Article 25 — by design + by default
Every architectural decision is taken with privacy as the default. Tier-3 multi-tenant isolation; per-tenant Postgres role with RLS; per-tenant KMS scope; default 30-day retention on raw prompts. You don't have to opt in to good practice.
Articles 13/14 — transparency
Every data category, every lawful basis, every sub-processor, every transfer mechanism — published at /privacy and /legal/subprocessors. Updated whenever anything changes, with 30 days' notice.
Article 15 — right of access
Use the DSR form. We deliver a structured ZIP containing every record we hold about you, every audit-log entry, and every R2 object — within 30 days, usually within 72 hours.
Article 16 — rectification
Built into every account screen. For data you can't directly edit, the DSR form has a rectification option.
Article 17 — erasure
One endpoint nullifies your PII, deletes your tenant's R2 objects, and emits a cryptographic erasure proof signed by our DPA. SLA: 30 days. The cryptographic proof is a SHA-256 receipt of (your tenant ID, deletion timestamp, processor signature).
Article 18 — restriction
Pause processing while a dispute is resolved. The DSR form has a restriction option that flips an account flag — your data sits frozen, no agent runs against it, until the dispute is closed.
Article 20 — portability
Export as a structured, signed ZIP. Postgres rows + R2 objects + audit-ledger entries. Cryptographic integrity hash so the receiving processor can verify nothing was tampered with in transit.
Article 21 — objection
Object to processing for direct marketing or on legitimate-interest grounds. The DSR form has an object option; we honour it within 7 days, with the audit log showing the action.
Article 22 — automated decisions
CharmEngine's governed agents make recommendations, not unsupervised decisions with legal effect. Every premium agent action requires explicit operator approval. Where automation runs autonomously (within the cost ceiling you pre-approved), the audit log records the exact decision and you can roll back within 90 seconds.
Articles 33-34 — breach notification
72-hour timer from confirmed awareness. Automated detection on Neon audit log, R2 access patterns, Cloudflare WAF anomalies, Stripe fraud alerts. Affected data subjects notified directly per Article 34 with what was exposed and what we did about it.
Schrems II — transfers
EU-tagged tenants stay in Frankfurt. US sub-processors operate under SCCs Module 2 + per-vendor Transfer Impact Assessments published at /legal/tia. Practical mitigation via E2E encryption + pseudonymisation where applicable.
Documentation
Records of Processing Activities (RoPA), DPIAs for high-risk processing, and our LIA (Legitimate Interests Assessment) are available to controllers on request — email dpo@charmengine.uk.