Privacy ops, inside your control framework.
The privacy team's claims rest on controls the security team runs — residency, encryption, audit logging, egress, incident response. Ghost is built to sit inside that model, not around it: a privacy workspace whose evidence surfaces map to the questions a security review actually asks.
EU-hosted · Append-only audit log · Webhook event stream · Time-limited signed links · RLS-enforced access.

Where security gets pulled in
Land. Operate. Audit. Egress.
New privacy tool? Has to clear the framework. DSAR? Needs data the privacy team doesn't directly administer. New system? DPIA wants technical review. Breach? Privacy and security have to interoperate without losing the trail. Ghost is designed to land inside the model, not bolt around it.
Step 01
Land in the control framework
EU hosting, encryption at rest and in transit, RLS-enforced access, signed and time-limited disclosure links, append-only per-org audit log. The control surface your review process already evaluates.
Step 02
Operate without privileged access
The privacy team runs the workspace. No agents on your hosts. No privileged access to your infrastructure. Webhook events flow outbound to systems you control.
Step 03
Audit on demand
Every action — case state, redactions, disclosures, register edits, DPIA sign-offs — is timestamped and append-only. The log is the canonical record when an internal review, regulator, or incident response asks how a decision was made.
Step 04
Egress is controlled
Response packs delivered via signed, time-limited URLs — not by emailing the file. Links revoked or re-issued as needed. Disclosure is an observed egress point, not an attachment that left the perimeter unobserved.
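The signed, time-limited disclosure link described in Step 04 is a standard pattern, and the following is an added illustration of it, not Ghost's own code. It assumes a server-side HMAC key, a hypothetical base URL (`example.invalid`), and a per-link id so that a single link can be revoked or re-issued without touching the others; the verifier checks the signature before the expiry so that a tampered expiry is logged as tampering rather than as a stale link.

```python
"""Time-limited, revocable signed links for disclosure packs (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical delivery base URL; assumed for this example only.
BASE_URL = "https://example.invalid/disclosures"


def _canonical(pack_id: str, link_id: str, exp: int) -> bytes:
    # Fixed field order: the signature binds the pack, the link id and the expiry.
    return f"{pack_id}\n{link_id}\n{exp}".encode()


def _sign(key: bytes, pack_id: str, link_id: str, exp: int) -> str:
    return hmac.new(key, _canonical(pack_id, link_id, exp), hashlib.sha256).hexdigest()


def issue_link(key: bytes, pack_id: str, ttl_seconds: int,
               now: Optional[int] = None, link_id: Optional[str] = None) -> str:
    """Return a URL that is valid for ttl_seconds and carries its own link id."""
    now = int(time.time()) if now is None else now
    link_id = link_id or secrets.token_urlsafe(16)
    exp = now + ttl_seconds
    sig = _sign(key, pack_id, link_id, exp)
    return f"{BASE_URL}/{pack_id}?" + urlencode({"lid": link_id, "exp": exp, "sig": sig})


def verify_link(key: bytes, url: str, revoked: Set[str],
                now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, pack_id) on success or (False, reason) for the egress log."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    pack_id = parsed.path.rsplit("/", 1)[-1]  # pack ids are assumed to contain no '/'
    q = parse_qs(parsed.query)
    try:
        link_id, exp, sig = q["lid"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = _sign(key, pack_id, link_id, exp)
    # Signature first: an altered expiry must show up as tampering, not as "expired".
    if not hmac.compare_digest(expected, sig):
        return False, "bad-signature"
    if now >= exp:
        return False, "expired"
    if link_id in revoked:
        return False, "revoked"
    return True, pack_id


def reissue_link(key: bytes, pack_id: str, old_link_id: str, ttl_seconds: int,
                 revoked: Set[str], now: Optional[int] = None) -> str:
    """Revoke one link id and hand out a fresh link for the same pack."""
    revoked.add(old_link_id)
    return issue_link(key, pack_id, ttl_seconds, now=now)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    revoked: Set[str] = set()
    url = issue_link(key, "pack-42", ttl_seconds=600)
    print(url)
    print(verify_link(key, url, revoked))
```

Every failed verification returns a reason string rather than a bare `False`, which is what an egress log wants to record: a stale link, a revoked one and a tampered one are different events for an incident reviewer.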
Append-only audit log
Per-org, immutable, scoped.
Every action in the workspace is written to a timestamped, append-only event log scoped to your organisation. The log is the canonical record when a regulator, an internal auditor, or your own incident response asks how a decision was made.
- Append-only per-org event log
- Case state, redactions, disclosures, register edits
- DPIA sign-offs and identity verification recorded
- Audit pack export on demand
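As an added example of what a per-org, append-only event log of the kind described above has to provide, the code below (not Ghost's implementation) keeps each organisation's events in sequence and hash-chains every entry to its predecessor, so an exported audit pack can be checked for gaps or edits after the fact. Hash chaining goes beyond the "append-only" wording on the page and is this example's own assumption; the organisation id, actors and action names are constructed sample data.

```python
"""Per-org append-only audit log with a verifiable hash chain (added example)."""
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev digest of the first entry


@dataclass(frozen=True)
class Event:
    seq: int
    org: str
    ts: int
    actor: str
    action: str
    detail: Dict[str, Any]
    prev: str
    digest: str


def _digest(seq: int, org: str, ts: int, actor: str, action: str,
            detail: Dict[str, Any], prev: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    body = json.dumps({"seq": seq, "org": org, "ts": ts, "actor": actor,
                       "action": action, "detail": detail, "prev": prev},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


class AuditLog:
    """One log per organisation; entries are only ever appended."""

    def __init__(self, org: str) -> None:
        self.org = org
        self._events: List[Event] = []

    def append(self, actor: str, action: str, detail: Dict[str, Any], ts: int) -> Event:
        seq = len(self._events)
        prev = self._events[-1].digest if self._events else GENESIS
        ev = Event(seq, self.org, ts, actor, action, dict(detail), prev,
                   _digest(seq, self.org, ts, actor, action, detail, prev))
        self._events.append(ev)
        return ev

    def events(self) -> Tuple[Event, ...]:
        return tuple(self._events)

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        last_ts = 0
        for i, ev in enumerate(self._events):
            if ev.seq != i or ev.org != self.org or ev.prev != prev or ev.ts < last_ts:
                return False, i
            if ev.digest != _digest(ev.seq, ev.org, ev.ts, ev.actor, ev.action, ev.detail, ev.prev):
                return False, i
            prev, last_ts = ev.digest, ev.ts
        return True, None

    def export_pack(self) -> str:
        """Audit pack: JSON lines of every event, ending with the chain head."""
        lines = [json.dumps(dataclasses.asdict(ev), sort_keys=True) for ev in self._events]
        head = self._events[-1].digest if self._events else GENESIS
        lines.append(json.dumps({"org": self.org, "head": head, "count": len(self._events)}))
        return "\n".join(lines)


def sample_log() -> AuditLog:
    """Constructed sample: a DSAR case moving through redaction and disclosure."""
    log = AuditLog("org-example")
    log.append("dpo@example.invalid", "case.opened", {"case": "DSAR-7"}, ts=1_700_000_000)
    log.append("dpo@example.invalid", "redaction.applied", {"case": "DSAR-7", "pages": 3}, ts=1_700_000_300)
    log.append("dpo@example.invalid", "disclosure.issued", {"case": "DSAR-7", "link": "L1"}, ts=1_700_000_900)
    return log


if __name__ == "__main__":
    log = sample_log()
    print(log.verify())
    print(log.export_pack())
```

The `verify` method is what an auditor or incident responder runs over an exported pack: it catches a reordered, edited or removed entry at the first index where the chain no longer reproduces, which is the property "append-only" has to mean in practice.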

Webhook-based event export
Privacy events into the surfaces you already run.
Workspace events can be delivered outbound to Slack, Microsoft Teams, or a custom HTTPS endpoint on Pro and Team plans. Endpoint URLs are stored as vault-backed secrets; delivery is logged. Where your security team operates its own log aggregation or alerting destination, the privacy event stream points at it.
- Outbound webhooks to Slack / Teams / custom HTTPS
- Vault-backed endpoint secrets
- Delivery is logged
- No Ghost-side privileged access to your infrastructure

Bounded redaction pipeline
Manual stays local. AI stays ephemeral.
Manual redaction is available on every plan and never sends document content through a detection pipeline. AI-assisted detection on Solo DPO and DPO Team runs in isolated, ephemeral workers; unmasked PII text and OCR output are not retained from the detection pipeline. Your security review evaluates the two paths separately.
- Manual redaction: client-side, files stay in your browser
- AI-assisted detection: isolated ephemeral workers
- Unmasked PII / OCR output not retained
- Time-limited signed delivery links as an egress control

See it end to end
A short walk-through of the workspace.
Redaction, privacy requests, and the audit log — in about three minutes.
What security teams ask us first
Three questions every CISO review raises.
“Does this need privileged access to our infra?”
No. Ghost operates as a bounded workspace. Event flow leaves through outbound webhooks you configure and revoke. No agents on your hosts; no inbound access to your environments.
“What does the audit log actually record?”
Per-org, append-only event log. Case state, redactions, disclosures, identity verification, register edits, DPIA sign-offs. The log is the canonical record on every module.
“Where does the AI pipeline retain data?”
It doesn't. AI-assisted detection runs in isolated, ephemeral workers; unmasked PII text and OCR output are not retained from the detection pipeline. Manual redaction never sends content through it at all.
Pricing
Plans that map to control reviews.
Start free. Move to Team for webhooks, RBAC, and the full evidence surface.
Free
Spin up a workspace and evaluate the controls before you commit.
- 1 active case
- Manual redaction (PDF, up to 5 pages/file)
- 10 redactions per month
- 1 Article 30 register entry
Solo DPO
For a security-adjacent privacy lead running the programme themselves.
- Unlimited cases and redactions
- AI-assisted PII detection (ephemeral pipeline)
- Append-only audit log + Article 30 register
- €39/mo billed annually (save 20%)
DPO Team
For security, privacy, and engineering sharing the workspace.
- Up to 10 seats (€10/extra seat)
- Role-based access enforced at the database
- Outbound webhooks (Slack / Teams / custom HTTPS)
- Procurement-friendly evidence pack on request
- €119/mo billed annually
Compare every feature on the full pricing page.
A privacy tool the security team can defend.
Stand up a privacy workspace inside the control framework you already run. 30-day free trial — no credit card, EU-hosted.
The regulatory landscape behind the controls
The reason the security team is in the room at all comes back to a handful of articles in Regulation (EU) 2016/679 (GDPR) and, in the UK, the Data Protection Act 2018. Article 25 requires data protection by design and by default — a system-level obligation that lands directly on architecture choices the security and engineering teams own. Article 32 requires security of processing appropriate to the risk, including the ongoing confidentiality, integrity, availability, and resilience of processing systems.
Articles 33 and 34 set the breach notification timelines — 72 hours to the supervisory authority where feasible, and notification to the data subject without undue delay where the risk is high. The Breach Register in Ghost is where the privacy team's record of an incident lives, with the notification drafts and deadlines attached. It does not replace the security team's own incident management; it links to it.
Supervisory authorities — ICO in the UK, CNIL in France, the Irish DPC for many large platforms — assess controllers against the same article-level obligations regardless of which tools the controller chose to run them in. Ghost does not provide legal advice. It provides the operational surface beneath the legal and security advice the organisation is already getting.