Data Residency & GDPR

The split is simple. We host customer trace data in Frankfurt. You decide which decisions to send. Adjudon is the Data Processor under GDPR Article 28; your organization is the Data Controller. Every other clause on this page falls out of that one role-statement — including the one documented exception we owe you in plain language before procurement asks.

Scope

This page covers the residency and GDPR posture for Adjudon's production SaaS at api.adjudon.com. It applies to every customer plan (Sandbox → Custom), every region, and every data category we receive: trace payloads, review-queue evidence, audit-chain entries, organization metadata, and billing records. Out of scope: customer-managed deployments (none exist — Adjudon does not white-label, does not run on customer-cloud, does not offer on-premise).

Roles

Role	Party	GDPR basis
Data Controller	Your organization	GDPR Art. 4(7)
Data Processor	Adjudon	GDPR Art. 28
Sub-processors	The vendors listed below	GDPR Art. 28(2)–(4)

A Data Processing Agreement (DPA) covering the eight mandatory Article 28(3) clauses is required before production use. The DPA template is available on request — contact [email protected].

Article-by-article mapping

Regulation	Article	Requirement	What Adjudon ships	What you do
GDPR	Art. 5	Lawfulness, fairness, transparency	EU-resident pipeline; no model-training reuse	Lawful basis (Art. 6) for the controller
GDPR	Art. 6	Lawful basis	—	Choose the basis (consent, contract, legal obligation, legitimate interest)
GDPR	Art. 9	Special-category data	PII scrubber removes generic patterns	Pseudonymise health data customer-side (medtech doc)
GDPR	Art. 17	Right to erasure	Payload nullification, chain shell preserved	Forward the data-subject request
GDPR	Art. 28	Processor obligations	DPA covering 28(3)(a)–(h)	Execute the DPA before production
GDPR	Art. 28(3)(d)	Sub-processor flagging	Sub-processor list below; advance notice per DPA	Object per DPA window
GDPR	Art. 32	Security of processing	AES-256 at rest, TLS 1.2+ in transit, SHA-256 chain	Configure access controls dashboard-side
GDPR	Art. 33	Breach notification (72 h)	Multi-Clock Hub clock for GDPR Art. 33	File the supervisory-authority notification
GDPR	Art. 83	Administrative fines (€20M / 4%)	Records of processing on demand	Operate within the lawful basis
GDPR	Chapter V	Third-country transfers	SCCs for the OpenAI exception	Document the transfer in your ROPA
DORA	Art. 30	ICT TPSP register, geographic location	Frankfurt eu-central-1 published and stable	File the ICT register entry

The Multi-Clock Incident Hub runs the Art. 33 clock in parallel with four others (EU AI Act Art. 73, DORA Art. 19, NIS2 Art. 23, CRA Art. 11) off the same incident — see Multi-Clock Incidents.

Sub-processors

Sub-processor	Region	Purpose	Transfer mechanism
MongoDB Atlas	Frankfurt (eu-central-1), Germany	Primary database	EU-internal
Fly.io	Frankfurt, Germany	API server	EU-internal
Cloudflare Pages	EU edge	Landing site, dashboard, docs	EU-internal
Stripe	Ireland	Billing, metered usage	EU-internal
Resend	EU	Transactional email	EU-internal
OpenAI	USA	Embedding generation (third Confidence Engine pillar)	GDPR Chapter V SCCs

We document the OpenAI line in plain language so procurement does not arrive expecting a fully air-gapped EU stack that does not exist. The embedding call sends only the trace's inputContext + triggeringCondition text (already PII-scrubbed) to the text-embedding-3-small model; OpenAI returns a 1,536-dimensional vector that is stored on the DecisionTrace in MongoDB Atlas Frankfurt. No customer trace payload is retained at OpenAI for training. The feature is opt-in — if your organization requires strict EU-only processing, contact [email protected] to disable it before first use.

Sub-processor changes are notified in advance per Article 28(3)(d) on the timeline defined in the DPA — contact [email protected] for the current text.

Evidence

The procurement-grade evidence path for any GDPR or DORA inspection is the chain export:

curl

curl https://api.adjudon.com/api/v1/hash-chain/export \
  -H "Authorization: Bearer $ADJUDON_API_KEY"

Python

import requests, os
r = requests.get(
    "https://api.adjudon.com/api/v1/hash-chain/export",
    headers={"Authorization": f"Bearer {os.environ['ADJUDON_API_KEY']}"}
)
bundle = r.json()

The response is a self-contained JSON document the auditor replays offline against the published algorithm at Audit Log & Security. No Adjudon login, no Adjudon endpoint, no Adjudon network is required for the verification step. The chain is valid evidence even if Adjudon disappears between the export and the audit. See Hash Chain API for the full endpoint surface and Sub-Processors for the signed sub-processor list.

Retention

Plan	Default	Configurable range
Sandbox	90 days	Not configurable
Scale	90 days	7 – 365 days
Governance	90 days	7 – 365 days
Enterprise / Custom	90 days	7 – 3,650 days (10 years)

The schema cap is 3,650 days, enforced at the Mongoose layer with the validation message "Retention cannot exceed 10 years." For organizations under BaFin or comparable financial regulation we recommend 1,825 days (five years). For MDR Article 10(8) implantable devices the 15-year obligation is closed customer-side via periodic export and archival; see Medtech Compliance.

Right to erasure (GDPR Art. 17)

When a data-subject erasure request arrives, the trace's PII fields (inputContext, outputDecision, metadata, rationale) are nullified on the DecisionTrace document. The trace shell — traceId, agentId, timestamp, status, confidenceScore, and the chain back-reference — is preserved.

The Decision Hash Chain itself is not modified. The original payloadDigest was computed before erasure and is therefore stable. The chain still verifies end-to-end after the nullification (Cardinal Rule 5: no chain entry is ever modified or deleted). The result: the personal data is gone, the regulator can still read which decision happened, and the GDPR Art. 17 erasure right and the audit-trail integrity requirement both survive.

Encryption

Layer	Mechanism	Notes
At rest	AES-256	MongoDB Atlas-managed encryption; keys rotated on the AWS schedule
In transit	TLS 1.2+	HTTPS enforced at the Fly.io edge; plain HTTP is rejected before any handler runs
Tamper-evidence	SHA-256	Per-org Decision Hash Chain + Operations Audit Log; replay-verifiable offline
PII pre-storage	Regex scrubber	Email, IBAN, credit-card, SSN, phone — before hash, before persistence

The chain is tamper-evident, not tamper-proof: it detects modification loudly via the next entry's prevHash mismatch; it does not prevent the write attempt. Tampering is loud, not impossible.

Honest disclosures

• OpenAI is the one documented sub-processor outside the EU; the embedding call uses Chapter V SCCs and is opt-in per organization.
• We do not white-label. We do not run on customer-cloud. We do not offer on-premise. The SaaS deployment is the only deployment.
• The 15-year MDR retention obligation for implantable devices exceeds our 10-year schema cap; the gap is closed customer-side via periodic export, documented at Medtech Compliance.
• We do not pursue ISO 27001 or SOC 2 today; pen-testing status is documented at Penetration Testing.

What this page does NOT cover

• DORA Article 30 exit plan — covered at DORA Compliance.
• MDR Class IIa/IIb pseudonymisation boundary — covered at Medtech Compliance.
• EU AI Act Article 13/14/27/73 article mapping — covered at EU AI Act Compliance.
• Architecture-level data-flow diagram — covered at Architecture Overview.

See also

• Architecture Overview — the full stack and the HTTPS boundary
• Audit Log & Security — the chain formula and the four-step verify algorithm
• Multi-Clock Incidents — the five-regulator concurrent countdown model
• Sub-Processors — the signed sub-processor list with geography per row
• Hash Chain API — the endpoint surface for export and verify