GDPR & Data Protection
Carbon Connect is designed with data protection as a core principle, not an afterthought. Because the platform serves European businesses, GDPR compliance is embedded in its architecture and operations.
What Data We Collect
Carbon Connect processes six categories of data:
| Category | Examples | Purpose | Contains Personal Data? |
|---|---|---|---|
| User data | Email, name, password hash, role | Account management and authentication | Yes |
| Company data | Company profile, NACE codes, carbon profile, emissions data | Grant matching and eligibility assessment | Limited (business data) |
| Grant data | Titles, descriptions, eligibility criteria, deadlines | Grant discovery and search | No (public data) |
| Generated content | AI-drafted application sections | Application assistance | Limited |
| Documents | User-uploaded application attachments | Application submission support | Potentially |
| Operational data | Logs, metrics, sync history | Platform operation and improvement | Minimal |
Data Minimization
We follow the GDPR principle of data minimization -- we only collect data that is necessary for the platform to function. We do not collect data "just in case" or for undisclosed purposes. Every field has a clear, documented purpose tied to a platform feature.
Where Data Is Stored
All data is stored within the European Union, specifically in the eu-north-1 (Stockholm) AWS region.
| Storage System | What It Holds | Encryption | Location |
|---|---|---|---|
| PostgreSQL (RDS) | User accounts, company profiles, grants, matches, applications | AES-256 with AWS KMS keys | EU (Stockholm) |
| S3 (Documents) | Uploaded application attachments, tenant-scoped | AES-256 server-side encryption | EU (Stockholm) |
| S3 (Media) | Logos, photos, media files | AES-256 server-side encryption | EU (Stockholm) |
| S3 (Logs) | Application and access logs | AES-256 server-side encryption | EU (Stockholm) |
| Valkey (Cache) | Temporary session data, task queues | At-rest + in-transit encryption | EU (Stockholm) |
| Meilisearch | Search index (non-PII grant data only) | Encrypted filesystem | EU (Stockholm) |
Data Stays in EU Infrastructure
All storage, backups, and processing on our own infrastructure occur within EU data centers; no customer data is replicated to non-EU regions. The only data that leaves our infrastructure goes out in the third-party API calls listed under Third-Party Data Processing (Claude, Climatiq), which transmit only the minimum data necessary for the specific operation. Climatiq is EU-based; Claude is operated by Anthropic in the US, so that transfer is a cross-border one and requires a data processing agreement with the provider. Each provider maintains its own GDPR compliance program.
Encryption
At Rest
Every piece of stored data is encrypted:
| System | Encryption Standard | Key Management |
|---|---|---|
| Database | AES-256 | Customer-managed AWS KMS key |
| File storage | AES-256 server-side encryption (SSE-S3, or SSE-KMS where S3 Bucket Keys are in use) | AWS-managed keys (S3 Bucket Keys apply only to SSE-KMS, not to SSE-S3) |
| Cache | Native at-rest encryption | AWS-managed |
In Transit
All data in motion is encrypted with TLS 1.2+:
- Browser to load balancer
- Load balancer to application servers
- Application servers to database
- Application servers to cache
- Application servers to file storage
Access Controls
Multi-Tenant Isolation
Every customer's data is isolated through row-level security enforced at the database level. This means:
- One customer can never query, view, or modify another customer's data
- The isolation is enforced by the database engine itself, not just by application logic
- File storage is partitioned by tenant (s3://bucket/tenant-{id}/)
- Even internal team access follows the same isolation rules
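The database-enforced isolation described above can be built with PostgreSQL row-level security. The block below is an added example written for this page, not Carbon Connect's own schema or policies: the table (companies), the application role (app_user), the per-session setting (app.tenant_id) and the tenant UUIDs are assumed, constructed names and values. It also shows the two details that decide whether "enforced by the engine, not the application" actually holds: FORCE ROW LEVEL SECURITY (so the table owner is not exempt) and a policy that fails closed when no tenant has been bound.

```sql
-- Added example, not Carbon Connect's schema. Assumed names: table companies,
-- role app_user, per-session setting app.tenant_id; UUIDs are sample values.
CREATE TABLE companies (
    id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id uuid NOT NULL,
    name      text NOT NULL,
    nace_code text
);

-- Seed two tenants' rows (constructed data) before RLS is switched on;
-- once FORCE is set, even the owner can only write through a policy.
INSERT INTO companies (tenant_id, name) VALUES
    ('11111111-1111-4111-8111-111111111111', 'Nordic Steel AB'),
    ('22222222-2222-4222-8222-222222222222', 'Baltic Timber OU');

-- The application connects as a role that does NOT own the table and has no
-- BYPASSRLS attribute. Superusers and BYPASSRLS roles ignore RLS entirely.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON companies TO app_user;

ALTER TABLE companies ENABLE ROW LEVEL SECURITY;
-- ENABLE alone still exempts the table owner (for example a migration role
-- that also serves requests). FORCE applies the policies to the owner too.
ALTER TABLE companies FORCE ROW LEVEL SECURITY;

-- One policy for reads (USING) and writes (WITH CHECK).
-- current_setting(name, true) yields NULL when the setting was never set and
-- '' after a SET LOCAL has been reverted; NULLIF maps both to NULL, the
-- comparison becomes NULL, and the policy denies. A request that forgot to
-- bind a tenant therefore sees zero rows instead of every tenant's rows.
CREATE POLICY tenant_isolation ON companies
    FOR ALL TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request: authenticate the user, then bind the tenant for this
-- transaction only. SET LOCAL reverts at COMMIT/ROLLBACK, so a pooled
-- connection never carries one tenant's id into the next request.
SET ROLE app_user;
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-4111-8111-111111111111';
SELECT name FROM companies;          -- only 'Nordic Steel AB' is visible
INSERT INTO companies (tenant_id, name)
    VALUES ('11111111-1111-4111-8111-111111111111', 'Nordic Steel Subsidiary AB');  -- allowed
COMMIT;

-- Inside such a transaction an insert for another tenant is rejected by
-- WITH CHECK and the transaction is aborted:
--   INSERT INTO companies (tenant_id, name)
--       VALUES ('22222222-2222-4222-8222-222222222222', 'Intruder Co');
--   ERROR:  new row violates row-level security policy for table "companies"
-- With no tenant bound at all, SELECT * FROM companies returns no rows.
```

Application code should bind the tenant with a parameter, for example SELECT set_config('app.tenant_id', $1, true), rather than interpolating the id into a SET statement, which accepts no bind parameters. Internal and support tooling should connect as a policy-covered role as well; that is what makes "internal team access follows the same isolation rules" true at the engine level rather than by convention.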
User Authentication
- Passwords are never stored in readable form (bcrypt hashing)
- Sessions use JWTs with configurable expiration
- Token blacklisting enables immediate revocation before a token's natural expiry; a blacklist entry only needs to live until the token it names would have expired anyway
- Failed login attempts are rate-limited
Infrastructure Access
- All credentials stored in AWS Secrets Manager (never in code)
- Infrastructure access requires IAM roles with least-privilege permissions
- Every access to secrets is logged and auditable
- Network security groups restrict which systems can communicate
Data Subject Rights (DSR)
Under GDPR, individuals have specific rights regarding their personal data. Here is our implementation status:
| Right | Description | Status |
|---|---|---|
| Right to access | Users can request a copy of their data | Planned (/api/v1/users/me/export) |
| Right to rectification | Users can correct inaccurate data | Implemented (profile editing) |
| Right to erasure | Users can request deletion of their data | Planned (soft delete with 30-day grace period) |
| Right to portability | Users can receive data in machine-readable format | Planned (JSON export) |
| Right to restriction | Users can limit processing of their data | Planned |
| Right to object | Users can object to specific processing activities | Planned |
DSR Implementation Timeline
Export and deletion endpoints are planned for implementation before production launch. The architecture supports these capabilities -- the remaining work is building the specific API endpoints and administrative workflows.
GDPR requires a response to a data subject request without undue delay and in any event within one month of receipt; that period may be extended by two further months for complex or numerous requests, provided the data subject is informed within the first month.
Data Retention
| Data Type | Retention Policy | Notes |
|---|---|---|
| Active accounts | Retained while account is active | User-controlled |
| Deleted accounts | 30-day soft delete, then permanent deletion | Grace period for accidental deletion |
| Application logs | 365 days | Compliance and debugging |
| S3 documents | Intelligent Tiering: Archive after 90 days, Deep Archive after 180 days | Cost-optimized long-term storage |
| Non-current file versions | 90 days (documents), 30 days (media) | Automatic cleanup |
| Grant data | Retained indefinitely | Public data, no PII |
| Generated AI content | Retained with associated application | Follows application lifecycle |
Retention Policy Formalization
Formal retention periods by data category are being finalized for production. The technical infrastructure (S3 lifecycle policies, database capabilities) is already in place.
Security Controls Supporting GDPR
| GDPR Principle | How We Implement It |
|---|---|
| Lawfulness, fairness, transparency | Clear data collection purposes; no hidden processing |
| Purpose limitation | Each data field has a documented purpose tied to a feature |
| Data minimization | Only necessary data collected |
| Accuracy | Users can update their data at any time |
| Storage limitation | Lifecycle policies and retention schedules |
| Integrity and confidentiality | AES-256 encryption, TLS, access controls, audit logging |
| Accountability | Automated security scanning, infrastructure-as-code, documented controls |
Third-Party Data Processing
| Service | Data Shared | Purpose | GDPR Status |
|---|---|---|---|
| Anthropic (Claude) | Company description, grant requirements (minimal) | Application text generation | US-based; data processing agreement required |
| Climatiq | Activity data (kWh, liters, km) | Emission factor calculations | EU-based; GDPR compliant |
| AWS | All platform data (encrypted) | Infrastructure hosting | EU region (Stockholm); GDPR compliant |
| Meilisearch | Grant text (non-PII) | Search index | Self-hosted on AWS EU infrastructure |
Compliance Roadmap
| Item | Status | Priority |
|---|---|---|
| Core encryption (at rest + in transit) | Implemented | -- |
| Multi-tenant data isolation | Implemented | -- |
| Secrets management | Implemented | -- |
| Audit logging | Implemented | -- |
| Automated security scanning | Implemented | -- |
| DSR export/delete endpoints | Planned | High |
| Formal retention policy | Planned | High |
| Data Protection Impact Assessment (DPIA) | Planned | High |
| Data Processing Agreement (DPA) template | Planned | Medium |
| Cookie consent management | Planned | Medium |