EU General Data Protection Regulation
GDPR-compliant security monitoring infrastructure
Your security tools process event logs, user activity, and potentially personal data. We ensure the infrastructure running Wazuh, CrowdSec, and your SIEM is fully GDPR-compliant — so your security posture doesn't create a compliance liability.
What is the GDPR?
The General Data Protection Regulation applies to any organization processing personal data of people in the European Union — regardless of where the organization is based. Security operations centers and SIEM platforms regularly process personal data: IP addresses, usernames, access logs, email addresses from alerts. All of it falls under GDPR.
- In force since: 25 May 2018
- Scope: Any org processing EU personal data
- Max fine: €20M or 4% of global turnover
- Breach reporting: 72 hours
Key GDPR obligations — how we address them
GDPR has 99 articles. These are the six that matter most for security operations — and how our managed infrastructure addresses each one.
Art. 5 — Principles of processing
Security logs must be collected only for defined purposes, retained no longer than necessary, and processed securely. Our managed stack enforces configurable log retention windows and role-based access to dashboards.
Art. 6 — Lawful basis
Processing security event data falls under legitimate interest (Art. 6(1)(f)) — you have a genuine need to monitor for threats. We can help document this in your Record of Processing Activities (RoPA).
Art. 17 — Right to erasure
If a data subject requests erasure of their personal data from your security logs, you need a process to handle it. Our managed Wazuh deployments support configurable log retention policies and purge workflows.
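The retention window and purge workflow mentioned for Art. 5 and Art. 17 above, written out as an added example. This is not the provider's tooling and not part of Wazuh; it assumes an archive exported as one JSON event per line and assumes the field names (`timestamp`, `src_ip`, `user`, `email`, `id`), and the sample events are constructed. It purges whole events past the retention window, then handles an erasure request by replacing the subject's identifiers with a fixed token while keeping the security event itself, and records every touched event in an audit list for accountability.

```python
"""Added example: retention purge plus right-to-erasure over JSON security
events. Not Wazuh's own tooling; the JSONL shape and field names are assumed."""
import json
from datetime import datetime, timedelta, timezone

# Event fields that may identify a person (assumed names, adjust to your schema).
SUBJECT_FIELDS = ("src_ip", "user", "email")
ERASED = "[erased]"

# Constructed sample archive; event 1 is outside a 90-day window on NOW below,
# and one line is deliberately malformed to show that the run does not abort.
SAMPLE_LOG = """
{"id": 1, "timestamp": "2024-01-10T08:00:00+00:00", "rule": "sshd: auth failure", "src_ip": "203.0.113.7", "user": "jdoe"}
{"id": 2, "timestamp": "2024-05-01T09:30:00+00:00", "rule": "sshd: auth failure", "src_ip": "203.0.113.7", "user": "jdoe"}
{"id": 3, "timestamp": "2024-05-02T11:00:00+00:00", "rule": "web: login ok", "src_ip": "198.51.100.4", "user": "asmith", "email": "asmith@example.org"}
not json at all
"""
NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)


def parse_events(lines):
    """Parse JSONL; skip blank or malformed lines instead of failing the run."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def purge_expired(events, now, retention_days):
    """Art. 5(1)(e) storage limitation: drop events older than the window."""
    cutoff = now - timedelta(days=retention_days)
    return [ev for ev in events if datetime.fromisoformat(ev["timestamp"]) >= cutoff]


def erase_subject(events, identifiers, now, audit):
    """Art. 17: replace the subject's identifiers with a fixed token in place.
    The event survives (what happened is still on record), but it no longer
    points at the person. Each touched event is appended to `audit`."""
    targets = {v.lower() for v in identifiers}
    touched = 0
    for ev in events:
        changed = False
        for field in SUBJECT_FIELDS:
            val = ev.get(field)
            if isinstance(val, str) and val.lower() in targets:
                ev[field] = ERASED
                changed = True
        if changed:
            touched += 1
            audit.append({"action": "erase", "event_id": ev.get("id"),
                          "at": now.isoformat()})
    return touched


def process_request(lines, identifiers, now=NOW, retention_days=90):
    """Run the purge, then the erasure; return retained events, count, audit."""
    events = purge_expired(parse_events(lines), now, retention_days)
    audit = []
    touched = erase_subject(events, identifiers, now, audit)
    return events, touched, audit


if __name__ == "__main__":
    kept, n, trail = process_request(SAMPLE_LOG.splitlines(), ["jdoe", "203.0.113.7"])
    print(f"retained {len(kept)} events, erased identifiers in {n}, audit entries: {len(trail)}")
```

Two design points worth keeping when adapting this: identifiers are tokenised rather than the event deleted, because the legitimate-interest basis for the security record usually survives the erasure request even though the link to the person does not; and the audit list is what an auditor will ask for, so write it somewhere durable rather than only to stdout.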
Art. 28 — Data Processor
We act as your data processor for any personal data in your security logs. Our DPA is available on request and covers all sub-processors — Hetzner for hosting, no others with access to your data.
Art. 32 — Security of processing
Art. 32 requires appropriate technical measures to ensure data security. The security tools you're deploying are also what makes your organization Art. 32-compliant. Wazuh, CrowdSec, and GVM directly address this requirement.
Art. 33 — Breach notification
If we detect a security incident affecting your managed infrastructure, we notify you within 72 hours so you can meet your reporting obligation to your supervisory authority.
Art. 32 — your security tools are your GDPR compliance evidence
GDPR Article 32 requires 'appropriate technical and organizational measures' to ensure a level of security appropriate to the risk. Your managed security stack is the documentation that you've implemented those measures.
- Wazuh provides the audit trail and compliance dashboards auditors need to verify Art. 32 implementation
- GVM/OpenVAS delivers the regular vulnerability assessments required to demonstrate ongoing due diligence under GDPR
- Wazuh documents every incident with a full timeline — exactly what Art. 33/34 breach notifications require
What we provide for GDPR compliance
- Data Processing Agreement (DPA) on request
- EU data residency — Nuremberg (primary) + Falkenstein (DR)
- Audit logs retained and exportable
- Data export on request (Art. 20 portability)
- Data deletion on request (Art. 17 erasure)
- 72-hour breach notification to you (Art. 33)
- Encrypted backups stored within the EU
- Sub-processor list available on request
Your GDPR-compliant security stack
Six managed security tools — each deployed on dedicated EU infrastructure with full GDPR coverage under a single DPA.
- SIEM / XDR: Wazuh. Enterprise SIEM & XDR — without the enterprise price tag
- IDS / IPS: CrowdSec. Collaborative intrusion prevention powered by the crowd
- Vulnerability Scanning: GVM/OpenVAS. Enterprise vulnerability scanning for compliance-driven teams
- Endpoint Detection & Forensics: Velociraptor. Endpoint detection, forensics, and threat hunting at scale
- Vulnerability Management: DefectDojo. Application security and vulnerability management
Ready to discuss your GDPR requirements?
Request our DPA, discuss data residency options, or ask about Art. 32 compliance documentation. We'll respond within one business day.
Request a DPA