
GDPR-Compliant Document Management

Not just a GDPR checkbox. Every architectural decision — where data lives, how AI processes it, how encryption works — was made with EU law in mind. Because we're an EU company and this is the only way we'd build it.

Last updated: April 2026

Do You Actually Need a GDPR-Compliant DMS?

  • If your business stores documents containing personal data — names, addresses, financial details, employment records — GDPR applies to you. It does not matter whether you have 5 customers or 50,000. Enforcement reached €1.145 billion in fines during 2025 alone, and regulators are increasingly targeting SMEs, not just Big Tech.
  • A GDPR-compliant document management system does not make you compliant by itself. But it removes the technical barriers that make compliance impossible: knowing what data you hold, finding it when asked, controlling who accesses it, and deleting it when required.
  • Bottom line: If you store documents with personal data in Google Drive, Dropbox, or a shared NAS folder, you may have a GDPR problem you are not aware of. A purpose-built DMS with EU hosting, encryption, and audit trails gives you the technical foundation the regulation requires, but the controller obligations (lawful basis, retention decisions, answering data subject requests) remain yours.

The 7 GDPR Principles and What They Mean for Document Management

Article 5 of the GDPR defines seven principles that govern all processing of personal data. Every document management system you use must support these principles — or you are building compliance on a foundation that cannot hold. Here is what each principle means in practice when you store, organize, and retrieve documents containing personal data.

Principle (GDPR Article): document management implication
Lawfulness, fairness, and transparency (Art. 5(1)(a)): You must have a lawful basis for storing each document containing personal data. Your DMS should make it clear what data is stored, why, and how it is processed; audit trails and activity logs serve this transparency requirement.
Purpose limitation (Art. 5(1)(b)): Documents collected for one purpose (e.g., fulfilling a contract) cannot be repurposed without a new lawful basis. Your DMS must not use document content for unrelated purposes, such as training AI models on your data.
Data minimisation (Art. 5(1)(c)): Only store documents that are adequate, relevant, and necessary. A DMS with full-text search and AI classification helps you identify redundant or unnecessary documents and remove them, instead of keeping everything "just in case."
Accuracy (Art. 5(1)(d)): Personal data must be kept accurate and up to date. When a data subject requests rectification under Art. 16, you need to locate every document containing their outdated information. Full-text search across your archive makes this feasible.
Storage limitation (Art. 5(1)(e)): Personal data must not be kept longer than necessary. This requires retention schedules and the ability to find and delete documents by date, type, and data subject. Without a DMS, enforcing retention across scattered folders is practically impossible.
Integrity and confidentiality (Art. 5(1)(f)): Documents must be protected against unauthorized access, accidental loss, or destruction. This means encryption at rest and in transit, role-based access controls, and infrastructure security, not just a password on a shared folder.
Accountability (Art. 5(2)): You must be able to demonstrate compliance, not just claim it. Audit trails that log who accessed which document, when, and what action they took are essential. If a supervisory authority asks for proof, "we follow best practices" is not an answer.

Technical Requirements for GDPR-Compliant Document Management

GDPR does not prescribe specific technologies — Article 32 requires "appropriate technical and organisational measures" based on the state of the art, cost, and risk. In practice, for document management systems handling personal data, four technical capabilities have become the baseline that supervisory authorities expect. The March 2026 EDPB standardized DPIA template (v1.0) reinforces this by requiring controllers to document these exact measures when assessing processing risk.

Encryption at Rest and in Transit

Article 32(1)(a) names encryption of personal data as an appropriate security measure. Industry standard is AES-256 encryption at rest and TLS 1.2+ in transit. Veluvanto uses SSE-C (Server-Side Encryption with Customer-Provided Keys) for data at rest and TLS for all data in transit. Your documents are encrypted from the moment they leave your browser to the moment they are stored. In the S3-style SSE-C model the encryption key is sent with every storage request over TLS, used to encrypt or decrypt that one object, and then discarded: the storage provider persists the ciphertext and a salted hash of the key (so it can reject a mismatched key), but not the key itself, so it cannot decrypt your documents from its side. Two caveats a practitioner should keep in mind: the "customer" in SSE-C is the storage provider's customer, so key custody sits with the application operator rather than with the end user; and because the key travels with each request, the TLS connection to the storage endpoint is part of the trust boundary.
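To make the SSE-C key-handling model concrete, here is an added example, not Veluvanto's code and not any real storage provider's implementation, of an in-memory object store that behaves the way an S3-style SSE-C endpoint does: the key arrives with each request, the store keeps only ciphertext plus a salted HMAC of the key, and a GET with a different key is refused before any decryption is attempted. The store type, object names and sample content are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadKey mirrors the 403 an SSE-C endpoint returns when the supplied key
// does not match the key the object was written with.
var ErrBadKey = errors.New("customer-provided key does not match object")

// storedObject is everything the storage side persists. Note what is absent: the key.
type storedObject struct {
	nonce      []byte
	ciphertext []byte
	keySalt    []byte // random salt for keyMAC
	keyMAC     []byte // HMAC-SHA256(salt, key): enough to reject a wrong key, not to recover it
}

// Store is a hypothetical in-memory SSE-C object store.
type Store struct{ objects map[string]storedObject }

func NewStore() *Store { return &Store{objects: map[string]storedObject{}} }

func macOfKey(salt, key []byte) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write(key)
	return m.Sum(nil)
}

// aeadFor builds AES-256-GCM from a customer key; SSE-C keys are exactly 256 bits.
func aeadFor(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("SSE-C key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext under the key that arrives with this request and keeps
// only ciphertext, nonce and a salted MAC of the key. The object name is bound in
// as associated data so a ciphertext cannot be moved between objects.
func (s *Store) Put(name string, key, plaintext []byte) error {
	aead, err := aeadFor(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	salt := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.objects[name] = storedObject{
		nonce:      nonce,
		ciphertext: aead.Seal(nil, nonce, plaintext, []byte(name)),
		keySalt:    salt,
		keyMAC:     macOfKey(salt, key),
	}
	return nil
}

// Get requires the same key again; a wrong key is refused before decryption.
func (s *Store) Get(name string, key []byte) ([]byte, error) {
	obj, ok := s.objects[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	if !hmac.Equal(obj.keyMAC, macOfKey(obj.keySalt, key)) {
		return nil, ErrBadKey
	}
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, obj.nonce, obj.ciphertext, []byte(name))
}

// KeyAtRest reports whether the raw key appears in anything the store persisted
// for name. For a correct SSE-C store this is always false.
func (s *Store) KeyAtRest(name string, key []byte) bool {
	obj := s.objects[name]
	for _, field := range [][]byte{obj.nonce, obj.ciphertext, obj.keySalt, obj.keyMAC} {
		if bytes.Contains(field, key) {
			return true
		}
	}
	return false
}

func main() {
	s := NewStore()
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	_ = s.Put("invoices/2025-001.pdf", key, []byte("constructed sample document"))
	pt, err := s.Get("invoices/2025-001.pdf", key)
	fmt.Println(string(pt), err)
	_, err = s.Get("invoices/2025-001.pdf", make([]byte, 32))
	fmt.Println("wrong key:", err)
	fmt.Println("key persisted by store:", s.KeyAtRest("invoices/2025-001.pdf", key))
}
```

The salted MAC is the detail that matters for the "keys are not shared" claim: it lets the store tell a wrong key from a right one without retaining anything from which the key could be recovered, and flipping a single byte of the ciphertext makes GCM reject the object rather than return corrupted plaintext.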

Access Controls and Authentication

Article 32(1)(b) requires the ability to ensure ongoing confidentiality of processing systems. In practice, this means role-based access control (RBAC): not everyone in your organization should see every document. Veluvanto implements workspace-level permissions with Admin, Editor, and Viewer roles. Each user authenticates individually — no shared logins, no anonymous access. Every action is tied to a verified identity.

Audit Trails and Processing Records

Article 30 requires controllers (and processors) to maintain records of processing activities: a register of what personal data is processed, for which purposes, which categories of recipients receive it, and the retention periods. That register is something you write; a DMS cannot generate it for you. What the DMS supplies is the evidence layer underneath it: automatic logging of who accessed which document, when, and what action they performed (view, edit, download, delete), which is what the accountability principle (Art. 5(2)) and the Art. 32 security requirements call for. Veluvanto maintains activity logs per workspace for this purpose. These logs are not editable and cannot be deleted by workspace members.
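"Not editable and cannot be deleted by workspace members" is a property you want to be able to verify rather than take on trust. Here is an added example, not Veluvanto's implementation, of the usual technique for that: a hash chain in which each activity record commits to its predecessor, so any edit, deletion or reordering is detected by re-walking the chain. Field names, actors and timestamps are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Event is one audit record: who did what to which document, when.
// PrevHash links it to the previous record; Hash covers every other field.
type Event struct {
	Seq      int    `json:"seq"`
	At       string `json:"at"` // RFC 3339, UTC
	Actor    string `json:"actor"`
	Action   string `json:"action"` // view, edit, download, delete, export
	Document string `json:"document"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash,omitempty"`
}

// genesis is the PrevHash of the first record.
const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// digest hashes the canonical JSON of e with Hash cleared, so the hash commits
// to every other field, including the link to the predecessor.
func digest(e Event) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // struct field order makes the encoding deterministic
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AuditLog is an append-only list of chained events (hypothetical type).
type AuditLog struct{ Events []Event }

func (l *AuditLog) Append(at time.Time, actor, action, doc string) Event {
	prev := genesis
	if n := len(l.Events); n > 0 {
		prev = l.Events[n-1].Hash
	}
	e := Event{
		Seq: len(l.Events) + 1, At: at.UTC().Format(time.RFC3339),
		Actor: actor, Action: action, Document: doc, PrevHash: prev,
	}
	e.Hash = digest(e)
	l.Events = append(l.Events, e)
	return e
}

// Head is the hash of the latest record: the one value to anchor externally.
func (l *AuditLog) Head() string {
	if len(l.Events) == 0 {
		return genesis
	}
	return l.Events[len(l.Events)-1].Hash
}

// Verify walks the chain and returns the 0-based index of the first record that
// fails, or -1 if the log is intact. Edited, deleted and reordered records all
// surface here because the sequence number, the link and the digest are checked.
func (l *AuditLog) Verify() int {
	prev := genesis
	for i, e := range l.Events {
		if e.Seq != i+1 || e.PrevHash != prev || digest(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	l := &AuditLog{}
	t0 := time.Date(2026, 4, 1, 9, 0, 0, 0, time.UTC) // constructed timestamps
	l.Append(t0, "anna@example.com", "view", "contracts/2025-017.pdf")
	l.Append(t0.Add(time.Minute), "bob@example.com", "delete", "contracts/2025-017.pdf")
	fmt.Println("intact, first bad index:", l.Verify(), "head:", l.Head())
	l.Events[1].Action = "view" // an insider tries to hide the deletion
	fmt.Println("after edit, first bad index:", l.Verify())
}
```

A chain like this proves that nothing changed since the point at which you last recorded the head hash; whoever controls the whole store can still rewrite it end to end. That is why the head should be exported periodically to the customer, or written somewhere the log writer cannot modify, and why the promise on this page is scoped to workspace members rather than to the provider.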

Data Processing Agreements and Sub-Processors

Article 28 requires a Data Processing Agreement (DPA) with every processor handling personal data on your behalf. Your DPA is with your DMS provider; the provider in turn must bind its own sub-processors, such as its cloud infrastructure provider and any AI service used for document processing, under equivalent terms (Art. 28(4)) and tell you who they are. Veluvanto's AI processing uses Google's Gemini Enterprise API under a zero-retention data processing agreement: your documents are processed in memory and immediately discarded. They are never stored on Google's servers and never used for model training.

Handling Data Subject Requests: A 4-Step Process

Under GDPR, individuals have the right to access their data (Art. 15), request rectification (Art. 16), demand erasure (Art. 17), and obtain their data in a portable format (Art. 20). You must respond without undue delay and in any event within one month of receiving the request (Art. 12(3)); for complex or numerous requests the deadline can be extended by two further months, but you must tell the data subject within the first month. For businesses relying on email archives, shared drives, or paper filing, even locating all documents related to a single person can take days. A DMS with full-text search reduces that to minutes.

Step 1. Identify: Find Every Document Containing the Data Subject's Information

Search the data subject's name, email address, or other identifiers across your entire document archive. Veluvanto's full-text search covers the contents of every document — including scanned PDFs processed with OCR. This surfaces invoices, contracts, correspondence, and any other document mentioning the individual, regardless of file name or folder location.

Step 2. Review: Assess What Must Be Disclosed, Retained, or Deleted

Not every document must be disclosed or deleted. Legal obligations (tax retention requirements, ongoing contractual obligations) may override the right to erasure under Art. 17(3). Review the search results and categorize: documents to disclose for an access request, documents to delete for an erasure request, and documents you are legally required to retain. Document your reasoning — the accountability principle under Art. 5(2) requires it.

Step 3. Act: Export, Rectify, or Delete, With an Audit Trail

For access requests (Art. 15): export the relevant documents in a commonly used format. Veluvanto's export provides original files plus structured metadata. For rectification (Art. 16): update or replace the inaccurate documents. For erasure (Art. 17): delete the identified documents. Every action — export, edit, deletion — is logged in Veluvanto's activity trail with timestamp and user identity.

Step 4. Confirm: Respond to the Data Subject and Retain Proof of Compliance

Respond to the data subject within the one-month deadline (Art. 12(3)) confirming what action you took. Retain the audit trail entries as proof that you fulfilled the request. If a supervisory authority later investigates, you need to demonstrate not just that you responded, but how you searched, what you found, and what you did about it. The activity log serves as that evidence.
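The identify and review steps above as one added example that is not Veluvanto's code: a search over extracted text that folds case and Czech diacritics so "NOVÁK", "Novák" and "novak" all match, followed by triage that separates documents you must keep under an Art. 17(3)(b) legal obligation from documents you can erase. The documents, the retention table (a 10-year period for invoices) and the request date are constructed and illustrative, not legal advice for any jurisdiction.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Document is the minimum a DMS must expose for a subject-rights search:
// extracted text (OCR included), a category, and the document date.
type Document struct {
	ID       string
	Category string // "invoice", "contract", "email", ...
	Date     time.Time
	Text     string
}

// RetentionRule maps a category to a statutory retention period.
type RetentionRule struct {
	Years  int
	Reason string
}

// retention is a hypothetical schedule; real periods depend on national law.
var retention = map[string]RetentionRule{
	"invoice": {10, "statutory accounting/tax retention (assumed 10 years)"},
}

// diacritics strips the Czech accented letters; extend for other alphabets.
var diacritics = strings.NewReplacer(
	"á", "a", "č", "c", "ď", "d", "é", "e", "ě", "e", "í", "i", "ň", "n",
	"ó", "o", "ř", "r", "š", "s", "ť", "t", "ú", "u", "ů", "u", "ý", "y", "ž", "z",
)

// fold lowercases first (so "Á" becomes "á") and then strips accents.
func fold(s string) string { return diacritics.Replace(strings.ToLower(s)) }

// identify returns every document whose text mentions any of the identifiers.
func identify(docs []Document, identifiers []string) []Document {
	var out []Document
	for _, d := range docs {
		text := fold(d.Text)
		for _, id := range identifiers {
			if strings.Contains(text, fold(id)) {
				out = append(out, d)
				break
			}
		}
	}
	return out
}

// Plan is the outcome of the review step.
type Plan struct {
	Disclose []string          // Art. 15: everything found
	Erase    []string          // Art. 17: found and no longer under a retention obligation
	Retain   map[string]string // Art. 17(3)(b): document ID -> documented reason
}

// triage applies the retention schedule as of now.
func triage(found []Document, now time.Time) Plan {
	p := Plan{Retain: map[string]string{}}
	for _, d := range found {
		p.Disclose = append(p.Disclose, d.ID)
		if r, ok := retention[d.Category]; ok && d.Date.AddDate(r.Years, 0, 0).After(now) {
			p.Retain[d.ID] = r.Reason
			continue
		}
		p.Erase = append(p.Erase, d.ID)
	}
	sort.Strings(p.Disclose)
	sort.Strings(p.Erase)
	return p
}

// sampleDocs is a constructed archive; the third document mentions the subject
// only by e-mail, which is why the search takes several identifiers.
var sampleDocs = []Document{
	{"inv-2025-001", "invoice", time.Date(2025, 3, 2, 0, 0, 0, 0, time.UTC),
		"Faktura 2025-001. Odběratel: Jan NOVÁK, jan.novak@example.com, Praha"},
	{"inv-2014-009", "invoice", time.Date(2014, 1, 15, 0, 0, 0, 0, time.UTC),
		"Faktura 2014-009. Odběratel: Novák Jan (jan.novak@example.com)"},
	{"ctr-2019-004", "contract", time.Date(2019, 6, 1, 0, 0, 0, 0, time.UTC),
		"Smlouva o dílo. Zhotovitel: Jan Novák, Brno"},
	{"mail-2024-077", "email", time.Date(2024, 11, 3, 0, 0, 0, 0, time.UTC),
		"Ahoj Petro, posílám zápis ze schůzky."},
}

func main() {
	now := time.Date(2026, 4, 15, 0, 0, 0, 0, time.UTC) // constructed request date
	found := identify(sampleDocs, []string{"Jan Novák", "jan.novak@example.com"})
	plan := triage(found, now)
	fmt.Printf("disclose: %v\nerase: %v\nretain: %v\n", plan.Disclose, plan.Erase, plan.Retain)
}
```

Two things the example surfaces that a plain file-name search would not: the 2014 invoice is found only through the e-mail address, and it has aged out of the retention period, so it goes to the erase list while the 2025 invoice must be kept and the reason recorded. Inflected forms ("Novákovi", "Novákem") are not matched by substring search, so for Czech and similar languages add the declined variants to the identifier list.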

EU vs US Hosting: Legal Implications for Document Management

The location of your document management servers is not just a technical detail; it is a legal decision with real consequences. Under the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018), US authorities can compel a provider subject to US jurisdiction, which includes US-headquartered companies and their foreign subsidiaries, to hand over data in its possession, custody or control regardless of where the servers are physically located. This means that storing documents with Google Drive, Dropbox, OneDrive, or Notion, all operated by US companies, exposes your data to potential US government access even if the servers are in the EU. The Schrems II ruling (CJEU, July 2020) invalidated the EU-US Privacy Shield on related grounds: US surveillance law (FISA Section 702 and Executive Order 12333) was found to give EU data subjects neither proportionate limits nor effective redress. The EU-US Data Privacy Framework adopted in July 2023 provides a new adequacy decision, but legal challenges are ongoing, and for transfers that rely on standard contractual clauses rather than the framework the European Data Protection Board still expects a transfer impact assessment and supplementary measures.

Veluvanto keeps the storage side of this simple. As a Czech company registered and operating under EU law, Veluvanto stores all data exclusively in EU data centers. There is no US parent company, no US subsidiary, and no corporate structure that would subject stored documents to the CLOUD Act. The one US-headquartered party in the chain is the AI sub-processor: AI processing uses Google's Gemini Enterprise API under a zero-retention agreement, documents are processed in memory in the EU and immediately discarded, and no personal data is stored in the United States at any point. Zero retention narrows the exposure to the moment of processing, but it does not make Google an EU company, so expect it to be named as a sub-processor in the DPA. For organizations that need to demonstrate GDPR compliance to clients, partners, or supervisory authorities, EU-only hosting by an EU-incorporated company is the cleanest legal position available for data at rest.

GDPR Compliance Checklist: How Veluvanto Measures Up

Transparency builds trust. Rather than claiming blanket compliance, here is an honest assessment of how Veluvanto addresses each key GDPR requirement for document management. Where we have gaps, we say so.

Is all data stored within the EU? — Yes. All document storage and backups are in EU data centers. No data leaves the EU. Veluvanto is a Czech company with no US parent entity, so stored data has no CLOUD Act exposure; the AI sub-processor (Google) is the one US-headquartered party in the chain, covered by a zero-retention agreement and EU-region processing.
Is data encrypted at rest and in transit? — Yes. SSE-C (AES-256) at rest: the key is supplied with each storage request and is not retained by the infrastructure provider. TLS for all data in transit.
Can data subjects exercise their rights (access, erasure, portability)? — Yes. Full data export supports portability (Art. 20). Document deletion with audit trail supports erasure (Art. 17). Full-text search enables locating all data related to a specific individual for access requests (Art. 15).
Are document actions logged? — Yes. Activity logs record who accessed, modified, or deleted each document, with timestamps, and cannot be edited or deleted by workspace members. They are the evidence for Art. 5(2) accountability and Art. 32 security. Your Art. 30 record of processing activities (purposes, data categories, recipients, retention periods) is a separate register you maintain; the logs support it but do not replace it.
Does AI processing comply with data protection requirements? — Yes. AI uses Google Gemini Enterprise API with a zero-retention agreement. Documents are processed in memory and immediately discarded — never stored, cached, or used for model training. The system is also designed for EU AI Act compliance.
Are automated retention and deletion policies available? — Not yet. Veluvanto does not currently offer automated retention schedules or time-based deletion rules. You can manually delete documents and use search to identify expired records, but automated enforcement of Art. 5(1)(e) storage limitation is on the roadmap, not yet shipped.
Is Veluvanto ISO 27001 or SOC 2 certified? — No. Veluvanto itself is not ISO 27001 or SOC 2 certified. Our infrastructure provider holds ISO 27001 certification. We implement security measures consistent with these standards but have not undergone independent certification. If your organization requires vendor certification, this is a gap.
Does Veluvanto provide a Data Processing Agreement (DPA) template? — Not as a self-service template. A DPA covering Veluvanto's processing of your data is available on request. We do not currently provide a pre-built DPA template for your own controller-processor relationships with third parties.

When Veluvanto Is Not the Right Choice for GDPR Compliance

Veluvanto is a document management system for freelancers, families, and small businesses. It covers the technical foundation for GDPR-compliant document storage and retrieval. But it is not an enterprise compliance platform, and there are scenarios where it is not sufficient.

You process special category data at scale (Art. 9) — If you handle large volumes of health records, biometric data, genetic data, or data revealing racial or ethnic origin, you need a system with healthcare-grade access controls, dedicated audit infrastructure, and likely sector-specific certifications (e.g., ISO 27799 for health informatics). Veluvanto's access controls are workspace-level, not field-level.
You need automated retention policies with legal hold — If your compliance program requires documents to be automatically deleted after a defined retention period — with exceptions for legal hold during litigation — you need enterprise records management software (e.g., OpenText, M-Files). Veluvanto does not yet support automated retention or legal hold functionality.
Your clients or regulators require ISO 27001 or SOC 2 certification — Some industries and enterprise procurement processes require vendors to hold ISO 27001 or SOC 2 Type II certification. Veluvanto does not have these certifications. If this is a hard requirement in your vendor selection process, Veluvanto will not pass your security questionnaire.

Being honest about limitations is part of building trust. If your needs exceed what Veluvanto offers, we would rather tell you upfront than have you discover it after migrating your documents. For most freelancers, families, and small businesses, Veluvanto provides a strong GDPR-compliant foundation. For regulated enterprises with complex compliance requirements, purpose-built enterprise platforms are the better choice.

Frequently Asked Questions

Where exactly is my data stored?
All data is stored in EU data centers operated by EU-based infrastructure providers. Backups are stored on a separate EU provider. No data — documents, metadata, or AI processing inputs — ever leaves the European Union. Veluvanto is incorporated in the Czech Republic with no US parent company or subsidiary.
Does AI processing send my data outside the EU?
No. AI processing uses Google's Gemini Enterprise API under a zero-retention data processing agreement. Documents are processed in memory and immediately discarded — never stored on Google's servers, never cached, and never used for model training. Processing occurs within the EU.
Can I export all my data if I leave?
Yes. Veluvanto supports full data export under Article 20 (right to data portability). You receive all original documents in their original formats plus structured metadata (tags, dates, extracted entities). Standard formats, no proprietary lock-in, no need to contact support.
Is Veluvanto certified (ISO 27001, SOC 2)?
No. Veluvanto itself does not hold ISO 27001 or SOC 2 certification. Our infrastructure provider is ISO 27001 certified. We implement security measures aligned with these standards — encryption at rest (SSE-C/AES-256), TLS in transit, RBAC, immutable audit logs — but have not undergone independent certification. If vendor certification is a procurement requirement for your organization, this is a gap we are transparent about.
How does Veluvanto compare to US-hosted alternatives for GDPR?
US-hosted services (Google Drive, Dropbox, Notion, Evernote) are operated by US companies subject to the CLOUD Act, which allows US authorities to compel access to data regardless of server location; Schrems II found US surveillance law incompatible with EU fundamental rights. Veluvanto is a Czech company with stored data exclusively in the EU, so for documents at rest only EU law applies and no adequacy decision or supplementary measures are needed. The AI sub-processor is the exception: Google is a US company, mitigated by EU-region processing and zero retention.
What happens in the event of a data breach?
Under Article 33, controllers must notify their supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. Veluvanto's activity logs and access records help you assess the scope of any incident: which documents were affected, who had access, and when. As a processor, Veluvanto must notify you without undue delay after becoming aware of a breach affecting your data (Art. 33(2)), providing the information you need to meet your own notification obligations.
Do I need to conduct a Data Protection Impact Assessment (DPIA) to use Veluvanto?
It depends on the nature and volume of personal data you process. Under Article 35, a DPIA is required when processing is "likely to result in a high risk" to individuals' rights — for example, systematic monitoring or large-scale processing of sensitive data. For most freelancers and small businesses storing invoices, contracts, and business correspondence, a DPIA is not required. The EDPB published a standardized DPIA template (v1.0) in March 2026, which simplifies the process if you do need one.
Does Veluvanto comply with the EU AI Act?
Veluvanto's AI features — document classification, metadata extraction, and the AI assistant — are designed with EU AI Act compliance in mind. The AI system is transparent (you can see what the AI extracted and modify it), does not make autonomous decisions with legal effect, and uses zero-retention processing so your documents are never used for model training. AI usage is logged and auditable.

Stop hunting for documents. Start finding them.

Free to try. No credit card required. Upgrade only when you're ready.

🔒 EU cloud · No credit card · 14-day money-back guarantee