GDPR Deep Dive

The General Data Protection Regulation (GDPR) applies to any organization processing EU citizens' personal data. AgentAIShield helps you meet all requirements.

Data Processing Agreements (DPAs)

Under GDPR Article 28, any vendor processing personal data on your behalf must sign a DPA. AgentAIShield provides:

• Pre-approved template: Legally reviewed by EU privacy counsel
• Standard Contractual Clauses (SCCs): For cross-border data transfers
• Digital signature: Execute via DocuSign/HelloSign in minutes
• Auto-renewal: DPA validity tracked, alerts before expiration

Right to Access (Article 15)

Individuals can request copies of their personal data. AAIS automates this:

1. User submits access request (via portal or email)
2. Identity verification (email token or SSO)
3. AAIS compiles all data: logs, PII detections, metadata
4. Exports to machine-readable format (JSON, CSV)
5. Delivers via encrypted download link (expires in 30 days)
6. Logs access request for audit trail

Right to Deletion (Article 17)

"Right to be forgotten" — irreversibly delete all user data:

• Purges logs, request history, PII detections
• Cascades to backups and archived data
• Retains only anonymized aggregates (allowed under GDPR)
• Confirmation email with deletion certificate
• 30-day retention for legal holds (configurable)

Consent Management

Track opt-in/opt-out per processing purpose:

• Purpose categories: Analytics, marketing, personalization, security monitoring
• Granular consent: Users can opt in to some, opt out of others
• Consent versioning: Track when ToS/Privacy Policy changes, re-request consent
• Withdrawal: One-click consent withdrawal, immediately stops processing

PII Redaction Workflows

Automatically redact PII from logs:

• Real-time redaction: PII never hits disk in plain text
• Delayed redaction: Keep plain text for 30 days (troubleshooting), then auto-redact
• Partial redaction: "j***@example.com" preserves utility for support
• Tokenization: Replace PII with reversible tokens (de-redact with admin auth)

Data Portability (Article 20)

Users can export data in structured, machine-readable format:

• JSON with OpenAPI schema documentation
• CSV for spreadsheet import
• XML for legacy systems

SOC 2 Readiness

SOC 2 Type II audits verify that you have effective controls for security, availability, confidentiality, processing integrity, and privacy.

Control Mapping

AAIS pre-maps features to SOC 2 Trust Service Criteria:

CC6.1 - Logical and Physical Access Controls

• Evidence: SSO/SAML configs, MFA enforcement logs, RBAC permission matrix
• AAIS provides: Access control screenshots, user role audit logs

CC6.6 - Encryption

• Evidence: TLS certificates, data-at-rest encryption configs
• AAIS provides: Certificate chain, AES-256 encryption evidence, key rotation logs

CC6.7 - Transmission Integrity

• Evidence: API request signing, HMAC validation, checksum verification
• AAIS provides: Request signature examples, validation logs

CC7.2 - System Monitoring

• Evidence: Security event logs, anomaly detection alerts, uptime monitoring
• AAIS provides: Behavioral fingerprinting reports, incident response logs

CC7.3 - Incident Response

• Evidence: Documented incident playbooks, response time metrics
• AAIS provides: Injection detection alerts, escalation workflows, resolution logs

Audit Preparation Checklist

90 days before audit:

1. Review control descriptions: Ensure AAIS configs match documented policies
2. Test access controls: Verify RBAC, SSO, MFA are enforced
3. Collect evidence: Export logs, configs, screenshots
4. Identify gaps: Run AAIS compliance checker, remediate findings
5. Document exceptions: Explain any deviations from standards
6. Train team: Ensure admins can explain controls to auditors

Evidence Collection Automation

Instead of manually gathering screenshots during audit:

• Continuous evidence capture: AAIS auto-screenshots key pages monthly
• Timestamped configs: Every setting change is versioned and logged
• Sample log extraction: Automatically pull representative samples for each control
• Change audit trail: Show auditors that controls were active for entire audit period

Common SOC 2 Audit Findings (and how AAIS prevents them)

• Finding: "Insufficient access logging"
  Prevention: AAIS logs every login, config change, data access with immutable timestamps
• Finding: "No MFA for privileged users"
  Prevention: SSO inherits IdP MFA, audit logs prove enforcement
• Finding: "Encryption not verified"
  Prevention: TLS 1.3 certificate chain evidence, AES-256 encryption screenshots
• Finding: "Anomaly detection not tested"
  Prevention: Behavioral fingerprinting reports show active alerts, resolution workflows

HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare data. AAIS meets all technical safeguards.

Business Associate Agreement (BAA)

Required for any vendor handling Protected Health Information (PHI):

• AgentAIShield's BAA template is HIPAA-compliant (reviewed by healthcare legal counsel)
• Available to Enterprise customers upon request
• Signing process: DocuSign, 1-2 business days turnaround
• Includes breach notification requirements (notify within 60 days)

PHI Detection & Handling

AAIS automatically detects 18 HIPAA identifiers:

• Names
• Dates (birth, admission, discharge, death)
• Phone/fax numbers
• Email addresses
• SSN
• Medical record numbers
• Health plan numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers
• Device identifiers
• URLs
• IP addresses
• Biometric identifiers
• Photos
• Geographic data (smaller than state)

Encryption Requirements

HIPAA Security Rule requires encryption (addressable safeguard):

• In transit: TLS 1.3 (TLS 1.2 minimum) — AAIS enforces
• At rest: AES-256 for database, S3 SSE-KMS for object storage
• Key management: AWS KMS, Google Cloud KMS, or customer-managed HSM
• Key rotation: Automatic annual rotation, audit trail

Access Logs (Audit Controls)

HIPAA requires tracking who accessed PHI:

• User ID, timestamp, action (view/edit/delete)
• IP address, device info
• Data accessed (patient ID, record type)
• Logs retained 6 years minimum
• Tamper-proof (append-only, cryptographic hashing)

Breach Notification Workflow

If PHI is exposed (>500 individuals = breach):

1. AAIS alerts security team within 1 hour of detection
2. Incident response team investigates scope
3. If confirmed breach: notify affected individuals within 60 days
4. Notify HHS (via web portal) within 60 days
5. If media-worthy (>500 individuals), notify prominent media outlets
6. Document incident in breach log

Audit Log Management

Immutable, tamper-proof logs for compliance and forensics.

Immutable Log Storage

Audit logs use append-only storage with cryptographic verification:

• Merkle tree: Each log entry hashed into tree, root hash published
• Blockchain-style chaining: Each entry includes hash of previous entry
• Timestamping service: RFC 3161 trusted timestamps prove log age
• Write-once storage: S3 Object Lock, Azure Immutable Blob, GCS retention policy

SIEM Integration

Forward logs to Security Information and Event Management systems:

• Splunk: HTTP Event Collector (HEC)
• Datadog: Logs API
• Elasticsearch/ELK: Logstash forwarder
• Azure Sentinel: Log Analytics workspace
• AWS Security Hub: CloudWatch → EventBridge → Security Hub
• Google Chronicle: Chronicle API ingestion

Retention Policies

Configure retention per log type and compliance requirement:

• Security events: 7 years (SOC 2, ISO 27001)
• HIPAA access logs: 6 years (HIPAA requirement)
• GDPR audit trail: 3 years (recommended)
• Financial records: 7 years (Sarbanes-Oxley)
• Employee access: Duration of employment + 2 years

Log Search & Forensics

Powerful search for incident investigation:

• Full-text search: Elasticsearch-powered, <100ms queries
• Time-range filters: Search specific incident windows
• Correlation: Link related events by session ID, user ID, IP
• Export: CSV, JSON, or SIEM-compatible format

Data Residency & Sovereignty

Control where data is stored and processed to meet local regulations.

Region Selection

Choose data residency region during org setup:

• US (us-east-1): Virginia, default for North America
• EU (eu-west-1): Ireland, GDPR-compliant, data never leaves EU
• EU (eu-central-1): Frankfurt, German data protection laws
• UK (eu-west-2): London, post-Brexit sovereignty
• Canada (ca-central-1): Montreal, PIPEDA compliance
• Australia (ap-southeast-2): Sydney, Privacy Act compliance
• Singapore (ap-southeast-1): PDPA compliance
• Japan (ap-northeast-1): Tokyo, APPI compliance

Cross-Border Data Flow

For multi-national organizations:

• Separate workspaces: EU workspace (eu-west-1) + US workspace (us-east-1)
• No data sharing: Workspaces are isolated, no cross-region queries
• Unified billing: Single invoice for all workspaces
• Optional aggregation: Export data from both, analyze locally

Data Sovereignty Requirements

Examples of country-specific regulations:

• Russia (Federal Law 242-FZ): Personal data of Russian citizens must be stored in Russia
• China (Cybersecurity Law): Critical data must stay in China, government access required
• India (RBI mandate): Payment data must be stored in India
• Switzerland (FADP): Healthcare data often requires Swiss residency

Building Compliance Reports

Automated report generation for auditors, regulators, and stakeholders.

PDF Report Generation

Create professional, branded compliance reports:

• Executive summary (trust score trends, incident summary)
• Control evidence (screenshots, config exports)
• Sample logs (representative security events)
• Attestations (signed statements from security team)
• Appendices (raw data, technical details)

CSV Export for Analysis

Export raw data for custom analysis:

• Request logs (timestamp, agent, PII detected, blocked)
• Security events (injection attempts, anomalies)
• User activity (logins, config changes)
• Trust score history (per-agent, per-day)

Auditor Workflows

Share evidence securely with external auditors:

1. Generate compliance report (PDF or ZIP with logs)
2. Upload to AAIS secure share (or your own S3 bucket)
3. Create time-limited share link (expires in 7-30 days)
4. Optional: require auditor email verification
5. Track downloads in audit trail (who accessed when)

Scheduled Reports

Automate recurring compliance reports:

• Weekly security digest: Send to CISO every Monday
• Monthly SOC 2 snapshot: Auto-generate evidence for continuous monitoring
• Quarterly board report: Executive summary with trust score trends
• Annual compliance package: Full evidence export for year-end audit