GDPR
Article 30
Records of processing activities
What the regulation requires
Article 30 requires controllers and processors to maintain detailed records of processing activities. Records must include the purposes of processing, categories of data subjects and personal data, categories of recipients, transfers to third countries, time limits for erasure, and a description of technical and organizational security measures.
How RADAR maps to it
Processing activity detection
RADAR identifies data processing events as they occur across your agent infrastructure. Every LLM call, tool invocation, and data access is catalogued with the data categories involved, purpose context, and operator identity.
PII pattern coverage
40 patterns across 6 categories — personal identifiers (SSN, name, address), financial data (credit cards, IBAN, SWIFT/BIC), health information, digital identity (API keys, tokens), communication metadata, and location data.
Retention and erasure
Configurable retention policies per evidence type. Cryptographic deletion attestations — every purge generates a signed record proving what was deleted, when, by whom, and under what policy.
Security measures documentation
Fernet field-level encryption on all stored evidence. HMAC-SHA256 signing on webhook payloads. JWT-signed license with offline verification. No data leaves your infrastructure.
What the evidence looks like
Auditor note
Processing records are exportable as a structured evidence pack. Every entry is traceable to its source event.
This is a production-verified capability — not a hypothetical. Every control mapping above corresponds to a feature shipped in RADAR v1.0. See the documentation.