GDPR Compliance
Tayra provides built-in support for key GDPR requirements through its field-level encryption, crypto-shredding, and data subject access features. Rather than bolting compliance on as an afterthought, Tayra makes GDPR compliance a natural consequence of how your data is stored and managed.
GDPR Article Mapping
The following table maps specific GDPR articles to the Tayra features that help you comply:
| GDPR Article | Requirement | Tayra Feature |
|---|---|---|
| Art. 5 | Data minimization | Field-level encryption — only annotated fields are encrypted, keeping non-sensitive data accessible |
| Art. 15 | Right of access | Data Subject Access export — structured report of all PII held for a subject |
| Art. 17 | Right to erasure | Crypto-shredding — delete the key and all encrypted data becomes permanently unreadable |
| Art. 20 | Data portability | Portable JSON export — machine-readable export of personal data |
| Art. 25 | Data protection by design | Attribute-based encryption — [PersonalData] and [DataSubjectId] make protection declarative |
| Art. 30 | Records of processing | Audit trail — structured TayraAuditEvent records for all key lifecycle operations; PII Data Map — automated inventory of all PII fields, encryption status, and integration coverage |
| Art. 32 | Security of processing | AES-256-GCM authenticated encryption with per-subject keys |
| Art. 33 | Breach notification | Breach assessment — impact analysis and DPA notification report generation |
| Art. 34 | Communication to data subject | Breach report — subject notification content with recommended actions |
How It Works
Tayra's GDPR compliance is built on a simple principle: each data subject gets their own encryption key. This architecture enables:
- Crypto-shredding — Deleting a subject's key makes all their data permanently unreadable, fulfilling erasure requests without modifying database records.
- Key rotation — Keys can be rotated with versioning, so old data remains decryptable while new data uses the latest key.
- Data retention — A background service automatically shreds keys past their retention period.
- Access reporting — Registered entity providers feed data into structured reports that satisfy access and portability requests.
- Breach assessment — The key store is queried to determine exactly which subjects and data categories are affected by an incident.
Feature Pages
Tayra.Core (Essentials)
These features ship with Tayra.Core and provide the technical foundation for GDPR compliance:
- Crypto-Shredding — GDPR Art. 17 Right to Erasure
- Key Rotation — Versioned key management and re-encryption
- Key Retention — Automated data retention with TTL policies
- Partial Redaction — Masked values after crypto-shredding
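The per-subject-key principle described under How It Works, and the Tayra.Core crypto-shredding, key rotation and key retention features listed above, as an added, self-contained Go example. This is not Tayra's own code (Tayra is a .NET library); the in-memory `SubjectKeyStore`, the blob layout (version header, nonce, AES-256-GCM ciphertext), the function names and the "newest key older than TTL" retention rule are all assumptions of this example, chosen to show why deleting a key is sufficient for erasure and why versioning keeps older ciphertext readable after rotation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"sort"
	"time"
)

const nonceSize = 12 // standard GCM nonce length

var ErrShredded = errors.New("no key for subject: shredded or never keyed")

type keyVersion struct {
	key       []byte // 32 random bytes: AES-256
	createdAt time.Time
}

// SubjectKeyStore maps each data subject to its key versions (index v-1 holds
// version v). In-memory stand-in, assumed by this example, for a real KMS.
type SubjectKeyStore struct{ keys map[string][]keyVersion }

func NewSubjectKeyStore() *SubjectKeyStore {
	return &SubjectKeyStore{keys: map[string][]keyVersion{}}
}

// Rotate issues a new key version (1 for a new subject); older versions stay so
// ciphertext written under them remains readable. Returns the new version number.
func (s *SubjectKeyStore) Rotate(subject string, now time.Time) (uint32, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	s.keys[subject] = append(s.keys[subject], keyVersion{key: key, createdAt: now})
	return uint32(len(s.keys[subject])), nil
}

// Shred deletes every key version of the subject; the ciphertext rows may stay
// in the database, but nothing can decrypt them any more.
func (s *SubjectKeyStore) Shred(subject string) { delete(s.keys, subject) }

// ShredExpired is the retention policy: subjects whose newest key is older than
// ttl are shredded. It returns the shredded subject ids, sorted.
func (s *SubjectKeyStore) ShredExpired(now time.Time, ttl time.Duration) []string {
	var shredded []string
	for subject, versions := range s.keys {
		if now.Sub(versions[len(versions)-1].createdAt) > ttl {
			delete(s.keys, subject) // deleting during range is safe in Go
			shredded = append(shredded, subject)
		}
	}
	sort.Strings(shredded)
	return shredded
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the subject's newest key. Blob layout (this
// example's convention): 4-byte big-endian version || nonce || ciphertext+tag.
// The subject id is bound as associated data, so a blob cannot be moved to
// another subject's record.
func (s *SubjectKeyStore) Encrypt(subject string, plaintext []byte) ([]byte, error) {
	versions := s.keys[subject]
	if len(versions) == 0 {
		return nil, ErrShredded
	}
	aead, err := newGCM(versions[len(versions)-1].key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := make([]byte, 4, 4+nonceSize+len(plaintext)+aead.Overhead())
	binary.BigEndian.PutUint32(blob, uint32(len(versions)))
	blob = append(blob, nonce...)
	return aead.Seal(blob, nonce, plaintext, []byte(subject)), nil
}

// Decrypt opens a blob with the key version named in its header. After Shred
// the lookup fails with ErrShredded, which is what makes the erasure permanent.
func (s *SubjectKeyStore) Decrypt(subject string, blob []byte) ([]byte, error) {
	if len(blob) < 4+nonceSize {
		return nil, errors.New("blob too short")
	}
	want := int(binary.BigEndian.Uint32(blob[:4]))
	versions := s.keys[subject]
	if want == 0 || want > len(versions) {
		return nil, ErrShredded
	}
	aead, err := newGCM(versions[want-1].key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, blob[4:4+nonceSize], blob[4+nonceSize:], []byte(subject))
}
```

Two things the block makes concrete: erasure never touches the encrypted rows (only `Shred` runs, and `Decrypt` then fails with `ErrShredded`), and a rotation only changes which version new blobs name, so blobs written under version 1 still open after version 2 exists. Partial redaction and breach assessment sit on top of this same store: a presentation layer shows a masked value wherever `Decrypt` returns `ErrShredded`, and the set of subjects still present in the store is the population a breach assessment has to consider, since shredded subjects' data is already unreadable.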
Tayra.Compliance (Compliance Reporting)
These features require the separate Tayra.Compliance package and a Compliance edition license. They automate the reporting and tooling that GDPR requires — the data protection itself is already handled by Tayra.Core.
- Data Subject Access — GDPR Art. 15 and Art. 20 structured exports
- Breach Notification — GDPR Art. 33/34 incident assessment and notification reports
- PII Data Map — GDPR Art. 30 Records of Processing Activities
- Compliance Reports — Formatted HTML reports for Art. 30, Art. 15, Art. 33/34
See Also
- Getting Started — Installation and basic setup
- Attributes — PersonalData and DataSubjectId reference
- Key Stores — Production key store configuration
