GDPR Erasure module · Complement to DPO Assist

DPO Assistant — GDPR Erasure: obsolete data purging with proof.

Keeping your GDPR register up to date is not enough. Real compliance means having erased data you no longer have the right to keep, and being able to prove it to the regulator. DPO Assistant observes your infrastructure, identifies files and records that have exceeded their retention period, presents them grouped, and deletes them in two steps with cryptographic proof. Your DPO moves from Excel spreadsheet manager to decision validator. Built for banks, life insurance, hospitals, trustees, SMEs and mid-sized companies in Luxembourg and cross-border.

Main features

What the software actually does.

We find data that should have been erased yesterday

The tool connects to Microsoft 365, Google Workspace, SharePoint, your ECM, your databases, your network shares. It knows that a life insurance contract terminated 11 years ago should have been erased. It shows you the list, by client, by document type, with the count. No more bad surprises during a CNPD audit.

Two-step erasure: nothing gets broken by accident

First step: the document goes into quarantine, in an encrypted vault no business user sees. At its old location, a tombstone reads "this document is being deleted, contact the DPO". Second step: 30 to 120 days later, depending on sensitivity, the document is definitively deleted and a proof is generated, containing the cryptographic hash of the original file, the applied rule and the validator's identity. If an employee needs the document during quarantine, they can retrieve it in one click.
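A sketch of what such a deletion proof can look like, as an added example that is not DPO Assistant's own code. The field names, the function names and the HMAC-SHA256 tag that makes the record tamper-evident are assumptions; the page only states that the proof holds the file hash, the applied rule and the validator identity, and that quarantine lasts 30 to 120 days.

```python
import hashlib
import hmac
import json
from datetime import date

MIN_DAYS, MAX_DAYS = 30, 120  # quarantine window stated on the page


def _canonical(record: dict) -> bytes:
    # Stable serialisation, so the same record always yields the same MAC.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_erasure_proof(content: bytes, rule: str, validator: str, quarantined_on: date,
                        deleted_on: date, quarantine_days: int, key: bytes) -> dict:
    """Return a proof record for a definitive deletion; refuse if quarantine is not over."""
    if not MIN_DAYS <= quarantine_days <= MAX_DAYS:
        raise ValueError("quarantine period must be 30 to 120 days")
    elapsed = (deleted_on - quarantined_on).days
    if elapsed < quarantine_days:
        raise ValueError(f"only {elapsed} of {quarantine_days} quarantine days elapsed")
    record = {
        "sha256": hashlib.sha256(content).hexdigest(),  # hash of the original file
        "rule": rule,                                   # retention rule applied
        "validator": validator,                         # who approved the deletion
        "quarantined_on": quarantined_on.isoformat(),
        "deleted_on": deleted_on.isoformat(),
    }
    record["mac"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_proof(record: dict, key: bytes) -> bool:
    """True only if no field was altered after the record was issued."""
    body = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(record.get("mac", "")))


def matches_file(record: dict, candidate: bytes) -> bool:
    """True if `candidate` is byte-identical to the file the proof covers."""
    return hmac.compare_digest(record["sha256"], hashlib.sha256(candidate).hexdigest())


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: real key lives in a secrets manager
    doc = b"Constructed sample: life insurance contract terminated in 2013"
    proof = build_erasure_proof(doc, "life-insurance-10y", "dpo@example.test",
                                date(2025, 1, 6), date(2025, 3, 7), 60, key)
    print(json.dumps(proof, indent=2), verify_proof(proof, key))
```

The record deliberately contains no file content, yet anyone holding a copy of the file can confirm it against the hash, so the proof store needs the same access control as the register itself.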

Your employees search for a document, they know in 2 seconds

Dedicated internal portal: you type a name, a client or a period, and you immediately see whether the document is active, in quarantine (with planned deletion date), or definitively deleted (with date and applied rule). For a document in quarantine, any employee can submit a reasoned restoration request to the DPO. No more "can you find the Smith contract signed in 2019?" emails.

Your GDPR register updates by itself

The Article 30 record of processing is no longer an Excel sheet gathering dust between audits. It builds itself from what the tool observes: who processes what, for what purpose, for how long. When you remove a processing activity, the register updates. When the CNPD asks for your register, you export it as PDF or CSV in two clicks. The same goes for the breach register (72h notification pre-filled) and data subject request tracking.

AI, but without sending your sensitive data to OpenAI

The tool automatically chooses where to run each AI computation based on sensitivity. An explanation note about a client terminated 11 years ago? Fine for Claude or OpenAI in European cloud. An analysis of a contract covered by banking or insurance secrecy? Exclusive routing to an AI model installed on your own server (vLLM, Ollama, local Mistral). No outbound internet traffic. That's what makes the tool usable by banks under Article 41 LSF.

Connected to your infrastructure without an endless project

Native ready-to-use connectors for Microsoft 365, Google Workspace, SharePoint, Box, Dropbox, Alfresco, Nuxeo, M-Files, Salesforce, HubSpot, Dynamics 365, Odoo, SAP, Sage, PostgreSQL, MySQL, SQL Server, Oracle. You have a home-built app? You describe its API in natural language, AI generates the connector, we review, we deploy. A few days instead of months.

Your DPO gets time back for real advisory work

Today, your DPO spends half their time on admin tasks: keeping the register up to date, chasing business teams on retention durations, preparing audit exports. With DPO Assistant, those tasks are automated. Your DPO validates high-stakes decisions, advises management on real topics, and passes CNPD inspections without stress.

Realistic demo on fictitious data before any purchase

Before you sign anything, we run the tool on a demo environment simulating a real Luxembourg life insurer (1,850 active contracts, 320 terminated). You see the 47 contracts expired for more than 10 years, you launch the erasure, you see the search portal in action, you generate the 72h CNPD notification. No slides, no promises: the tool on realistic data.

Use cases

Who it is for, and in what context.

Luxembourg life insurer or Free Provision of Services: obligation to keep AML/CFT records 5 years post-relationship and contracts up to 10 years. Beyond that, you should erase. DPO Assistant does it for you and keeps the proof.

Bank or PSF under Article 41 LSF banking secrecy: AI routing exclusively on-premise, no covered data leaves your premises. CSSF is comfortable.

Hospital or clinic: specific medical retention durations (20 years on average, longer for paediatrics), fine-grained management of Article 9 GDPR health data.

External DPO managing 10, 20, 50 clients: multi-organisation, data isolated between clients, one dashboard per mandate.

SME with 50+ staff that has never really erased a piece of data: we start with an audit, structure the register, launch the first quarantines, prove it.

Regulatory compliance

Regulatory compliance covered.

  • GDPR: automated Article 30 register, Article 17 execution (right to erasure) with proof, 72h Article 33 notifications, documented Article 35 DPIA.
  • Luxembourg law of 1 August 2018: CNPD organisation, sector-specific retention durations (5 years AML, 10 years life insurance, etc.).
  • NIS 2, DORA: the platform integrates into your ICT governance and feeds your Register of Information.
  • Article 41 LSF banking secrecy, insurance secrecy: exclusive on-premise AI routing, no outbound to public cloud.
  • AI Act 2024/1689: systematic human oversight on every erasure proposal, transparency on AI use, input/output logging.
  • European hosting by default, fully on-premise mode possible for the most sensitive sectors.

Architecture · Hosting

Technical stack and data sovereignty.

EU sovereign stack: Next.js web app, Python/FastAPI backend, PostgreSQL 16 database, configurable AI engine (Claude/OpenAI/Mistral in European cloud, or vLLM/Ollama/Llama/Qwen on-premise). AES-256 encrypted storage, keys in HashiCorp Vault, mandatory multi-factor authentication, Microsoft Entra ID or Keycloak SSO. Luxembourg Tier IV hosting by default, 100% on-premise mode for banks under Article 41 LSF secrecy. No critical dependency on any non-European hyperscaler.

FAQ

Frequently asked questions

Concretely, what do you do beyond an Excel register?
An Excel register describes what you should do. DPO Assistant does it. Your contracts terminated 11 years ago are still lying in SharePoint: Excel doesn't see them, DPO Assistant finds them, presents the list, and runs the erasure with proof. That is the difference between claiming compliance and actually being compliant.

What if a still-useful document is deleted by mistake?
Practically impossible. Deletion happens in two phases: first 30 to 120 days in quarantine, accessible via the internal portal. During that period, anyone can request restoration from the DPO. Only after the quarantine period passes without objection does deletion become definitive. A quarter of the companies we work with restore at least one item in the first 6 months: proof that the safety net works.

Do you really guarantee no sensitive data goes to OpenAI?
Yes. The tool automatically classifies each AI task by sensitivity, 1 to 4. Level 4 (banking secrecy, insurance secrecy, Article 9 GDPR medical data): the computation runs exclusively on a local AI model installed on your infrastructure. No outbound internet connection for that task. That's what lets CSSF-supervised banks and hospitals use the tool without exception.

How long until operational?
6 months for a daily-usable version (inventory, obsolescence detection, erasure, internal portal), 12 months for the full version (automated registers, extended connectors, demo profile). You can start erasing from month 6.

How much does it cost?
Real-consumption pricing: monitored data volume, number of activated modules, AI consumption. For a 100-staff SME with 2 TB of documents: roughly 1,500 to 3,500 EUR/month. For a bank or insurer with on-premise and Article 41 LSF secrecy: 6,000 to 18,000 EUR/month. Tailored quote within 24h after initial scoping. Degressive pricing for multi-client external DPO firms.

Try this software on your real data.

POC with no long-term commitment. Tailored quote within one business day.