Obligations as code paths, not PDFs
Erasure by crypto-shred, retention windows, consent and DPA tracking in-product, EU residency tagging, tamper-evident audit chains, and legal hold.
Compliance machinery, not compliance theater
For teams that need a GDPR email API, the obligations here are mechanical: erasure, retention, consent, audit, and hold are code paths with defined behavior, not policies asserted in a document and hoped about in production.
How it works
| Obligation | Mechanism |
|---|---|
| Erasure | GDPR erasure by crypto-shred: destroying a key destroys the data it protected, without corrupting the tamper-evident audit ledger |
| Retention | Retention windows that age data out on schedule |
| Consent | Consent records tracked in-product, alongside DPA and subprocessor tracking |
| Residency | Data residency tagging — EU today |
| Audit | Tamper-evident hash-chained audit trails |
| Legal hold | Supersedes erasure while active; normal rules resume when it lifts |
Operator access is part of the record too: a vendor-access transparency log: a tamper-evident chain that records operator access, so “we never looked” is checkable, not promised.
The evidence
Erasure and auditability pull in opposite directions: one wants data gone, the other wants history intact. Crypto-shred resolves the conflict — destroying a key destroys the data it protected, while the audit chain keeps its integrity. You get a provable "it's gone" and a provable "here's what happened," at the same time, about the same events.
Honest limits
Residency tagging covers the EU today — we won't sell you regions that don't exist yet. Legal hold beats erasure only while a hold is active, and that precedence is documented rather than discovered. And no feature list makes you compliant: these are mechanisms your process can rely on, not a substitute for having one.
Where to go next
The contractual side lives in the DPA and the privacy policy. Erasure and custody rest on the encryption layer; the enterprise door has the complete control picture. Comparing compliance-focused vendors? The Paubox comparison draws the boundary honestly.
Questions, answered plainly
How can you erase data and keep an audit trail at once?
GDPR erasure by crypto-shred: destroying a key destroys the data it protected, without corrupting the tamper-evident audit ledger. The record of events survives, and the personal data inside them doesn't.
Do you offer a DPA?
Yes — the data processing agreement is published, and DPA status is tracked in-product alongside consent records and subprocessor tracking, so the paperwork and the system agree.
Where does data live?
Data residency tagging covers the EU today. We state the region that exists rather than selling regions that don't yet.
What wins: legal hold or an erasure request?
Legal hold, while it's active — held records survive deletion requests for as long as litigation requires, and normal erasure resumes when the hold lifts. The precedence is deliberate and visible, not a quiet exception.