Privacy at platform scale.
Tenant-aware.
You're a controller of your customers' employees and a processor of their end users on the same day, against the same backend. Ghost is built for the split — public intake, controller and processor flows kept separate, and a sub-processor register you can point customers at.
EU-hosted · Append-only audit log · Outbound webhooks · Configurable deadlines per regime.

The platform privacy workflow
Intake. Scope. Redact. Deliver.
End users hit the intake form. The case routes to the right flow — controller or processor, GDPR or CCPA. Ghost holds the deadline, the redaction, the disclosure, and the audit trail customers and procurement keep asking about.
Step 01
Intake (per regime)
Branded, embeddable intake forms with the right deadline rules per matter — one-month GDPR on one, 45-day CCPA on another. Identity verification before disclosure.
Step 02
Scope: controller or processor
Requests against the platform's own data run as controller flows. Requests forwarded by a customer against their tenant run as processor flows — customer named, tenant scoped, response routed back.
Step 03
Redact inside the export
Mask end-user identifiers, third parties, and free-text personal data caught up in the response pack. AI-assisted detection on Solo DPO and DPO Team; manual redaction on every plan.
Step 04
Deliver and evidence
Time-limited disclosure link. Append-only audit log of every step. Outbound webhooks (DPO Team) for SIEM, chat, or ITSM destinations.
Public intake for end users
A request route that scales past a shared inbox.
Branded, embeddable intake that sits on your platform's privacy page or trust centre. End users select the request type. Deadlines are configurable per intake form so a single deployment handles multiple regimes without the operator remembering which is which.
- Brandable, embeddable intake form
- Identity verification before any disclosure
- Configurable deadlines per regime
- Tenant scoping and processor routing

Redaction inside the response pack
Free-text PII caught and cleared, in your browser.
Upload CSV exports, PDF reports, free-text fields. Ghost detects names, identifiers, and contact details inline. PDF rendering and redaction are client-side; files do not leave the browser. AI-assisted detection on Solo DPO and DPO Team for first-pass review.
- PDFs, CSV exports, scanned documents
- AI-assisted PII detection on Solo DPO and DPO Team
- Client-side rendering — files stay in your browser
- Rationale captured next to every redaction

Sub-processor register and audit log
Procurement answers from the same source ops maintains.
The Third-Party Register holds your sub-processors, data categories, regions, and transfer mechanisms. The Article 30 register covers controller and processor sides. Append-only audit log on every intake, identity check, disclosure, and register update.
- Sub-processor register you can point customers at
- Article 30 register for controller and processor flows
- Append-only audit log per case and per record
- Webhook export to SIEM, chat, or ITSM (DPO Team)

See it end to end
A short walk-through of the workspace.
Redaction, privacy requests, and the audit log — in about three minutes.
What platform teams ask us first
Three questions every SaaS privacy lead raises.
“Does this handle our processor side?”
Yes. Requests forwarded by a customer against their tenant run as processor flows — customer named, tenant scoped, response routed back. Controller and processor flows share infrastructure but stay separated.
“Can we plug events into our own systems?”
On DPO Team. Workspace events are delivered outbound to Slack, Teams, or a custom HTTPS endpoint of your choice. Endpoint URLs are vault-stored secrets; delivery is logged.
“What about our sub-processor list?”
The Third-Party Register holds your sub-processors, data categories, regions, and transfer mechanisms. The list customers are pointed at during procurement is the same list ops maintains. One source.
Pricing
Plans for SaaS at every stage.
Start free. Scale when end-user volume — or customer procurement — requires it.
Free
Run a single end-user request end-to-end before you commit.
- 1 active case
- Manual redaction (PDF, up to 5 pages/file)
- 10 redactions per month
- 1 Article 30 register entry
Solo DPO
For a single privacy or trust lead running the programme themselves.
- Unlimited cases and redactions
- AI-assisted PII detection
- Article 30 register + append-only audit log
- €39/mo billed annually (save 20%)
DPO Team
For privacy, ops, support, and security sharing the response work.
- Up to 10 seats (€10/extra seat)
- Role-based access (Admin, Operator, Read-only)
- Outbound webhooks for SIEM / chat / ITSM
- Sub-processor register + DPA evidence pack
- €119/mo billed annually
Compare every feature on the full pricing page.
DSAR redaction at platform scale
Practical guidance on running end-user privacy requests across controller and processor flows — written for SaaS operations teams.
The next security questionnaire is in someone's inbox.
Stand up the surface customers and end users actually use. 30-day free trial — no credit card, EU-hosted.
The regulatory landscape platform teams operate in
The General Data Protection Regulation (Regulation (EU) 2016/679) sets the baseline most SaaS platforms work to. Article 4 defines the controller and processor roles the platform sits in simultaneously; Article 28 sets the contractual obligations between them and is the basis for the data processing addendum customers ask to sign. Articles 12 and 15 set the access workflow and its one-month default, Article 30 the records of processing, Article 33 the 72-hour breach notification, and Article 35 the DPIA. In the UK, the Data Protection Act 2018 sets the domestic regime, supervised by the ICO.
In the United States, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) sets a separate workflow with a 45-day default response window, administered by the California Privacy Protection Agency (CPPA). Other state regimes have followed and now sit alongside it — Colorado, Connecticut, Virginia, Utah, Texas, and others. Ghost supports configurable deadlines per intake form so a single platform can route requests under each regime without a separate intake for each.
Ghost does not provide legal advice. The mapping between a platform's product, its customer base, and the regimes that apply is a question for the privacy lead and counsel.