GDPR Readiness - Comprehensive Proof Document

Version: 1.0.0
Last Updated: 18-11-2025
Status: GDPR Compliant - Production Ready
Legal Entity: Chain-Fi Limited (England & Wales)
Data Protection Officer: privacy@chain-fi.io


Overview

This document provides comprehensive evidence of ChainGuard's GDPR compliance across all technical and organizational measures. It maps GDPR articles to specific technical implementations, organizational procedures, and architectural evidence.

ChainGuard (operated by Chain-Fi Limited, registered in England & Wales) is a non-custodial Web3 security and identity infrastructure platform that has implemented comprehensive technical and organizational measures to ensure full GDPR compliance.


Key Compliance Highlights

Data Controller Status: ChainGuard acts as a controller for initial onboarding, account creation, and KYC/AML checks
Data Minimization: Only collects data strictly necessary for service delivery, security, and legal compliance
Purpose Limitation: Clear privacy policy, consent management, and scope-based data access
Storage Limitation: Automated retention policies with defined retention periods
Data Subject Rights: Full implementation of all GDPR rights (access, rectification, erasure, portability, restriction, objection)
Security by Design: AES-256 encryption at rest, TLS 1.3+ in transit, RBAC, network segmentation
Article 30 Records: Comprehensive compliance logging of all data processing activities
Data Protection Impact Assessments: Privacy impact assessments for new features
Breach Notification: 72-hour notification procedures in place
Sub-Processor Management: Risk assessment and contractual safeguards for all vendors


Legal Basis for Processing

Processing Activity | Legal Basis (GDPR Art. 6) | Evidence
Account Creation & Authentication | Contract Performance (6(1)(b)) | User agreement, Terms of Service
KYC/AML Checks | Legal Obligation (6(1)(c)) | AML directives, regulatory requirements
Security Logging | Legitimate Interest (6(1)(f)) | Security policy, fraud prevention
Billing & Tax Records | Legal Obligation (6(1)(c)) | UK/EU tax law, VAT requirements
Marketing Communications | Consent (6(1)(a)) | Opt-in consent, unsubscribe mechanism
Service Improvement Analytics | Legitimate Interest (6(1)(f)) | Privacy policy, anonymization

For detailed information on legal basis, see our Data Protection & Privacy page.


Data Subject Rights Implementation

ChainGuard provides comprehensive mechanisms for users to exercise their GDPR rights:

Right to Access (Article 15)

  • User data export via OAuth Portal
  • Response within one month
  • Portable data formats (JSON/CSV)
  • Complete data package including profile, wallets, transactions, consent history

Right to Rectification (Article 16)

  • Profile update capabilities in OAuth Portal
  • Self-service portal for correctable data
  • Email update with verification
  • All changes logged in compliance_events

Right to Erasure (Article 17)

  • Account deletion procedures
  • Automated deletion of non-essential data
  • Retention of legally required records (tax, AML)
  • Subject to legal retention requirements (6-7 years for tax, 5 years for AML)

Right to Portability (Article 20)

  • Data export in machine-readable format (JSON/CSV)
  • Complete user data package
  • Secure download link

Right to Restriction (Article 18)

  • Account suspension capabilities
  • Data restriction procedures
  • Processing limited to legal obligations only

Right to Object (Article 21)

  • Marketing opt-out mechanism
  • Objection to processing based on legitimate interest
  • Clear objection procedures

Request Channel: privacy@chain-fi.io

For detailed information on data subject rights, see our Data Protection & Privacy page.


Data Protection by Design & by Default

Technical Measures

Encryption:

  • At Rest: AES-256 for databases, file storage, key management
  • In Transit: TLS 1.3+ for all HTTP/HTTPS, mTLS for service-to-service
  • Key Management: Hashicorp Vault with rotation policies

Access Controls:

  • Multi-factor authentication (password + wallet-based 2FA)
  • Role-based access control (RBAC)
  • OAuth scope-based access
  • Principle of least privilege
  • Annual access reviews

Pseudonymization:

  • User IDs, emails, wallet addresses hashed in logs
  • Device fingerprints hashed
  • Transaction data pseudonymized where possible

Network Security:

  • Network segmentation (5 security zones)
  • Firewall rules and DDoS protection
  • WAF (Web Application Firewall)
  • Intrusion detection and prevention

Organizational Measures

Privacy Impact Assessments:

  • Mandatory for all new features processing personal data
  • Risk assessment and mitigation measures
  • Documentation and approval process

Staff Training:

  • Regular GDPR compliance training
  • Data protection awareness
  • Security best practices

Audit Trails:

  • Comprehensive logging of all data access and processing
  • Immutable log storage
  • Access controls on log data
  • 7-year retention

Incident Response:

  • Detailed breach response plan
  • 72-hour notification procedures
  • Roles and responsibilities defined
  • Communication procedures

For detailed technical architecture, see our System Architecture Overview documentation.


Data Processing Records (Article 30)

ChainGuard maintains comprehensive records of all data processing activities:

Compliance Logger Service:

  • Tracks all data processing activities
  • Storage: PostgreSQL compliance_events table
  • 7-year retention
  • Immutable log storage

Event Categories:

  • Authentication events (login, logout, registration)
  • OAuth events (authorization grants, token issuance)
  • Data modification events (profile updates, wallet linking)
  • Security events (failed logins, suspicious activity)
  • 2FA events (setup, verification, resets)
  • Access control events (permission changes, role assignments)

Log Format:

  • Structured JSON with standardized fields
  • Timestamp, user ID, event type, IP address, user agent, metadata
  • Access controls on log data
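The pseudonymization and log-format points above, as an added example that is not ChainGuard's own code: it builds one structured compliance event in which the direct identifiers (user ID, email, wallet address, device fingerprint) are replaced by a keyed hash before the record is serialized. The keyed HMAC-SHA256 construction, the field names and the demo key are assumptions; the page only states that these identifiers are hashed in logs.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In a real deployment the key would be held in the
# key management service (the page names Hashicorp Vault) and rotated; a keyed
# hash is assumed here so the hashed identifiers cannot be brute-forced from
# the log store alone.
PSEUDONYMIZATION_KEY = b"constructed-demo-key-do-not-use"

# Assumed field names for the identifiers the page says are hashed in logs.
PSEUDONYMIZED_FIELDS = ("user_id", "email", "wallet_address", "device_fingerprint")


def pseudonymize(value: str) -> str:
    """Keyed hash of an identifier: stable per value, so events for the same
    user can still be correlated, but the raw identifier is not recoverable
    from the log entry. Input is normalized so case variants map to one token."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(PSEUDONYMIZATION_KEY, normalized, hashlib.sha256).hexdigest()


def build_compliance_event(event_type: str, user_id: str, ip_address: str,
                           user_agent: str, metadata: dict) -> dict:
    """Build one compliance_events record with the standardized fields listed
    on the page. Identifier fields inside the free-form metadata are hashed
    too, so a caller cannot leak an email or wallet address through metadata."""
    safe_metadata = {
        key: pseudonymize(val) if key in PSEUDONYMIZED_FIELDS and isinstance(val, str) else val
        for key, val in metadata.items()
    }
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "event_type": event_type,
        "user_id": pseudonymize(user_id),
        "ip_address": ip_address,
        "user_agent": user_agent,
        "metadata": safe_metadata,
    }


def serialize(event: dict) -> str:
    """Serialize to compact, key-sorted JSON, one line per event."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def contains_raw_identifier(line: str, raw_values) -> bool:
    """Guard for tests or a log pipeline: True if any raw identifier survived."""
    return any(raw in line for raw in raw_values)
```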

For detailed information on compliance logging, see our System Architecture Overview documentation.


Data Retention Policies

Data Category | Retention Period | Legal Justification
Billing & Tax Records | 6-7 years | UK/EU tax law
AML Logs | 5 years | AML directives
General Logs | 6-36 months | Security & debugging
KYC Data | Based on provider | Sumsub retention policy
Wallet & Device Binding | As long as account exists | Service delivery
Compliance Events | 7 years | ISO 27001, GDPR

Automated retention policies ensure data is deleted after the retention period (subject to legal requirements).

For detailed information on data retention, see our Data Protection & Privacy and Governance & Record-Keeping pages.


Security of Processing

Encryption

At Rest:

  • PostgreSQL: AES-256 encryption (cloud provider managed)
  • File Storage: AES-256 encryption
  • Key Management: Hashicorp Vault with encrypted key storage

In Transit:

  • TLS 1.3+ for all HTTP/HTTPS communications
  • mTLS for service-to-service authentication
  • Certificate management with automated rotation

Access Controls

  • Multi-factor authentication (password + wallet-based 2FA)
  • Role-based access control (RBAC)
  • OAuth scope-based access
  • Principle of least privilege
  • Annual access reviews

Network Security

  • Network segmentation (5 security zones)
  • Firewall rules and DDoS protection
  • WAF (Web Application Firewall)
  • Intrusion detection and prevention

For detailed security architecture, see our System Architecture Overview documentation.


Data Breach Notification

Article 33 - Notification to Supervisory Authority

Procedure:

  1. Detection via automated monitoring, security event detection, or user reports
  2. Assessment by security team (severity and impact)
  3. Notification coordinated by DPO to supervisory authority within 72 hours
  4. Documentation of breach details, affected data, and mitigation measures

Roles:

  • Security Engineering Lead: Incident commander, breach assessment
  • Data Protection Officer: Coordinates notification to supervisory authority
  • Backend Engineering Team: Technical investigation and remediation

Article 34 - Communication to Data Subject

Procedure:

  • High-risk breaches: notification to affected users
  • Communication via email to registered email address
  • Clear explanation of breach, risks, mitigation measures, and contact information

For detailed incident response procedures, see our System Architecture Overview documentation.


Data Transfers & Third Countries

Transfer Locations

  • UK: Primary data storage (Chain-Fi Limited registered in England & Wales)
  • EU: Data replication for EU users
  • US: Cloud infrastructure (with appropriate safeguards)

Transfer Safeguards

EU → US Transfers:

  • Standard Contractual Clauses (SCCs)
  • DPA with cloud providers and sub-processors

UK → US Transfers:

  • UK International Data Transfer Agreement (IDTA) or Addendum to EU SCCs
  • DPA with cloud providers and sub-processors

Other Regions:

  • Equivalent safeguards as required by local law (PDPA, UAE DP Law, APPI, PIPA)

For detailed information on data transfers, see our Data Protection & Privacy page.


Sub-Processors & Vendor Management

Sub-Processor Inventory

Sub-Processor | Purpose | Location | Safeguards
Stripe | Payment processing | US, EU | DPA, SOC 2 Type II
Sumsub | KYC/AML (optional) | EU, US | DPA, ISO 27001, SOC 2
Cloud Provider | Infrastructure | UK, EU, US | DPA, SCCs, ISO 27001
Logging/Monitoring | Operational logs | EU, US | DPA, SCCs

Vendor Management Process

Onboarding:

  1. Security questionnaire
  2. Compliance certification review (ISO 27001, SOC 2, GDPR)
  3. Contract negotiation (DPA, liability clauses)
  4. Risk assessment
  5. Approval process

Ongoing Management:

  • Annual security assessments
  • Regular contract reviews
  • Incident notification procedures
  • Performance monitoring
  • Compliance verification

For detailed information on sub-processors, see our Data Protection & Privacy page.


GDPR Article Mapping

This document provides comprehensive mapping of GDPR articles to technical implementations. Key articles covered:

Chapter I - General Provisions

Chapter II - Principles

Chapter III - Rights of the Data Subject

Chapter IV - Controller and Processor

Chapter V - Transfers


Architecture Evidence

System Architecture Documentation

Primary Reference: System Architecture Overview

Key Sections:

  • Data Protection Architecture (GDPR Alignment)
  • Encryption Architecture
  • Security Architecture
  • Audit Logging Architecture
  • Access Control Matrix
  • ISO 27001 Compliance Architecture

Component Architecture Documents:

  • Backend Server Architecture - Authentication, OAuth, compliance logging
  • OAuth Portal Architecture - User management, consent screens, data export
  • Frontend DApp Architecture - Privacy policy, compliance center
  • Mobile App Architecture - 2FA, secure storage
  • Forwarder Server Architecture - Transaction processing, security
  • Blockchain Listener Architecture - Transaction monitoring
  • Payment Service Architecture - Payment processing, Stripe integration
  • Vault Architecture - Non-custodial vault operations


Compliance Monitoring & Auditing

Internal Auditing

Compliance Monitoring:

  • Regular review of compliance logs
  • Access control audits
  • Data retention policy compliance
  • Sub-processor monitoring
  • Security event analysis

Audit Frequency:

  • Access Reviews: Annual
  • Compliance Log Review: Quarterly
  • Security Audits: Annual
  • Vendor Assessments: Annual
  • DPIA Reviews: As needed (new features)

External Auditing

Certifications & Assessments:

  • ISO 27001: Architecture ready for certification
  • SOC 2: Sub-processors (Stripe, Sumsub) certified
  • GDPR Compliance: Self-assessment and comprehensive documentation

Audit Readiness:

  • Comprehensive documentation
  • Evidence trail for all processing activities
  • Compliance logging (7-year retention)
  • Access controls and audit trails

Full Documentation

This page provides the complete GDPR Readiness Proof Document with detailed article-by-article mapping, technical implementations, and evidence trail.

This comprehensive document includes:

  • Complete GDPR article mapping (50+ articles)
  • Technical implementation evidence
  • Organizational measures documentation
  • Architecture references
  • Compliance monitoring procedures
  • Full evidence trail


Contact

Data Protection Officer (DPO)
Email: privacy@chain-fi.io

Privacy Inquiries
Email: privacy@chain-fi.io

Legal Entity
Chain-Fi Limited
Registered in England & Wales

