Audit-ready evidence.
Before the auditor asks.
The same processing activity, the same vendor, the same incident has to answer to GDPR, sectoral rules, customer security questionnaires, and the next board paper. Ghost records the fact once and produces the framework-specific view on demand.
EU-hosted · Append-only audit log · One source for the evidence customers, auditors, and regulators ask for.

The compliance lead operating loop
Map. Operate. Evidence. Answer.
Each framework wants its own copy. Each copy drifts. You spend the gap between audits reconciling. Ghost records the fact once and reads framework-specific views off the same record — quarterly review becomes confirmation, not discovery.
Step 01
Map activities, vendors, incidents
Article 30 register at the centre. Third-Party Register for processors and sub-processors. Breach Register for incidents. Each fact recorded once, with relationships preserved.
Step 02
Operate against statutory clocks
DSARs through a branded intake with identity verification and Article 12 deadlines tracked. DPIAs with structured sign-off. Breach Register with the Article 33 clock.
Step 03
Evidence continuously
Every change to every record is timestamped and immutable. Sign-off chains move faster because evidence is already assembled. The audit log is the canonical record.
Step 04
Answer on demand
Export the evidence pack a customer questionnaire wants, the artefact set an auditor needs, or the board paper for the next quarterly review — from the same source operations maintains.
Article 30 register at the centre
One record. Many views.
Processing activities aligned to Article 30, with lawful basis under Articles 6 and 9, retention schedules, vendor relationships, and DPIA links. When a customer questionnaire asks how a specific data flow is governed, the answer is already linked together.
- Lawful basis and Article 9 condition per activity
- Retention schedules linked to activities
- Vendor and processor links from the activity
- PDF and Excel export for customer questionnaires

Third-Party Register and DPIAs
Vendor posture and assessments — joined up.
Processors and sub-processors with transfer mechanisms, contractual clauses, due-diligence artefacts, and renewal dates. Each vendor links to the activities it touches and the incidents it has been involved in. DPIAs and LIAs sit alongside, tied to the same activities.
- Vendor posture per processing activity
- Transfer mechanism per vendor (SCCs, DPF, etc.)
- Due-diligence and renewal tracking
- DPIAs and LIAs tied to activities

Breach Register, DSARs, and append-only audit log
Evidence that survives an audit, a complaint, and a procurement review.
Incidents logged against the Article 33 timeline with notification status, affected categories, and remediation tracking. Subject access requests through a branded intake with identity verification, deadline tracking, and time-limited delivery. One append-only audit log across everything.
- Breach Register with Art. 33 timeline tracking
- DSAR workflow with manual + AI-assisted redaction
- Append-only timeline per record
- Audit pack export for any framework view
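To make concrete what "append-only" and "immutable" should mean when a practitioner evaluates any audit log, here is an added illustration in Python. It is not Ghost's code and does not describe Ghost's implementation: each entry commits to the previous entry's hash, so an edit or deletion made outside the append path is detected by a verifier. The class, field and function names and the sample events are constructed for this example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry (assumed convention)


def _digest(entry):
    # Hash every field except the hash itself, serialised canonically so the
    # same content always yields the same digest regardless of dict order.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


class AppendOnlyLog:
    """In-memory hash-chained log: each entry commits to its predecessor."""

    def __init__(self):
        self._entries = []

    def append(self, ts, record_id, actor, change):
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {
            "seq": len(self._entries),
            "ts": ts,
            "record_id": record_id,
            "actor": actor,
            "change": change,
            "prev_hash": prev,
        }
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return entry["hash"]

    def entries(self):
        # Deep copy so callers cannot mutate the log through the returned list.
        return copy.deepcopy(self._entries)


def verify_chain(entries):
    """Return (True, n) if intact, else (False, i) for the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_hash"] != prev or _digest(e) != e["hash"]:
            return (False, i)
        prev = e["hash"]
    return (True, len(entries))


def timeline_for(entries, record_id):
    """The per-record view: every change touching one record, in order."""
    return [e for e in entries if e["record_id"] == record_id]


def build_sample_log():
    # Constructed sample events; not data from any real workspace.
    log = AppendOnlyLog()
    log.append("2024-03-01T09:00:00Z", "ROPA-0001", "dpo",
               {"field": "lawful_basis", "new": "Art 6(1)(b)"})
    log.append("2024-03-02T10:30:00Z", "BR-0001", "ops",
               {"field": "status", "new": "open"})
    log.append("2024-03-02T11:00:00Z", "ROPA-0001", "dpo",
               {"field": "retention", "new": "6y"})
    return log


def tampered_copy(entries, index, new_change):
    # Simulate an after-the-fact edit that bypassed append(): the content
    # changes but the stored hash does not, so verification fails there.
    edited = copy.deepcopy(entries)
    edited[index]["change"] = new_change
    return edited


def deleted_copy(entries, index):
    # Simulate removing an entry from the middle of the chain.
    edited = copy.deepcopy(entries)
    del edited[index]
    return edited


if __name__ == "__main__":
    ents = build_sample_log().entries()
    print("intact:", verify_chain(ents))
    print("ROPA-0001 timeline:", len(timeline_for(ents, "ROPA-0001")), "entries")
    print("after edit:", verify_chain(tampered_copy(ents, 1, {"field": "status", "new": "closed"})))
    print("after delete:", verify_chain(deleted_copy(ents, 1)))
```

A chain like this detects edits and deletions in the middle of the log, but not truncation of the tail: if the last entries are dropped, the remaining prefix still verifies. That is why an exported evidence pack should carry the head hash (or a signed timestamp over it) to somewhere the log owner cannot silently rewrite, and why a reviewer should ask a vendor how its append-only log is anchored rather than taking "immutable" on trust.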

See it end to end
A short walk-through of the workspace.
Redaction, privacy requests, and the audit log — in about three minutes.
What compliance leads ask us first
Three questions every risk lead raises.
“Does this certify us?”
No. Certification is the auditor's call. Ghost produces the artefacts the audit assesses, exposed as a single evidence pack — the underlying facts the auditor would otherwise ask you to reconstruct.
“Does this replace our GRC tool?”
No. GRC tools sit beside Ghost; Ghost owns the privacy and processing-evidence layer. Outbound webhooks deliver events into GRC, ITSM, or SIEM destinations on the DPO Team plan.
“What about Article 32?”
Ghost contributes specific controls — EU hosting, encryption at rest and in transit, append-only audit log, time-limited disclosure links, configurable retention. It does not on its own constitute Article 32 compliance.
Pricing
Plans for compliance functions of every size.
Start free. Bring the team into the same workspace as the programme matures.
Free
Try the inventory and a single request before you commit.
- 1 active case
- Manual redaction (PDF, up to 5 pages/file)
- 10 redactions per month
- 1 Article 30 register entry
Solo DPO
For a single compliance lead running the privacy and evidence layer.
- Unlimited cases and redactions
- AI-assisted PII detection
- Full Compliance Hub (DPIAs, LIAs, breach, third-party)
- €39/mo billed annually (save 20%)
DPO Team
For compliance, privacy, security, and audit sharing the work.
- Up to 10 seats (€10/extra seat)
- Role-based access (Admin, Operator, Read-only)
- Outbound webhooks for GRC / SIEM / ITSM
- External auditors can be invited
- €119/mo billed annually
Compare every feature on the full pricing page.
The next questionnaire won't wait for your next reconciliation.
Keep one record, read off many views. 30-day free trial — no credit card, EU-hosted.
The regulatory landscape compliance leads operate in
For organisations processing personal data, the accountability principle in Article 5(2) of Regulation (EU) 2016/679 (GDPR) sets the tone for the whole role: the controller must be able to demonstrate compliance, not merely achieve it. Article 24 puts that obligation on the controller in operational terms; Article 30 defines the record of processing that is, in practice, the central evidence artefact a compliance lead is asked for first.
Article 32 covers the security of processing — encryption, integrity, availability, and the ability to restore. Ghost contributes specific controls (EU hosting, encryption in transit and at rest, append-only audit log, time-limited disclosure links, configurable retention) but does not, on its own, constitute compliance with Article 32. Article 33 governs breach notification timelines, and Article 35 governs when a DPIA is required.
In the UK, the equivalent regime is the UK GDPR and the Data Protection Act 2018, supervised by the ICO. Sectoral supervisors — the FCA and PRA in UK financial services, HHS OCR in US healthcare, the CNIL in France, the DPC in Ireland — layer their own evidence expectations on top of the privacy baseline. Ghost does not provide legal advice.