GDPR, RGPD, and Your Data: How Zeuslock Stays Compliant
A reference for DPOs and legal review: data flows, lawful basis, sub-processors, residency, retention, data subject rights, and breach commitments under GDPR.
What this document is for
This page is written for the audience that signs off on Zeuslock before it is deployed across an organization: the Data Protection Officer, the security and compliance team, and outside legal review. It describes, in concrete and verifiable terms, how Zeuslock handles personal data under the EU General Data Protection Regulation (GDPR) and equivalent national regimes. Where helpful, we name the specific articles. Where claims are operational, we name the UI path that lets you verify them.
Data flow: where analysis happens, what leaves the device
The single most important fact about Zeuslock for a privacy review is that detection runs client-side. When an employee writes a prompt in ChatGPT, Claude, Gemini, Copilot or any other supported AI tool, the analysis happens in the browser extension or desktop agent, on the local machine. The original prompt text is never transmitted to Zeuslock as part of normal operation.
Only when a detector fires — that is, when sensitive data is actually identified inside the prompt — is an anonymized event sent to Zeuslock servers. That event describes the incident; it does not contain the original sensitive content. Source data does not leave the device.
This architectural choice is deliberate. It means Zeuslock is not a content interception platform in the GDPR sense for the bulk of employee activity: there is nothing to intercept centrally, because the inspection is local. The central platform only ever sees redacted summaries of incidents.
What is stored centrally, and what is not
The matrix below describes, by data category, what is and is not held on Zeuslock infrastructure for a given incident.
| Category | Stored centrally | Form |
|---|---|---|
| Original prompt text | No | Never transmitted |
| Original sensitive values (card numbers, secrets, etc.) | No | Replaced before any transmission |
| AI provider response | No | Not captured |
| Redacted prompt preview | Yes | Sensitive substrings replaced client-side |
| User identifier | Yes | Email address from SSO |
| Group / role | Yes | SCIM-provisioned attribute |
| Destination domain | Yes | e.g. chat.openai.com |
| Browser and OS | Yes | User agent string, parsed |
| Timestamp | Yes | UTC, millisecond precision |
| Severity | Yes | Low / Medium / High / Critical |
| Finding type | Yes | e.g. api_key.aws, iban.fr |
| Policy action taken | Yes | Monitor, Anonymize, Block |
The redacted prompt preview is the only field that derives from prompt content. Sensitive substrings are replaced on the device, by the same anonymizer that protects the prompt itself, before the preview is constructed.
Lawful basis and roles
Under GDPR, processing of personal data needs a lawful basis. For the deployment of Zeuslock inside a customer organization, that basis is legitimate interest under Article 6(1)(f): the employer has a legitimate interest in detecting and preventing the exfiltration of confidential and personal data to third-party AI services, and the processing is limited to what is necessary for that purpose.
Roles are also unambiguous. The customer organization is the data controller for usage events generated by its employees. Zeuslock is the data processor, acting on documented instructions from the controller. A standard Data Processing Agreement (DPA), based on the Standard Contractual Clauses where applicable, is available on request and is signed before production rollout for any customer that requires one.
Sub-processors
Zeuslock uses the minimum number of sub-processors required to operate the service. The list below is exhaustive for the processing of personal data.
| Sub-processor | Role | Region | Personal data scope |
|---|---|---|---|
| Amazon Web Services (Frankfurt) | Primary storage | eu-central-1, Germany | Incident database, audit logs |
| Amazon Web Services (Paris) | Compute | eu-west-3, France | API, async processing, ML confirmation |
| Stripe Payments Europe Ltd | Billing only | Ireland | Customer billing contact, no end-user data |
There are no US-only sub-processors in the personal-data path. Updates to this list are notified to customer DPOs at least 30 days before they take effect, in line with the standard DPA.
Data residency
By default, customer data resides in AWS Paris (eu-west-3), with cold backups replicated to AWS Frankfurt (eu-central-1) for disaster recovery. Both are EU regions under EU jurisdiction.
The Sovereign Edition pins a customer's tenant to a single chosen region with no replication outside. For organizations whose policy or regulator requires that data never leaves a defined network perimeter — typical for parts of the public sector, defense, and certain financial institutions under DORA scope — Zeuslock also offers an on-premise deployment in which the control plane runs entirely within the customer's infrastructure.
Retention
Default retention is 13 months for incidents. This is a deliberate choice: long enough to cover annual audit cycles and trailing investigations, short enough to be defensible under data minimization. The value is configurable per tenant from a minimum of 30 days to a maximum of 7 years where a regulatory regime explicitly requires it.
Administrative audit logs are retained for 7 years, in line with common evidentiary obligations. Retention periods are documented in the DPA appendix that ships with every contract.
Data subject rights
Because the controller is the customer organization, data subject requests are handled by the customer's admin team, with Zeuslock providing the tooling. Every right listed in GDPR Articles 15 to 22 is operationally supported.
- Right of access (Art. 15). A customer admin exports an individual's complete incident history from Operator Console → Users → [user] → Export. The export is a structured CSV plus JSON bundle, suitable for direct delivery to the data subject.
- Right to erasure (Art. 17). From the same screen, an admin can issue a hard-delete for an individual. The deletion propagates across primary storage and backups within 24 hours, and is itself logged in the audit trail.
- Right to rectification (Art. 16). Identifying metadata such as group and role is editable in real time, typically via the SCIM sync from the identity provider; manual override is available in the same UI.
- Right to restrict and to object (Art. 18, 21). Specific users can be excluded from monitoring at the policy level without removing their account.
- Right to data portability (Art. 20). The export described above is in machine-readable formats and can be re-imported into another system.
Encryption
All data in transit is protected with TLS 1.3, with HSTS enabled on every customer-facing domain and certificate pinning in the desktop agent. At rest, data is encrypted with AES-256, using AWS KMS for key management. The Sovereign Edition supports customer-managed keys (BYOK) through the customer's own AWS KMS, so the customer controls key revocation.
Audit trail and accountability
Every administrative action — viewing an incident, editing a policy, exporting a user's history, deleting data — is recorded in an immutable audit log with the actor, timestamp, target and result. This log is itself accessible from the Operator Console and exportable for inclusion in customer audits.
DPIA support
For deployments that trigger a Data Protection Impact Assessment under GDPR Article 35, Zeuslock provides a downloadable DPIA template populated with the data flows, sub-processors, retention values and risk mitigations described on this page. It is intended as a starting point that your DPO completes and adapts, not as a substitute for the assessment itself.
Breach notification
Zeuslock commits contractually to notify the customer within 24 hours of confirming a personal data breach affecting their tenant. The notice includes the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed. This sits well inside the 72-hour window the customer then has to notify their own supervisory authority under Article 33.
For the DPA, sub-processor list, Sovereign Edition addendum, or the DPIA template, contact your account team or email privacy@zeuslock.ai. All documents are versioned and dated.