[AIEGIS](/) / DPIA



# Data Protection Impact Assessment


AiEGIS AI Agent Security Platform — GDPR Compliance Assessment



## 1. Data Processed


Category Data Elements Sensitivity

Agent Registration Agent name, type, owner email, API key hash, creation date LOW
Action Logs Timestamps, action type, target resource, outcome LOW
Compliance Scans Risk level, EU AI Act article mapping, scan timestamp LOW
Behavioural Baselines Aggregated metrics (request frequency, error rates) LOW



NOT processed: End-user PII, model training data, inference inputs/outputs (unless customer explicitly configures audit logging).



## 2. Data Storage


- Location: All data stored on customer infrastructure (self-hosted Docker deployment)

- No cloud dependencies: No data transmitted to AiEGIS servers or third parties

- Database: SQLite (MVP) / PostgreSQL (production) — customer choice

- Encryption: At rest via OS-level encryption; TLS 1.2+ in transit

- Data sovereignty: Customer retains full control — data never leaves their infrastructure





## 3. Retention Policy


- Action logs: Configurable retention (default: 90 days)

- Agent registry: Indefinite (until customer deletes)

- Audit trail: Immutable for compliance purposes (configurable retention period)

- Customer controls: Full deletion capability via API and admin dashboard





## 4. GDPR Legal Basis


- Article 6(1)(f): Legitimate interest — security monitoring and regulatory compliance

- Data Processing Agreement (DPA): Template available for enterprise deployments

- No special category data: No biometric, health, political, or other Art. 9 data processed

- No profiling: No automated decision-making about natural persons





## 5. Data Minimisation


- Only metadata required for governance is collected and stored

- Built-in PII detection layer (Layer 10) actively prevents unnecessary personal data collection

- Customer configures logging verbosity and scope

- Agent inputs/outputs are NOT stored by default — only metadata (timestamps, risk scores, compliance status)





## 6. Risk Assessment


Risk Factor Assessment Mitigation

Data breach LOW Self-hosted; no external data transmission
Unauthorised access LOW JWT + API key + RBAC authentication
Data loss LOW Customer-managed backups; immutable audit logs
Cross-border transfer LOW No data leaves customer infrastructure
Purpose limitation LOW Data used solely for AI governance and compliance





## 7. DPIA Conclusion


**Overall DPIA threshold: LOW RISK **


AiEGIS processes only AI agent operational metadata on customer-controlled infrastructure. No special category data, no profiling of natural persons, no cross-border data transfers. The self-hosted deployment model ensures full data sovereignty and GDPR compliance by design.


DPIA prepared in accordance with GDPR Article 35 and DPC guidance — Last updated: April 2026