Kommit is not "GDPR certified" — there is no such certification. What we do is operate the platform in a way that fits inside your GDPR controller-processor model and gives you the levers GDPR requires you to be able to pull on.
Kommit's role under GDPR
For customer data Kommit holds about your end users:
- You are the data controller. You decided what to collect and why.
- Kommit is a data processor. We process the data on your instructions, under a Data Processing Addendum (DPA) we'll sign as part of contracting.
For data about your Kommit users (employees who log in to the dashboard), Kommit is the controller for the minimum we need to operate the platform (email, role, sign-in audit) and a processor for everything else you upload.
The GDPR articles we hit, and how
| Article | What it requires | What Kommit provides |
|---|---|---|
| Art. 5 — data minimisation | Process only what you need. | Granular control over what Kommit ingests per agent surface; no auto-collection of unrelated systems. |
| Art. 15 — right of access | Produce a copy of personal data on request. | Per-user export from the dashboard or the API. |
| Art. 17 — right to erasure | Delete personal data on request. | Per-object delete in the dashboard. See [#data-deletion-and-retention] for the audit-log nuance. |
| Art. 25 — privacy by design | Default-private settings. | Tenancy is bound at the connection layer, not per-query. See [#how-does-kommit-isolate-my-orgs-data]. |
| Art. 28 — processor obligations | Sign a DPA. | We sign a DPA. Ours is based on the EU SCCs (2021 module 2). |
| Art. 30 — records of processing | Maintain a register. | Audit log export covers this for processor-side activities. See [#exporting-audit-logs]. |
| Art. 32 — security | Encryption, access control. | TLS in transit, AES-256 at rest, role-based access. See [#where-does-my-data-live]. |
| Art. 33–34 — breach notification | Notify within 72 hours. | We commit to this in the DPA. We have not had a notifiable breach. |
| Art. 44+ — international transfers | SCCs or equivalent. | All Kommit infrastructure runs in the EU; no transatlantic transfer happens by default. |
Where GDPR is harder for an AI control plane
Two GDPR provisions get awkward for AI-agent workloads:
- Article 22 — automated decision-making. If your agent makes decisions with legal or similarly significant effects, GDPR gives the data subject a right to human review. Kommit's approval workflows (see [#policy-library]) are how customers typically implement the human-in-the-loop layer that makes Article 22 satisfiable.
- The right to erasure vs. tamper-evident logs. GDPR's erasure right collides with audit-log immutability. The acceptable approach (per EDPB guidance) is to retain the audit trail under the legitimate-interest basis for accountability, and erase the content of the record. Kommit's deletion path for in-scope audit content is documented in [#data-deletion-and-retention].
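As an added illustration of the retain-the-trail, erase-the-content approach above (this is not Kommit's implementation; the record fields and class are assumed for the example), here is a hash-chained audit log in which each entry commits to a digest of its content, so a subject's content can be deleted while the chain still verifies:

```python
import hashlib
import json
from dataclasses import dataclass, field

def _digest(obj) -> str:
    """Canonical JSON -> SHA-256 hex, so digests are reproducible."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

@dataclass
class RedactableAuditLog:
    """Append-only hash chain over metadata plus a digest of each entry's content;
    the content itself sits in a side store, so it can be erased without breaking
    the chain. Field names are assumed for illustration, not Kommit's."""
    entries: list = field(default_factory=list)
    content: dict = field(default_factory=dict)  # entry index -> content

    def append(self, actor: str, action: str, subject: str, content: dict) -> int:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "index": len(self.entries),
            "actor": actor,
            "action": action,
            "subject": subject,
            "content_hash": _digest(content),
            "prev_hash": prev,
        }
        entry["entry_hash"] = _digest(entry)  # covers every field above
        self.entries.append(entry)
        self.content[entry["index"]] = content
        return entry["index"]

    def erase_subject(self, subject: str) -> int:
        """Right to erasure: drop the content of every entry about `subject`
        while keeping the accountability trail (who did what, when)."""
        idxs = [e["index"] for e in self.entries if e["subject"] == subject]
        for i in idxs:
            self.content.pop(i, None)
        return len(idxs)

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False  # metadata or chain link tampered with
            c = self.content.get(e["index"])
            if c is not None and _digest(c) != e["content_hash"]:
                return False  # surviving content no longer matches its commitment
            prev = e["entry_hash"]
        return True
```

Erased entries keep their actor, action and subject for accountability; only the payload behind `content_hash` is gone, and the chain still checks out.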
Sub-processor list
The current list of sub-processors Kommit uses is published at /subprocessors. We notify customers 30 days before adding a new sub-processor (more if your DPA negotiates a longer window).
DPIA support
If you're running a Data Protection Impact Assessment that covers AI agents Kommit governs, contact security@getkommit.ai. We maintain a DPIA template fragment for the Kommit portion of an assessment that customers can adapt. It's not a substitute for your own DPIA, but it covers the platform-side answers consistently.