GDPR Compliance

Gremia is designed for EU compliance from day one. This page covers GDPR, EU AI Act, and data protection measures.

Data Residency

All data is stored in the EU region via Supabase (PostgreSQL). No personal data is transferred outside the European Economic Area (EEA).

| Data type       | Storage location | Encryption   |
|-----------------|------------------|--------------|
| User accounts   | Supabase EU      | TLS + RLS    |
| Manifests       | Supabase EU      | AES-256-GCM  |
| Chat sessions   | Supabase EU      | AES-256-GCM  |
| Audit logs      | Supabase EU      | AES-256-GCM  |
| Consent records | Supabase EU      | TLS + RLS    |

Gremia implements purpose-based consent collection per GDPR Article 6.

| Purpose       | Description                             | Required                  |
|---------------|-----------------------------------------|---------------------------|
| essential     | Core service functionality              | Yes (legitimate interest) |
| analytics     | Usage analytics for service improvement | No                        |
| marketing     | Marketing communications                | No                        |
| ai_processing | AI model processing of user data        | Yes (for service use)     |

sequenceDiagram
    participant U as User
    participant B as Builder
    participant C as Cloud
    participant DB as Database

    U->>B: First visit
    B->>U: Show ConsentBanner
    U->>B: Accept/decline purposes
    B->>C: POST /api/v1/privacy/consent
    C->>DB: Store ConsentRecord
    C-->>B: Consent confirmed
    Note over DB: Records: purpose, granted, timestamp, source, version

Grant consent:

curl -X POST https://api.gremia.io/api/v1/privacy/consent \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "purpose": "analytics",
    "source": "web",
    "version": "1.0"
  }'

Revoke consent:

curl -X DELETE https://api.gremia.io/api/v1/privacy/consent/analytics \
  -H "Authorization: Bearer $TOKEN"

List active consents:

curl https://api.gremia.io/api/v1/privacy/consent \
  -H "Authorization: Bearer $TOKEN"

The web app displays a ConsentBanner component on first visit. Users can:

  • Accept all purposes
  • Decline optional purposes
  • Review and change preferences at any time via Settings
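The diagram notes that each consent record stores purpose, granted, timestamp, source and version, and the API exposes grant, revoke and list. The following PostgreSQL schema is an added example, not Gremia's own schema or code: it keeps the consent history append-only (a revocation is a new row, never a deletion, so the export and audit trail stay complete), refuses to record a revocation of a required purpose, and derives the "active consents" list as the latest record per purpose. Table and column names, and the erased flag used later by erasure, are assumptions.

```sql
-- Added example, not Gremia's schema. Columns follow the diagram note
-- (purpose, granted, timestamp, source, version); names are assumptions.
CREATE TABLE consent_records (
  id          bigserial   PRIMARY KEY,
  user_id     uuid        NOT NULL,
  purpose     text        NOT NULL
                CHECK (purpose IN ('essential', 'analytics', 'marketing', 'ai_processing')),
  granted     boolean     NOT NULL,
  recorded_at timestamptz NOT NULL DEFAULT now(),
  source      text        NOT NULL,            -- e.g. 'web'
  version     text        NOT NULL,            -- consent text version the user saw, e.g. '1.0'
  erased      boolean     NOT NULL DEFAULT false,  -- set by erasure; row itself is kept
  -- Required purposes (see the purpose table) may be recorded but never revoked.
  CHECK (granted OR purpose NOT IN ('essential', 'ai_processing'))
);

-- Grants and revocations are both INSERTs, so the table is its own audit trail.
-- With RLS on and no UPDATE/DELETE policy, ordinary users cannot rewrite history.
ALTER TABLE consent_records ENABLE ROW LEVEL SECURITY;

CREATE POLICY "Users read own consent history"
  ON consent_records FOR SELECT
  USING (auth.uid() = user_id);

CREATE POLICY "Users append own consent records"
  ON consent_records FOR INSERT
  WITH CHECK (auth.uid() = user_id);

-- POST /api/v1/privacy/consent  {"purpose":"analytics","source":"web","version":"1.0"}
INSERT INTO consent_records (user_id, purpose, granted, source, version)
VALUES (auth.uid(), 'analytics', true, 'web', '1.0');

-- DELETE /api/v1/privacy/consent/analytics: a revocation is a new row, not a deletion.
INSERT INTO consent_records (user_id, purpose, granted, source, version)
VALUES (auth.uid(), 'analytics', false, 'web', '1.0');

-- GET /api/v1/privacy/consent: the newest record per purpose decides whether it is active.
-- security_invoker (PostgreSQL 15+) makes the view run under the caller's RLS policies;
-- a plain view would run as its owner and silently bypass them.
CREATE VIEW active_consents WITH (security_invoker = true) AS
SELECT DISTINCT ON (user_id, purpose)
       user_id, purpose, granted, recorded_at, source, version
FROM consent_records
ORDER BY user_id, purpose, recorded_at DESC, id DESC;

SELECT purpose, recorded_at, version
FROM active_consents
WHERE user_id = auth.uid() AND granted;
```

The second INSERT above would be rejected by the CHECK constraint if the purpose were essential or ai_processing, which is how the "Required" column of the purpose table is enforced at the data layer rather than only in the ConsentBanner.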

Data Subject Access Requests (DSAR)

Users can export all their personal data per GDPR Article 15.

Data Export

curl https://api.gremia.io/api/v1/privacy/data-export \
  -H "Authorization: Bearer $TOKEN"

The response includes:

| Section          | Content                                  |
|------------------|------------------------------------------|
| user_id          | The user's anonymized identifier         |
| consent_records  | All consent grants and revocations       |
| audit_entries    | Actions performed by the user            |
| erasure_requests | History of erasure requests              |

Processing time

Data exports are generated in real time; large datasets may take a few seconds to compile. The response is JSON-formatted for portability.

Right to Erasure (Article 17)

Users can request complete erasure of their personal data.

Erasure Flow

stateDiagram-v2
    [*] --> Requested: User submits erasure request
    Requested --> Processing: Admin reviews
    Processing --> Completed: Data erased
    Processing --> Rejected: Legal hold
    Completed --> [*]
    Rejected --> [*]

Request erasure:

curl -X POST https://api.gremia.io/api/v1/privacy/erasure \
  -H "Authorization: Bearer $TOKEN"

Check status:

curl https://api.gremia.io/api/v1/privacy/erasure/{request_id} \
  -H "Authorization: Bearer $TOKEN"

What Gets Erased

| Data            | Action                                          |
|-----------------|-------------------------------------------------|
| User profile    | Deleted                                         |
| Manifests       | Deleted (or anonymized if shared with team)     |
| Chat sessions   | Deleted                                         |
| Consent records | Marked as erased (audit trail preserved)        |
| Audit entries   | Actor ID anonymized                             |
| Billing data    | Retained per legal obligation (invoices)        |
| Certificates    | Revoked and records purged                      |
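As an added example, not Gremia's own code, the function below carries the erasure state diagram and the "What Gets Erased" table through in one PL/pgSQL function, so a failure part-way through rolls everything back rather than leaving a half-erased account. It is meant to run under the service role, since shared manifests belong to other users' rows and the service role bypasses RLS. All table names, column names and status values (processing, rejected, completed), the legal_holds table and the revoked_certificates list are assumptions.

```sql
-- Added example, not Gremia's code. Schema names and status values are assumptions;
-- the actions mirror the "What Gets Erased" table.
CREATE OR REPLACE FUNCTION erase_user(p_request_id bigint)
RETURNS text
LANGUAGE plpgsql
AS $$
DECLARE
  v_user_id uuid;
  v_anon    uuid := gen_random_uuid();  -- replacement id, not linkable to the person
BEGIN
  -- Only a request the admin has moved to Processing may be executed.
  SELECT user_id INTO v_user_id
  FROM erasure_requests
  WHERE id = p_request_id AND status = 'processing'
  FOR UPDATE;
  IF NOT FOUND THEN
    RAISE EXCEPTION 'erasure request % is not in processing state', p_request_id;
  END IF;

  -- Processing --> Rejected: a legal hold stops the request before anything is touched.
  IF EXISTS (SELECT 1 FROM legal_holds WHERE user_id = v_user_id AND released_at IS NULL) THEN
    UPDATE erasure_requests SET status = 'rejected', completed_at = now()
    WHERE id = p_request_id;
    RETURN 'rejected';
  END IF;

  -- Manifests: delete private ones, anonymize those shared with a team (org_id set).
  DELETE FROM manifests WHERE user_id = v_user_id AND org_id IS NULL;
  UPDATE manifests SET user_id = v_anon WHERE user_id = v_user_id;

  DELETE FROM chat_sessions WHERE user_id = v_user_id;

  -- Consent history and audit log keep their rows; only the link to the person is removed.
  UPDATE consent_records SET user_id = v_anon, erased = true WHERE user_id = v_user_id;
  UPDATE audit_entries   SET actor_id = v_anon WHERE actor_id = v_user_id;

  -- Billing data is deliberately left untouched (retained per legal obligation).

  -- Certificates: publish the serials as revoked first, then purge the records.
  INSERT INTO revoked_certificates (serial, revoked_at)
  SELECT serial, now() FROM certificates WHERE user_id = v_user_id;
  DELETE FROM certificates WHERE user_id = v_user_id;

  -- Profile last, so foreign keys from the rows above are gone before it is.
  DELETE FROM profiles WHERE id = v_user_id;

  -- Processing --> Completed; the request row itself must not keep the real user id.
  UPDATE erasure_requests
  SET status = 'completed', completed_at = now(), user_id = v_anon
  WHERE id = p_request_id;
  RETURN 'completed';
END;
$$;

-- Usage (service role session): SELECT erase_user(42);
```

Because the whole body is one transaction, an unexpected error (a foreign-key surprise, a missing table) raises and undoes every statement, so the request stays in Processing and can be retried after the cause is fixed.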

Row-Level Security (RLS)

Supabase enforces Row-Level Security policies on all tables:

  • Users can only read/write their own data
  • Organization members can access shared resources within their org
  • Admin users have elevated access for key rotation and system management
  • The service role key (used by the orchestrator) bypasses RLS for cross-user operations

Example RLS policy:

CREATE POLICY "Users can read own manifests"
  ON manifests
  FOR SELECT
  USING (auth.uid() = user_id);

CREATE POLICY "Users can insert own manifests"
  ON manifests
  FOR INSERT
  WITH CHECK (auth.uid() = user_id);
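The two policies above only take effect once RLS is switched on for the table, and once it is on, any statement without a matching policy is denied, so UPDATE and DELETE need policies of their own. The statements below are an added example and not Gremia's schema: they enable RLS, complete the owner-only policy set, add the organization-sharing rule from the list above, and end with a psql session that checks the policies by impersonating a user. The org_id column on manifests and the org_members table are assumptions.

```sql
-- Added example; manifests.org_id and org_members(org_id, user_id) are assumed.
ALTER TABLE manifests ENABLE ROW LEVEL SECURITY;
-- Apply the policies to the table owner as well, so a maintenance session is not exempt.
-- Roles with BYPASSRLS (the Supabase service role) still bypass them, as noted above.
ALTER TABLE manifests FORCE ROW LEVEL SECURITY;

-- Default deny: with RLS on, UPDATE and DELETE fail until a policy allows them.
-- USING filters which rows may be changed; WITH CHECK constrains the resulting row,
-- so a user can neither touch another user's manifest nor hand their own to someone else.
CREATE POLICY "Users can update own manifests"
  ON manifests
  FOR UPDATE
  USING (auth.uid() = user_id)
  WITH CHECK (auth.uid() = user_id);

CREATE POLICY "Users can delete own manifests"
  ON manifests
  FOR DELETE
  USING (auth.uid() = user_id);

-- Permissive policies are OR-ed together: this adds org-wide read access
-- without widening the owner-only write policies.
CREATE POLICY "Org members can read shared manifests"
  ON manifests
  FOR SELECT
  USING (
    org_id IS NOT NULL
    AND EXISTS (
      SELECT 1
      FROM org_members m
      WHERE m.org_id = manifests.org_id
        AND m.user_id = auth.uid()
    )
  );

-- Check from psql as a given user. auth.uid() reads the JWT "sub" claim that Supabase
-- exposes as request.jwt.claims; switching to the authenticated role makes RLS apply.
BEGIN;
SET LOCAL ROLE authenticated;
SET LOCAL request.jwt.claims = '{"sub": "00000000-0000-0000-0000-000000000001"}';
SELECT id, user_id, org_id FROM manifests;            -- only own and org-shared rows
UPDATE manifests SET user_id = user_id
WHERE user_id <> auth.uid();                           -- UPDATE 0: foreign rows are invisible
ROLLBACK;
```

The same impersonation block is a useful regression test to keep beside each migration: if a later policy accidentally widens access, the SELECT returns rows it should not, which is far easier to catch here than in production.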

EU AI Act Compliance

Gremia addresses EU AI Act requirements for transparency and accountability:

Transparency

| Requirement              | Implementation                                        |
|--------------------------|-------------------------------------------------------|
| AI system identification | All AI-generated content is marked with metadata      |
| Model disclosure         | Users can see which model tier processed their request |
| Decision explanation     | Agent reasoning is logged in execution steps          |
| Human oversight          | Tool approval gates require explicit user consent     |

Risk Classification

Gremia operates as a limited-risk AI system:

  • It does not make autonomous decisions about natural persons
  • It does not process biometric data
  • It does not operate in high-risk domains without human oversight

For high-risk industry deployments (healthcare, finance), additional safeguards apply:

  • All tool calls require approval (approvals_required: true)
  • Security level set to restricted
  • Full audit trail with extended retention

Record Keeping

Gremia maintains records per Article 12 of the EU AI Act:

  • System description — Documented in this documentation
  • Data processing records — Audit log with actor, action, resource, result
  • Risk assessments — Per-industry security configurations in manifests
  • Incident logs — Error events tracked in execution history

Data Processing Agreement (DPA)

Enterprise customers receive a Data Processing Agreement that covers:

  • Subprocessors — Anthropic (AI models), Supabase (database), Stripe (billing)
  • Data transfer mechanisms — Standard Contractual Clauses (SCCs) where applicable
  • Breach notification — Within 72 hours per GDPR Article 33
  • Data retention — Configurable per plan (30 days to 10 years)
  • Technical measures — AES-256-GCM encryption, mTLS, audit logging

Contact privacy@gremia.io to request a DPA.

Security Contact

Report security vulnerabilities to security@gremia.io. We follow responsible disclosure practices and aim to respond within 48 hours.