Data Protection Impact Assessment (DPIA)
AiEGIS AI Agent Security Platform — GDPR Compliance Assessment
1. Data Processed
| Category | Data Elements | Sensitivity |
|---|
| Agent Registration | Agent name, type, owner email, API key hash, creation date | LOW |
| Action Logs | Timestamps, action type, target resource, outcome | LOW |
| Compliance Scans | Risk level, EU AI Act article mapping, scan timestamp | LOW |
| Behavioural Baselines | Aggregated metrics (request frequency, error rates) | LOW |
NOT processed: End-user PII, model training data, inference inputs/outputs (unless customer explicitly configures audit logging).
2. Data Storage
- Location: All data stored on customer infrastructure (self-hosted Docker deployment)
- No cloud dependencies: No data transmitted to AiEGIS servers or third parties
- Database: SQLite (MVP) / PostgreSQL (production) — customer choice
- Encryption: At rest via OS-level encryption; TLS 1.2+ in transit
- Data sovereignty: Customer retains full control — data never leaves their infrastructure
3. Retention Policy
- Action logs: Configurable retention (default: 90 days)
- Agent registry: Indefinite (until customer deletes)
- Audit trail: Immutable for compliance purposes (configurable retention period)
- Customer controls: Full deletion capability via API and admin dashboard
4. GDPR Legal Basis
- Article 6(1)(f): Legitimate interest — security monitoring and regulatory compliance
- Data Processing Agreement (DPA): Template available for enterprise deployments
- No special category data: No biometric, health, political, or other Art. 9 data processed
- No profiling: No automated decision-making about natural persons
5. Data Minimisation
- Only metadata required for governance is collected and stored
- Built-in PII detection layer (Layer 10) actively prevents unnecessary personal data collection
- Customer configures logging verbosity and scope
- Agent inputs/outputs are NOT stored by default — only metadata (timestamps, risk scores, compliance status)
6. Risk Assessment
| Risk Factor | Assessment | Mitigation |
|---|
| Data breach | LOW | Self-hosted; no external data transmission |
| Unauthorised access | LOW | JWT + API key + RBAC authentication |
| Data loss | LOW | Customer-managed backups; immutable audit logs |
| Cross-border transfer | LOW | No data leaves customer infrastructure |
| Purpose limitation | LOW | Data used solely for AI governance and compliance |
7. DPIA Conclusion
Overall DPIA threshold: LOW RISK
AiEGIS processes only AI agent operational metadata on customer-controlled infrastructure. No special category data, no profiling of natural persons, no cross-border data transfers. The self-hosted deployment model ensures full data sovereignty and GDPR compliance by design.