Glossary

What is GDPR?

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the European Union's data protection law, applicable since 25 May 2018. It governs how organizations collect, process, store, and share the personal data of individuals in the EU and the European Economic Area, and it also reaches organizations established outside the EU when they offer goods or services to those individuals or monitor their behavior within the EU (Article 3).

Also known as: GDPR, General Data Protection Regulation

GDPR establishes seven core principles for data processing: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. The regulation grants individuals significant rights over their data, including the right to access, rectification, erasure ("right to be forgotten"), data portability, and the right to object to processing.

The integrity and confidentiality principle (Article 5(1)(f)) requires that personal data be processed in a manner that ensures "appropriate security," including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Article 32 requires controllers and processors to implement technical and organizational measures appropriate to the risk, and names the pseudonymization and encryption of personal data as examples of such measures. Under Article 33 a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals; Article 34 additionally requires affected individuals to be told when the breach is likely to result in a high risk to them. The maximum fine is EUR 20 million or 4% of total worldwide annual turnover, whichever is higher, for infringements of the core principles and of data subject rights (Article 83(5)); infringements of the security and notification obligations in Articles 32 to 34 fall under the lower tier of EUR 10 million or 2% (Article 83(4)).

GDPR's data minimization and storage limitation principles have direct implications for how organizations handle credentials and secrets. A password, API key, or access token tied to a named account is generally personal data in its own right, and it also unlocks whatever other personal data that account can reach. Keeping such secrets in email threads or persistent chat logs creates copies that serve no purpose after the hand-over yet must each be secured and eventually deleted. An organization that cannot demonstrate appropriate security measures for all data it holds, including operational secrets, faces regulatory risk under the accountability principle (Article 5(2)).

How Vaulted uses GDPR

Vaulted aligns with core GDPR principles by design. Data minimization is served by self-destructing links: a secret is deleted after a configured number of views or a configured expiry period, so no data is retained beyond its intended use. Storage limitation is enforced through TTL-based auto-expiry in the data store; because the principle applies to every copy of the data, the same retention bound has to cover any replicas, backups, or logs that hold the ciphertext. Client-side AES-256-GCM encryption and a zero-knowledge server architecture serve integrity and confidentiality: the decryption key never reaches Vaulted's infrastructure, so the server holds only ciphertext and cannot read shared plaintext. That matters for breach handling as well. Article 34(3)(a) waives the duty to notify affected individuals when the data was rendered unintelligible to anyone not authorized to access it, with encryption as the standard example, although the supervisory authority must still be notified under Article 33 unless the breach is unlikely to result in a risk.
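The view-limited, TTL-bounded, client-side-encrypted flow described above, modelled end to end in Go. This is an added illustration, not Vaulted's code: EncryptSecret and DecryptSecret stand in for the client, Store for the server, and the function names, the in-memory map, and the assumption that the key travels in the URL fragment rather than to the server are this example's own choices. It also shows the two failure modes a practitioner checks for: a wrong key or a tampered blob is rejected by the GCM tag instead of decrypting to garbage, and unread secrets that have expired are purged by a sweep rather than lingering until someone happens to request them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

var ErrNotFound = errors.New("secret not found") // expired, fully viewed, or never stored

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSecret is the client side: a fresh 256-bit key and 96-bit nonce per secret.
// Only blob (nonce || ciphertext || tag) is uploaded; the key stays with the sender
// (assumed here to travel in the URL fragment, which browsers never send to a server).
func EncryptSecret(plaintext []byte) (key, blob []byte, err error) {
	buf := make([]byte, 32+12)
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	return key, gcm.Seal(nonce, nonce, plaintext, nil), nil // Seal appends to its dst
}

// DecryptSecret is the recipient side; a wrong key or a tampered blob fails the tag check.
func DecryptSecret(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

type record struct {
	blob      []byte
	expiresAt time.Time
	viewsLeft int
}

// Store is the server side: ciphertext plus retention metadata, no key material.
// It is single-goroutine for brevity; a real service must make Get's read-and-decrement
// atomic, or two concurrent readers can both receive a one-view secret.
type Store struct{ recs map[string]*record }

func NewStore() *Store { return &Store{recs: map[string]*record{}} }

// Put files a blob under an unguessable id with a TTL and a view limit.
func (s *Store) Put(blob []byte, ttl time.Duration, maxViews int) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := hex.EncodeToString(raw)
	s.recs[id] = &record{blob: blob, expiresAt: time.Now().Add(ttl), viewsLeft: maxViews}
	return id, nil
}

// Get burns one view; the record is deleted on its last view, or on access once expired.
func (s *Store) Get(id string) ([]byte, error) {
	r, ok := s.recs[id]
	if !ok || !time.Now().Before(r.expiresAt) {
		delete(s.recs, id)
		return nil, ErrNotFound
	}
	r.viewsLeft--
	if r.viewsLeft <= 0 {
		delete(s.recs, id)
	}
	return r.blob, nil
}

// Sweep is the TTL job. Lazy expiry in Get alone would leave unread ciphertext in
// the store forever, which is exactly what storage limitation forbids.
func (s *Store) Sweep() int {
	purged := 0
	for id, r := range s.recs {
		if !time.Now().Before(r.expiresAt) {
			delete(s.recs, id)
			purged++
		}
	}
	return purged
}
```

A sender calls EncryptSecret, uploads only blob with Put, and hands key to the recipient by a path the server never sees; the recipient fetches the blob with Get and calls DecryptSecret. Once the configured views are used up or the TTL has passed, Get returns ErrNotFound, and a periodic Sweep removes anything that was never fetched, so the store holds neither plaintext nor stale ciphertext.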