EU GDPR — Operayde as data processor
Our posture on GDPR: Operayde operates as a limited-scope processor for metadata only, while personal data in prompts and responses never leaves the customer's controller estate.
Effective: 25 May 2018
Our role under Article 4
For the metadata the central plane processes — appliance health, audit-chain commitment hashes, billing counters, operator logins — Operayde is a processor under Article 4(8), acting on the customer's instructions under our Data Processing Addendum.
For the content that traverses the appliance (prompts, documents, responses, RAG context), Operayde is not a processor at all. That data never reaches our systems. The customer is the controller and the processor of their own content.
This distinction matters: the DPA terms for content data (retention, sub-processor notification, transfer impact assessment) simply don't apply because there's no processing relationship to govern.
Article 5 — principles
Lawfulness and transparency. The appliance exposes a /v1/privacy endpoint that returns a human-readable inventory of every personal-data field it holds, on request. The operator portal surfaces the same inventory per-tenant.
Purpose limitation. Prompts and responses are used for the customer's business purpose only; they are not used for model fine-tuning, telemetry, or any Operayde-side improvement loop. This is enforced at the appliance boundary — no training-data pipeline exists on the appliance.
Data minimisation. The central plane holds only metadata needed to operate the fleet. Our schema for every table that holds personal data is published in our DPA annex; the annex is version-controlled.
Storage limitation. Operators set retention on the signed audit chain; the default is 90 days. The appliance performs the deletion locally at the retention boundary.
Integrity and confidentiality. Disk encryption, Secure Boot, mTLS workload-to-workload, operator MFA with step-up on destructive actions. Full security whitepaper under NDA on request.
Transfer impact assessments
When Operayde's central plane is hosted in the EU (our default for EEA customers), no third-country transfer occurs for metadata. For customers with operational teams outside the EEA who access the operator portal, the DPA lists the specific transfer mechanisms (Standard Contractual Clauses with a Supplementary Measures annex) and the receiving entities.
Subject access requests
The appliance exposes /v1/subjects/{id}/export (authenticated, tenant-scoped) that returns every prompt, response, and audit line attributed to a data subject by correlation-id. SARs are served from the appliance, not the central plane, meaning the SAR response is as close to real-time as the appliance's local index allows, typically single-digit seconds.