GDPR-Aligned Document Management — with Data Residency Enforcement, Retention Controls, Data Subject Rights Workflows, and Processing Audit Trails on AWS Infrastructure You Control
The General Data Protection Regulation (GDPR) and UK GDPR impose specific obligations on how organisations collect, process, store, and delete personal data — including personal data contained in documents. Every document that contains a name, an address, an employee number, a customer identifier, or any other information that relates to an identified or identifiable person is a document that GDPR governs. And the regulation doesn't just require that personal data be protected — it requires that organisations can demonstrate how it's protected, where it's stored, why it's retained, and how long it will be kept.
FormKiQ provides document management on AWS with the data residency controls, retention enforcement, data subject rights workflows, and processing audit trails that GDPR requires — deployed into your own AWS account in the European region you select. Your personal data stays in your environment, in your region, encrypted with your keys, and governed by retention policies and access controls you define and audit.
What GDPR Requires for Document Management
GDPR is built on seven core principles that govern all personal data processing. For document management, each principle translates into a specific operational requirement — and crucially, the accountability principle (Article 5(2)) means organisations must not just comply, but demonstrate compliance through documented evidence. This is where most document management platforms fall short. They may protect data, but they don't produce the evidence trail that GDPR accountability demands:
| GDPR Principle | Article | Document Management Requirement | FormKiQ Capability |
|---|---|---|---|
| Lawfulness, fairness, transparency | Art. 5(1)(a) | Process personal data lawfully; document the legal basis for processing | Metadata schemas for recording legal basis per document or document collection; processing audit trails |
| Purpose limitation | Art. 5(1)(b) | Collect personal data for specified, explicit purposes; don't process for incompatible purposes | Classification by purpose; access controls limiting who can access documents and for what purpose |
| Data minimisation | Art. 5(1)(c) | Collect only personal data adequate, relevant, and limited to what is necessary | Document-level metadata supporting minimisation reviews; AI-powered sensitivity classification |
| Accuracy | Art. 5(1)(d) | Keep personal data accurate and up to date | Document versioning; rectification workflows |
| Storage limitation | Art. 5(1)(e) | Retain personal data only as long as necessary for the purpose | Configurable retention policies with automatic enforcement and defensible disposition |
| Integrity and confidentiality | Art. 5(1)(f) | Protect personal data against unauthorised processing, loss, destruction, or damage | KMS encryption, ABAC, audit trails, antivirus scanning |
| Accountability | Art. 5(2) | Demonstrate compliance with all of the above | Complete audit trails, retention evidence, access logs, processing records — all within your AWS account |
Data Residency and Regional Deployment
GDPR requires that personal data of EU residents is protected regardless of where it is processed — and many organisations interpret this as requiring that personal data remain within the EU or EEA. FormKiQ supports this through regional deployment on AWS.
All FormKiQ components — document storage (S3), metadata (DynamoDB), search indexes (OpenSearch), audit logs (CloudTrail), and AI processing (Bedrock with inference region controls) — deploy to the region you select. Personal data does not leave your chosen region unless you explicitly configure cross-region access.
| AWS Region | Location | GDPR Context |
|---|---|---|
| eu-central-1 | Frankfurt, Germany | GDPR + German BDSG; preferred for German data localisation requirements |
| eu-west-1 | Ireland | GDPR; common choice for EU-wide deployments |
| eu-west-2 | London, UK | UK GDPR post-Brexit; suitable for UK-specific data residency |
| eu-west-3 | Paris, France | GDPR + French CNIL requirements |
| eu-north-1 | Stockholm, Sweden | GDPR + Nordic data protection requirements |
| eu-south-1 | Milan, Italy | GDPR + Italian healthcare and financial services requirements |
Data Subject Rights and Document Management
GDPR grants data subjects specific rights that directly affect document management. Fulfilling these rights requires the ability to search across document repositories by data subject identifier, compile responsive documents, execute corrections or deletions, and produce audit evidence of each action taken. Organisations that manage personal data in unstructured storage — shared drives, email, or SaaS attachments — struggle to fulfil these rights reliably because they cannot systematically identify which documents contain a given individual's personal data. FormKiQ's metadata and search architecture makes data subject rights operationally achievable:
| Data Subject Right | Article | What It Requires | FormKiQ Support |
|---|---|---|---|
| Right of access | Art. 15 | Provide the data subject with a copy of their personal data and information about how it is processed | Full-text and metadata search by data subject identifier across the repository; document compilation workflows; governed delivery |
| Right to rectification | Art. 16 | Correct inaccurate personal data without undue delay | Document versioning; rectification workflows with audit trail recording the correction, reason, and timestamp |
| Right to erasure | Art. 17 | Delete personal data when no longer necessary, consent withdrawn, or processing unlawful | Erasure request workflows; targeted deletion with audit-logged disposition; legal hold override where retention obligations apply |
| Right to restriction | Art. 18 | Restrict processing in specified circumstances (accuracy contested, processing unlawful, etc.) | Metadata-based restriction flags; access controls that limit processing while maintaining storage |
| Right to data portability | Art. 20 | Provide personal data in a structured, commonly used, machine-readable format | API-based export; structured metadata export; standard document formats |
| Right to object | Art. 21 | Object to processing based on legitimate interests or direct marketing | Processing restriction workflows; classification-based processing controls |
Erasure vs. Retention
The right to erasure does not override legal retention obligations. FormKiQ manages this through configurable rules:
- Erasure-eligible documents — documents where no overriding retention obligation exists are deleted with audit-logged disposition when an erasure request is validated
- Retention-protected documents — documents subject to legal, contractual, or regulatory retention obligations are retained with the erasure request documented alongside the retention justification
- Partial erasure — where only some personal data within a document needs to be erased, redaction or anonymisation workflows can be applied with audit trail
Records of Processing Activities (ROPA)
GDPR Article 30 requires organisations to maintain records of processing activities — a comprehensive register documenting what personal data is processed, why, by whom, for how long, and with what safeguards. Maintaining a ROPA in a spreadsheet is common but fragile — it disconnects the register from the actual processing activities it describes. FormKiQ's metadata and audit trail architecture allows ROPA elements to be derived from the platform's own operational data rather than maintained as a separate, manually updated register:
| ROPA Element | Article 30 Requirement | FormKiQ Support |
|---|---|---|
| Purposes of processing | Describe the purposes for which personal data is processed | Classification metadata recording the purpose per document collection |
| Categories of data subjects | Identify whose personal data is processed | Metadata schemas for data subject categories (employees, customers, patients, applicants) |
| Categories of personal data | Identify what types of personal data are processed | AI-powered sensitivity classification; metadata tagging for data categories |
| Recipients | Identify who receives personal data | Access audit trails recording who accessed each document; distribution logs |
| Transfers to third countries | Document any transfers outside the EU/EEA | Data residency enforcement; regional deployment controls; transfer documentation |
| Retention periods | Describe how long personal data is retained | Configurable retention policies by document type and purpose; retention schedule documentation |
| Security measures | Describe technical and organisational security measures | Encryption (KMS), ABAC, audit trails, antivirus — all documented in deployment configuration |
AI Processing and GDPR
AI processing of documents containing personal data raises specific GDPR concerns — particularly around data residency during processing, third-party data sharing, automated decision-making, and purpose limitation. These concerns have caused some organisations to avoid AI-powered document processing entirely, which means they miss the operational benefits of automated classification, extraction, and analysis. FormKiQ addresses each of these concerns through Amazon Bedrock's architecture, which keeps all AI processing within your AWS account under your regional and purpose controls:
| GDPR Concern | How FormKiQ Addresses It |
|---|---|
| Data residency during AI processing | Inference region controls specify which AWS regions are used for Bedrock processing — keeping personal data within your selected EU/EEA region |
| No third-party data sharing | AI processing runs within your AWS account through Bedrock — personal data is not sent to external AI services or shared with third parties |
| Personal data identification | AI-powered sensitivity classification identifies documents containing personal data at the point of ingestion — enabling appropriate classification and access controls |
| Automated decision-making transparency | AI outputs (classification, extraction, analysis) include confidence scores and are routable to human review queues — supporting Article 22 requirements for meaningful human oversight |
| Purpose limitation for AI processing | AI processing can be configured per document type and workflow — ensuring personal data is not processed by AI beyond the specified purpose |
Compliance Documentation
GDPR's accountability principle means that compliance isn't just about implementing the right controls — it's about maintaining evidence that those controls exist, are documented, and are being followed. This evidence takes the form of specific document types that supervisory authorities expect to see during investigations or audits. FormKiQ manages these compliance documents within the same governed platform that manages the personal data they relate to, creating a self-reinforcing evidence chain:
| Documentation Type | What It Covers | FormKiQ Support |
|---|---|---|
| Data protection policies | Organisational policies governing personal data handling | Policy lifecycle management with version control, approval workflows, and acknowledgment tracking |
| Data protection impact assessments (DPIAs) | Assessment of processing activities that present high risk to data subjects | DPIA documents stored with version control, review tracking, and retention |
| Consent records | Evidence of data subject consent where consent is the legal basis | Consent documents stored as governed records with timestamp, consent scope, and withdrawal tracking |
| Data processing agreements (DPAs) | Agreements with processors governing personal data handling | DPA lifecycle management — drafting, approval, eSignature, obligation tracking |
| Breach notification records | Documentation of personal data breaches, impact assessments, and notification to authorities and data subjects | Incident documentation workflows with required elements and timeline tracking |
| Training records | Evidence that workforce members have been trained on data protection | Training acknowledgment tracking per employee |
Who Uses GDPR Document Management on AWS
GDPR applies to any organisation that processes personal data of individuals in the EU or EEA — regardless of where the organisation itself is located. This means that the regulation's document management requirements extend to multi-national corporations, financial institutions, healthcare providers, technology companies, research institutions, and public sector bodies across the globe. The common thread is the need for document management infrastructure that can enforce data residency, demonstrate accountability, and operationalise data subject rights:
| Organisation Type | GDPR Document Management Needs | Key Drivers |
|---|---|---|
| Multi-national corporations | Employee, customer, and vendor personal data across EU/EEA operations; cross-border data transfer management | GDPR + national implementations; multi-jurisdiction data residency |
| Financial services | Client personal data in KYC, account, and transaction documentation; regulatory correspondence | GDPR + national financial regulatory requirements |
| Healthcare organisations | Patient personal and health data in clinical, administrative, and research documentation | GDPR + national health data legislation |
| Technology and SaaS | Customer personal data in service delivery; employee data across EU operations; data processing agreement management | GDPR; customer DPA requirements; SOC 2 |
| Higher education and research | Student, staff, and research subject personal data; research ethics compliance | GDPR; national education legislation; research ethics frameworks |
| Public sector | Citizen personal data in service delivery, regulatory, and administrative documentation | GDPR + national public sector data protection requirements |
| Professional services | Client personal data in engagement documentation; multi-jurisdiction client files | GDPR; professional regulatory requirements; client confidentiality |
FormKiQ Editions for GDPR Document Management
| Capability | Core | Essentials | Advanced | Enterprise |
|---|---|---|---|---|
| Document Storage (S3) & API | ✓ | ✓ | ✓ | ✓ |
| Tagging, Search & Classification | ✓ | ✓ | ✓ | ✓ |
| OCR (Tesseract) | ✓ | ✓ | ✓ | ✓ |
| OCR & IDP (Textract) | | ✓ | ✓ | ✓ |
| SSO (SAML — Entra, Google, Auth0) | | ✓ | ✓ | ✓ |
| Workflows, Queues & Rulesets | | ✓ | ✓ | ✓ |
| Encryption (KMS — in-transit & at-rest) | | ✓ | ✓ | ✓ |
| Document Control & Versioning | | ✓ | ✓ | ✓ |
| Antivirus & Anti-Malware | | ✓ | ✓ | ✓ |
| AI Processing & Sensitivity Classification (Bedrock) | | | ✓ | ✓ |
| Document Generation | | | ✓ | ✓ |
| eSignature Integration | | | ✓ | ✓ |
| Enhanced Full-Text Search (OpenSearch) | | | ✓ | ✓ |
| Inference Region Controls | | | ✓ | ✓ |
| Multi-Instance & Multi-Region Licensing | | | ✓ | ✓ |
| Vendor-Managed & Hybrid Deployment | | | | ✓ |
| Custom SLAs & Compliance Consulting | | | | ✓ |
| Support | Community (Slack & GitHub) | Support Portal (2-business-day SLA) | Private Slack + videoconference + 40 hrs onboarding | Rapid response (8-business-hour SLA) + strategic architecture support |
Deployment Models
| Model | Description | Availability |
|---|---|---|
| Customer-Managed AWS | Deploys directly into your AWS account via CloudFormation. Full control of infrastructure, networking, encryption keys, and operations. | All editions |
| Vendor-Managed | FormKiQ manages the AWS infrastructure on your behalf — deployment, updates, and operational support. | Enterprise |
| Hybrid | You retain control of specific components (encryption keys, network config) while delegating operational management to FormKiQ. | Enterprise |
Every deployment is a dedicated, isolated instance. FormKiQ does not operate a shared multi-tenant environment.
Getting Started
FormKiQ Core can be deployed to your AWS account in an EU region in fifteen to twenty minutes. GDPR-aligned capabilities — including KMS encryption, ABAC, AI-powered sensitivity classification, inference region controls, and data subject rights workflows — are available on FormKiQ Essentials, Advanced, and Enterprise.
Frequently Asked Questions
Is FormKiQ GDPR-certified?
There is no formal GDPR certification. GDPR compliance is the responsibility of data controllers and processors — demonstrated through the implementation of appropriate technical and organisational measures. FormKiQ provides the technical measures (encryption, access controls, audit trails, data residency enforcement, retention controls) and supports the organisational measures (policies, DPIAs, processing records, data subject rights workflows) within a platform deployed in your own AWS account in your chosen EU region.
Where is personal data stored?
Personal data is stored in Amazon S3 within your own AWS account, in the AWS region you select. FormKiQ supports six EU regions (Frankfurt, Ireland, London, Paris, Stockholm, Milan). All components — storage, metadata, search indexes, audit logs, and AI processing — deploy to your selected region.
How does FormKiQ handle the right to erasure?
FormKiQ supports erasure request workflows that identify documents containing the data subject's personal data, evaluate whether overriding retention obligations apply, execute deletion for erasure-eligible documents with audit-logged disposition, and document the retention justification for any documents that cannot be erased. Partial erasure through redaction or anonymisation is also supported.
How does FormKiQ support cross-border data transfers?
FormKiQ's regional deployment ensures personal data remains in your selected EU region. For organisations that need to manage documents across regions (EU and non-EU operations), multi-instance and multi-region licensing on Advanced and Enterprise editions allows separate deployments in different regions — with each instance containing only the personal data appropriate for that region.
Can FormKiQ process personal data with AI while maintaining GDPR compliance?
Yes. FormKiQ's AI processing through Amazon Bedrock runs within your AWS account with inference region controls that keep personal data within your selected EU region. AI processing can be configured per document type and purpose, supporting purpose limitation. AI outputs include confidence scores and can be routed to human review, supporting Article 22 transparency requirements. Personal data is not shared with external AI services.