EU General Data Protection Regulation

GDPR-compliant workflow automation infrastructure

Automation platforms process data on behalf of your business — connecting apps, transforming records, triggering workflows. When that data includes personal information, your automation infrastructure is a GDPR data processor. We ensure yours is compliant.

What is the GDPR?

Workflow automation platforms sit at the intersection of your entire software stack. Every webhook received, every API call made, every record transformed may contain personal data. GDPR applies to every system that processes personal data, not just the database where it rests. That includes your automation platform.

  • In force since: 25 May 2018
  • Scope: Any org processing EU personal data
  • Max fine: €20M or 4% of global turnover
  • Breach reporting: 72 hours

Key GDPR obligations for automation platforms

Automation platforms are data processors — they handle personal data flowing between your business systems. These six articles govern what obligations that creates.

1. Art. 5 — Principles of processing

Automation workflows must process data only for the purposes for which it was collected. Logging of personal data within workflow runs should be minimized and subject to retention limits. We support configurable execution log retention.

2. Art. 6 — Lawful basis

Processing personal data via automation requires a valid lawful basis — typically the same basis that applies to the original data (contract, legitimate interest). Automation is a processing activity and should appear in your Record of Processing Activities (Art. 30).

3. Art. 17 — Right to erasure

If a data subject requests deletion, you must remove personal data from workflow execution logs and any intermediate storage. We support configurable log retention windows and execution history purge.

4. Art. 28 — Data Processor

We act as your data processor for any personal data processed through managed workflows. Our DPA covers Activepieces, Kestra, and Flowise — and the infrastructure sub-processors involved.

5. Art. 32 — Security of processing

Automation platforms need the same security as any data processor. Our deployments use encrypted storage, isolated tenant environments, and access controls — protecting personal data processed through workflows.

6. Art. 33 — Breach notification

If a breach affects personal data on our managed automation infrastructure, we notify you within 72 hours so you can meet your reporting obligation to your supervisory authority.

Art. 30 — automation as a documented processing activity

Under GDPR Art. 30, data controllers must maintain a Record of Processing Activities (RoPA). The processing your automation platform performs is likely one of those activities: it handles personal data from CRMs, support systems, marketing tools, and more.

  • Document your automation workflows in your RoPA: what data flows through each workflow, for what purpose, and under which lawful basis
  • Data minimization in automation: workflows should only request the fields they need — avoid passing full records when only one attribute is required
  • Execution logs: configure retention limits so the system purges personal data in workflow execution logs after your defined retention period

What we provide for GDPR compliance

  • Data Processing Agreement (DPA) on request
  • EU data residency — Nuremberg (primary) + Falkenstein (DR)
  • Audit logs retained and exportable
  • Data export on request (Art. 20 portability)
  • Data deletion on request (Art. 17 erasure)
  • 72-hour breach notification to you (Art. 33)
  • Encrypted backups stored within the EU
  • Sub-processor list available on request

Automation platform processing personal data?

Request our DPA for your managed automation infrastructure and discuss how to document your workflows in your Record of Processing Activities.
