
On this page

  • Overview
  • Document processing pipeline
  • Privacy Request Manager storage
  • Compliance Hub storage
  • Authentication and access control
  • Webhook integrations
  • What we store
  • Data retention
  • Infrastructure
  • Compliance

Security

How Ghost keeps your data safe.

Last updated April 2026

Overview

Ghost is a privacy compliance platform with document redaction, an Article 30 Register, a Privacy Request Manager (DSAR Manager), and a Compliance Hub (incident register, DPIAs, third-party register, legitimate interest assessments, retention schedules, consent records, training records, and policy management). Security architecture varies by tool and plan tier. This page describes how each component handles your data.

Document processing pipeline

Ghost offers two processing paths:

  • Manual redaction (all tiers, including Free, whenever cloud detection is off): You draw redaction boxes in the browser. Document content is never sent through our detection pipeline. Export renders entirely in your browser.
  • Cloud-assisted detection (Pro/Team, when enabled for your organisation): Documents are encrypted in the browser before upload. Encrypted payloads are processed in isolated, ephemeral workers using vision models (page images) with PDF text-layer matching and OCR fallback where needed. Workers are stateless — document content is auto-deleted immediately after processing. Detection results are returned for review in the browser. Final redacted exports render and download in your browser.

In both paths, we do not retain unmasked PII text or OCR output from the detection pipeline. When cloud-assisted detection is enabled, encrypted document bytes may be stored to support processing, save/resume, and linked workflows. Redaction session metadata (file name, page count, detection counts, masked previews, and box coordinates) may also be stored. Final redacted exports from the redaction tool are not stored unless you add them to another workflow, such as a privacy request response pack.

Privacy Request Manager storage

  • Case metadata: Stored in our encrypted EU database. Includes requester details, deadlines, task assignments, correspondence records, and append-only audit logs with actor email.
  • Response packs: Only already-redacted response packs are stored (never originals), including multi-file packs linked to redaction sessions. Files are encrypted at rest in S3-compatible storage and delivered to individuals via time-limited signed URLs.
  • Identity verification documents: Encrypted at rest, retained only for the duration of the case, and purged by automated retention crons.

Compliance Hub storage

All Compliance Hub data is stored in our encrypted EU database, scoped to your organisation and protected by the same row-level security policies as other platform data.

  • Incident register: Incident narratives, severity classifications, Article 33/34 notification drafts, DPC notification deadlines, optional links to privacy request cases, and append-only event logs.
  • Impact assessments (DPIAs): Assessment records, identified risks, mitigations, links to Article 30 register activities, approval status, and event history.
  • Third-party register: Third-party details, agreement status, and contact information.
  • LIAs, retention schedules, consent records, training records, and policy documents: Stored in the EU database with organisation-scoped access.
  • Compliance pack exports: Org-wide compliance ZIPs are generated on demand and fetched with a time-limited download token. Only a hash of the token is stored in the database, so a copy of the export table alone does not yield a usable download link. Expired exports are purged automatically.

Authentication and access control

We use magic link authentication (no passwords). Sessions are stored in HTTP-only cookies. API calls are authenticated server-side. Organisation membership and role-based access (Admin, Operator, Read-only) are enforced via row-level security policies at the database level.

On the Team plan, role permissions can be customised with escalation guards that prevent granting powers above a role's tier ceiling. Where enabled, client-level access control restricts team members to specific clients or matters within the organisation.
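One way to implement the escalation guard described above, as an added example rather than Ghost's own code: each base role has a tier, each permission has a minimum tier, and a customised role may only be granted permissions at or below its own tier. The tier ordering, the permission names and their required tiers are assumptions for this illustration; the extra rule that an actor must outrank or equal the role they edit is also an assumption, not something the page states.

```python
"""Escalation guard for customisable role permissions.

Added illustration, not Ghost's code. Assumed: tiers Read-only < Operator
< Admin, the hypothetical permission catalogue, and the actor-rank rule
in customise_role.
"""
from enum import IntEnum


class Tier(IntEnum):
    READ_ONLY = 1
    OPERATOR = 2
    ADMIN = 3


ROLE_TIER = {
    "Read-only": Tier.READ_ONLY,
    "Operator": Tier.OPERATOR,
    "Admin": Tier.ADMIN,
}

# Hypothetical permission catalogue: the minimum tier each permission needs.
PERMISSION_TIER = {
    "case.view": Tier.READ_ONLY,
    "case.edit": Tier.OPERATOR,
    "case.close": Tier.OPERATOR,
    "export.compliance_pack": Tier.OPERATOR,
    "member.invite": Tier.ADMIN,
    "role.customise": Tier.ADMIN,
    "webhook.configure": Tier.ADMIN,
}


class EscalationError(ValueError):
    """Raised when a grant would exceed a role's tier ceiling."""


def guarded_permissions(role: str, requested: set[str]) -> set[str]:
    """Return `requested` if every permission sits within role's ceiling.

    Unknown permission names are rejected outright: a typo must fail loudly
    rather than be silently dropped or treated as a wildcard.
    """
    ceiling = ROLE_TIER[role]
    unknown = sorted(p for p in requested if p not in PERMISSION_TIER)
    if unknown:
        raise EscalationError(f"unknown permissions: {unknown}")
    above = sorted(p for p in requested if PERMISSION_TIER[p] > ceiling)
    if above:
        raise EscalationError(f"{role} (tier {int(ceiling)}) cannot hold: {above}")
    return set(requested)


def customise_role(actor_role: str, target_role: str,
                   requested: set[str]) -> set[str]:
    """Apply the guard for a customisation request.

    Assumed extra rule (not on the page): an actor may only edit roles at
    or below their own tier, so nobody can hand out more than they hold.
    """
    if ROLE_TIER[actor_role] < ROLE_TIER[target_role]:
        raise EscalationError(f"{actor_role} cannot edit {target_role}")
    return guarded_permissions(target_role, requested)


if __name__ == "__main__":
    print(customise_role("Admin", "Operator", {"case.view", "case.close"}))
    try:
        customise_role("Admin", "Operator", {"case.view", "member.invite"})
    except EscalationError as exc:
        print("blocked:", exc)
```

The guard reports every offending permission at once rather than the first it finds, which makes a rejected request easy to correct, and the check lives on the server side of the customisation call so a crafted request body cannot bypass it.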

Webhook integrations

Pro and Team plan organisations can configure outbound webhook integrations to Slack, Microsoft Teams, or custom HTTPS endpoints. Webhook endpoint URLs are stored as vault-backed secrets. Delivery logs (event type, timestamp, HTTP status) are retained for debugging and retry. Event payloads contain case or breach metadata — you are responsible for the data handling practices of third-party destinations you configure.

What we store

  • Account email and organisation details for authentication and access control.
  • Signup details (email, firm size).
  • Usage counts, keyed by a hash of IP address and browser fingerprint, for quota enforcement.
  • Redaction session metadata (file name, hash, page count, masked PII previews, detection counts, box coordinates).
  • For cloud-assisted sessions, encrypted uploaded document bytes referenced by storage path for processing, save/resume, and linked workflows.
  • Privacy request case metadata, tasks, audit logs (with actor email), correspondence records, and notification preferences.
  • Privacy request response packs and identity verification documents (encrypted, in S3).
  • Processing inventory records.
  • Compliance Hub records: incident register, DPIAs, third-party entries, LIAs, retention schedules, consent records, training records, policy documents, and compliance pack download tokens.
  • Client/matter records including regulatory profile fields (supervisory authority, breach export boilerplate) and optional client membership assignments.
  • Webhook integration configuration (vault-backed secrets) and delivery logs.
  • Org-level audit logs recording administrative operations with actor email and timestamps.
  • Team member emails and role assignments.

We do not retain unmasked PII text or OCR output from the detection pipeline. Final redacted PDFs from the redaction tool are not stored unless you add them to another workflow, such as a privacy request response pack.

Data retention

  • Cloud-assisted redaction uploads (Pro/Team): Encrypted document bytes may be stored while the session remains active to support processing, save/resume, and linked workflows. Worker-side processing content is deleted when detection completes. Uploaded encrypted files are removed by session deletion and retention cleanup flows.
  • Privacy request data: Retained per your organisation's configured retention period. Automated crons purge expired cases, identity documents, and response packs. Deadline reminders run separately.
  • Redaction sessions: Retained while your account is active. Automated session retention crons purge old sessions. You can delete sessions manually at any time.
  • Compliance Hub data: Retained while your account is active. Compliance pack exports are purged automatically after their download token expires. Breach DPC reminder crons run independently.
  • Account data: Deleted upon account deletion request.

Infrastructure

  • Database: EU-hosted, encrypted at rest and in transit, with row-level security.
  • AI detection workers: Ephemeral and isolated, processing client-encrypted payloads for optional AI-assisted detection.
  • File storage: Encrypted at rest, access-controlled via time-limited signed URLs.
  • Payments: PCI DSS–compliant payment processor.
  • Email: Transactional email provider for notifications, privacy request correspondence, and breach DPC reminders.
  • Error monitoring: Application error tracking for service reliability.

A current list of specific sub-processors is available on request — see our Privacy Policy.

Compliance

Our architecture is designed to support GDPR and CCPA workflows with bounded processing, minimal data collection, automated retention and deletion where configured, role-based access control with customisable permissions, client-level access scoping, append-only audit logs, org-wide compliance pack exports, and EU-hosted infrastructure. The processing model is intended to help privacy teams document sub-processors and controls for Article 30 register and DPIA purposes.

© 2026 Ghost. All rights reserved.