EU · 8 controls evidenced

    Continuous evidence for GDPR

    Article 32 security of processing + Article 33 breach notification.

    170+ checks · 10 layers · Results in <60s · No signup

    See your GDPR readiness in 60 seconds. Free, no signup.

    Sample evidence
    acme-corp.com · GDPR · Live
    • Art. 32(1)(a) Pseudonymisation & encryption: Encrypted transport (TLS 1.2+)
    • Art. 32(1)(b) Confidentiality of processing: Email authentication (SPF / DKIM / DMARC)
    • Art. 32(1)(b) Integrity of processing: Secure HTTP response headers
    • Art. 33 Notification of personal data breach: Credential exposure monitoring
    Updated continuously · 4 more controls not shown
    Why it matters

    GDPR in 30 seconds

    GDPR Article 32 demands appropriate technical measures considering the state of the art. Article 33 requires controllers to notify the supervisory authority within 72 hours of becoming aware of a personal data breach. You cannot meet either obligation without continuous external visibility.

    Scope

    Any organisation processing personal data of EU/EEA residents, regardless of where the organisation is established.

    Exposure

    Up to €20M or 4% of global annual turnover, whichever is higher.

    Clause-by-clause mapping

    How Security Monitor evidences GDPR

    Each row links a GDPR clause to the external check we perform and the evidence it produces. Mappings are reviewed by our compliance team and updated when standards change.

    TLS-1 · Art. 32(1)(a) Pseudonymisation & encryption
    Requires: Implement encryption of personal data, including in transit between data subject and controller.
    Evidence: Encrypted transport (TLS 1.2+). We verify the certificate chain, expiry, supported TLS versions and cipher suites on every public hostname.

    EMAIL-1 · Art. 32(1)(b) Confidentiality of processing
    Requires: Ensure ongoing confidentiality of processing systems, including authenticated email transport.
    Evidence: Email authentication (SPF / DKIM / DMARC). We resolve and validate SPF, DKIM and DMARC records, including DMARC enforcement policy and reporting addresses.

    WEB-1 · Art. 32(1)(b) Integrity of processing
    Requires: Hardened web-facing services to maintain integrity of personal data submitted via web forms.
    Evidence: Secure HTTP response headers. We test for HSTS, Content-Security-Policy, X-Frame-Options, Referrer-Policy, Permissions-Policy and X-Content-Type-Options on the live site.

    BREACH-1 · Art. 33 Notification of personal data breach
    Requires: Notify the supervisory authority within 72 hours of awareness of a personal data breach (Art. 33(1)) and affected data subjects (Art. 34) where the risk is high.
    Evidence: Credential exposure monitoring. We query Have I Been Pwned for breaches involving the monitored domain and surface affected accounts.

    REP-1 · Art. 32(1)(d) Process for testing & evaluating effectiveness
    Requires: A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.
    Evidence: Reputation & threat intelligence. We cross-check the domain and its IPs against VirusTotal, Shodan, Spamhaus, URLhaus and Google Safe Browsing.

    EXP-1 · Art. 5(1)(f) Integrity & confidentiality
    Requires: Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised access.
    Evidence: Exposed files & admin panels. We probe for publicly accessible .env, .git, backups, admin panels and other sensitive paths that should never be reachable.

    DNS-1 · Art. 32(1)(b) Resilience of processing systems
    Requires: Ensure ongoing availability and resilience of processing systems and services.
    Evidence: DNS hygiene & DNSSEC. We resolve A, AAAA, MX, NS, CAA and DNSSEC records and flag anomalies, dangling records and missing controls.

    SUB-1 · Art. 28 & Art. 30 Processors and records of processing
    Requires: Engage only processors providing sufficient guarantees and maintain records of processing including categories of recipients. The third-party data flow map surfaces which vendors actually receive personal data via your public site, the starting point for an accurate Art. 30 register (ROPA).
    Evidence: Third-party data flow map (subdomains & external services). We enumerate subdomains via Certificate Transparency logs, fingerprint every third-party service they load (analytics, payments, chat, CDNs, tag managers, ad networks, fonts) and map where browser-side data flows. This is the externally observable evidence regulators ask for under supplier, supply-chain and processor-inventory clauses.
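    As an added illustration of the EMAIL-1 check, the following grades DMARC TXT records for enforcement policy, coverage and reporting addresses. It is example code written for this page, not Security Monitor's own scanner; the domain names, records and grading thresholds are constructed assumptions.

```python
import re
# Constructed sample DMARC TXT records for illustration; not any real domain's records.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "strong.example": ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                       "rua=mailto:agg@strong.example; ruf=mailto:fail@strong.example"),
    "partial.example": "v=DMARC1; p=quarantine; pct=50",
    "broken.example": "v=spf1 include:_spf.example -all",  # an SPF record published at _dmarc
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag/value pairs (RFC 7489 tag-list syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def reporting_addresses(tags: dict, tag: str) -> list:
    """Mailbox targets from a rua/ruf tag: comma-separated mailto: URIs, optional !size suffix."""
    return re.findall(r"mailto:([^,!\s]+)", tags.get(tag, ""))

def evaluate_dmarc(record: str) -> dict:
    """Grade one record as an external check would: validity, enforcement, coverage, reporting."""
    tags = parse_dmarc(record)
    result = {"valid": tags.get("v") == "DMARC1", "enforced": False, "issues": []}
    if not result["valid"]:
        result["issues"].append("not a DMARC1 record")
        return result
    policy = tags.get("p", "").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    result.update(policy=policy, pct=pct, rua=reporting_addresses(tags, "rua"),
                  ruf=reporting_addresses(tags, "ruf"))
    if policy not in ("none", "quarantine", "reject"):
        result["issues"].append("p tag missing or invalid")
    elif policy == "none":
        result["issues"].append("p=none: monitoring only, failing mail is still delivered")
    elif pct < 100:
        result["issues"].append(f"pct={pct}: policy applied to only part of failing mail")
    else:
        result["enforced"] = True  # quarantine/reject at 100% is what "enforcement" means here
    if not result["rua"]:
        result["issues"].append("no rua address: aggregate reports are not collected")
    return result

def evaluate_all(records: dict = SAMPLE_RECORDS) -> dict:
    return {domain: evaluate_dmarc(rec) for domain, rec in records.items()}
```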
    Honest scope

    What we don’t cover for GDPR

    External monitoring is one part of compliance. These areas need other evidence — typically from your GRC platform, HR system, or internal logging:

    • Lawful basis assessment, data subject request workflow (Art. 6, 12-22)
    • DPIA documentation (Art. 35)
    • Internal staff training and awareness (Art. 39)

    See your GDPR readiness now

    One scan. Every clause on this page evaluated against your live domain. Auditor-ready PDF in your inbox.

    ISO 27001 aligned · SOC 2 Type II controls · GDPR compliant · AES-256 encryption