GDPR Compliance¶
The haagsman.ai Product Suite provides built-in GDPR compliance controls for organizations processing personal data of EU residents.
GDPR Rights Supported¶
| Right | Article | Implementation |
|---|---|---|
| Right of access | Art. 15 | /api/v1/admin/gdpr/export/{user_id} — export all data for a user |
| Right to erasure | Art. 17 | /api/v1/admin/gdpr/delete/{user_id} — delete all data for a user |
| Right to data portability | Art. 20 | Export endpoint returns machine-readable JSON |
| Records of processing | Art. 30 | Immutable audit log records all processing activities |
| Data protection by design | Art. 25 | Encryption at rest, RBAC, minimal data collection |
| Breach notification | Art. 33 | Audit logs enable 72-hour notification compliance |
Data Processing¶
What data is processed¶
| Product | Data types | Retention |
|---|---|---|
| Document Search | Uploaded documents, search queries | Configurable (default 365 days) |
| FAQ Chatbot | Knowledge base content, chat messages | Session: in-memory. Knowledge: configurable |
| Email Triage | Email sender, subject, body | Not stored after processing (stateless) |
| CRM Follow-ups | Contact names, emails, deal context | Not stored after processing (stateless) |
| Meeting Actions | Meeting transcripts | Not stored after processing (stateless) |
| Invoice Processor | Invoice PDFs, extracted financial data | Not stored after processing (stateless) |
| Social Media | Brand profiles, generated content | Not stored after processing (stateless) |
| Scheduling | Incoming messages, contact info | Not stored after processing (stateless) |
Data minimization¶
- Stateless products (Email Triage, CRM Follow-ups, etc.) process data in memory and do not persist it
- Document Search and FAQ Chatbot store indexed content but support configurable retention
- Audit logs record actions but not full request/response bodies
Data Retention¶
Auto-purge is enforced based on HAAGSMAN_DATA_RETENTION_DAYS:
The retention enforcer runs daily and removes:
- Indexed documents past retention date
- Audit log entries past retention date
- Stored files past retention date
Data Subject Requests¶
Export user data (Art. 15)¶
Returns all data associated with the user in JSON format, including audit trail entries.
Delete user data (Art. 17)¶
curl -X DELETE http://localhost:8100/api/v1/admin/gdpr/delete/user-123 \
-H "X-API-Key: hai_admin_key"
Permanently deletes all data for the user and logs the deletion event.
Data Processing Agreement (DPA)¶
Enterprise clients requiring a DPA can request one at niels@haagsman.ai. The DPA covers:
- Scope and purpose of processing
- Sub-processor list (LLM providers)
- Technical and organizational measures
- Data breach notification procedures
- Data return and deletion upon termination
Air-Gapped Deployment (Maximum Privacy)¶
For maximum data protection, deploy with Ollama:
In this configuration:
- No data is transmitted to any cloud service
- All AI processing happens on your infrastructure
- No sub-processors to declare in your DPA
- Full data sovereignty