at the organizational level (Art. 30) — Fenrir captures the security event log, but you still need the high-level register of which categories of personal data you process, on what legal basis, etc.
  • Vendor due diligence for Fenrir itself, OpenRouter, Anthropic, etc. — sign DPAs, document Article 28 sub-processor relationships.

What an audit looks like

The auditor asks: "Show me how you handle breach notifications."

You open the Fenrir dashboard → Compliance tab → click "Generate report (PDF)". You hand them:

  • The list of breach records over the audit period
  • For each: timestamp opened, deadline, current status, containment actions log, DPO acknowledgment timestamp
  • Daily compliance audit history showing the breach-tracker check has been passing (or, honestly, partial or fail, with a statement of what the gap is)

If the auditor wants to dig deeper, the dashboard exposes the underlying investigation_reports and events rows — full traceability from log line to verdict to action.

That's the value: traceability + automation + honesty. Not "Fenrir solves GDPR" — it doesn't. But it gives the DPO a 10x head start on collecting evidence that would otherwise be a manual nightmare.