GDPR

Article 30

Records of processing activities

What the regulation requires

Article 30 requires controllers and processors to maintain detailed records of processing activities. Records must include the purposes of processing, categories of data subjects and personal data, categories of recipients, transfers to third countries, time limits for erasure, and a description of technical and organizational security measures.

How RADAR maps to it

Processing activity detection

RADAR identifies data processing events as they occur across your agent infrastructure. Every LLM call, tool invocation, and data access is catalogued with the data categories involved, purpose context, and operator identity.

PII pattern coverage

40 patterns across 6 categories — personal identifiers (SSN, name, address), financial data (credit cards, IBAN, SWIFT/BIC), health information, digital identity (API keys, tokens), communication metadata, and location data.

Retention and erasure

Configurable retention policies per evidence type. Cryptographic deletion attestations — every purge generates a signed record proving what was deleted, when, by whom, and under what policy.

Security measures documentation

Fernet field-level encryption on all stored evidence. HMAC-SHA256 signing on webhook payloads. JWT-signed license with offline verification. No data leaves your infrastructure.

What the evidence looks like

PROCESSING RECORD · GDPR ART. 30
Record: #0023 — pii_scan · customer-export
Timestamp: 2026-06-09 14:22:09 UTC
PII Found: 12 patterns · 4 categories
Action: Redacted · Policy: gdpr-strict
Retention: 90 days · Auto-purge: 2026-09-07
Encryption: Fernet field-level · Key rotation: 30d

Auditor note

Processing records are exportable as a structured evidence pack. Every entry is traceable to its source event.

This is a production-verified capability — not a hypothetical. Every control mapping above corresponds to a feature shipped in RADAR v1.0. See the documentation.