Data Protection Impact Assessment — Vendor Response
Aligned to the ICO DPIA template and the EDPB DPIA template (v1, April 2026) · last reviewed 27 May 2026
Under GDPR Art. 35, the controller is responsible for completing a Data Protection Impact Assessment when processing is likely to result in a high risk to the rights and freedoms of natural persons. As Glassbreak is a processor, we cannot complete your DPIA for you — but we can pre-answer every question that depends on what we do, how we do it, and where, so that your Data Protection Officer can drop our responses directly into your workbook.
This page tracks the structure of both the ICO DPIA template(the 7-step UK template published by the Information Commissioner's Office) and the EDPB DPIA template (v1, April 2026) used across the EEA. Where the two templates ask the same question with different wording, we answer once.
Template alignment overview
ICO ↔ EDPB template mapping
4 met1 partial2 n/a
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| ICO Step 1 | Identify the need for a DPIA | N/A | Controller-side framing. We provide the technical description below to support the screening checklist. |
| ICO Step 2 / EDPB §1 | Describe the processing (nature, scope, context, purpose) | Met | Full description below: data categories, volumes, geography, special-category position, purpose, novel technology. |
| ICO Step 3 / EDPB §6 | Consultation (internal, external, data subjects, DPO) | Met | Internal: engineering + security + legal at architecture changes. External: automated daily probes, pen test in flight. Data subjects: via controller. SA consultation only if residual high risk. |
| ICO Step 4 / EDPB §2 | Assess necessity and proportionality | Met | Lawful basis, data minimisation, accuracy, storage limitation, information to data subjects, support for data-subject rights, Art. 28 processor compliance — answered below. |
| ICO Step 5 / EDPB §3 | Identify and assess risks | Met | Three EDPB feared events (illegitimate access, unwanted modification, disappearance) assessed in tables below with risk-source mapping. |
| ICO Step 6 / EDPB §4 | Measures envisaged to address risks | Partial | Mitigations in place today; tracked enhancements (SSO/SCIM, tamper-evident audit log, BYOK, mounted erasure route, external pen test, SOC 2) listed at end. |
| ICO Step 7 / EDPB §5 | Sign off and record outcomes | N/A | Controller-side activity. We supply this page as the vendor section, signed PDF on request, DPA, sub-processor list, and the in-product compliance reports. |
Do you need a DPIA?
A DPIA is mandatory under GDPR Art. 35(3) for systematic and extensive evaluation of personal aspects (profiling) producing legal or similarly significant effects; large-scale processing of special-category data or criminal-conviction data; or systematic monitoring of publicly accessible areas on a large scale.
The ICO and most national supervisory authorities additionally publish lists of operations always requiring a DPIA. Using Glassbreak as a secrets-management or emergency-comms platform does not automatically trigger any of these per se — but the controller may still choose to complete a DPIA voluntarily, and many enterprise procurement processes require one for any vendor handling authentication credentials. The honest answer for most customers is: a lightweight DPIA is a good idea; a full DPIA is required only if you plan to enter special-category data, monitor staff systematically, or otherwise trigger Art. 35(3).
ICO Step 2 / EDPB §1 — Describe the processing
Nature of the processing
6 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| NAT-1 | What is collected | Met | Account identifiers, authentication artefacts (Argon2id hash, TOTP secret, WebAuthn public keys), org/team metadata, IP + UA in audit logs, and the encrypted ciphertext of any payload the controller submits. |
| NAT-2 | Plaintext content seen by processor | Met | None. All customer-submitted content is encrypted on the data subject's device with AES-256-GCM before transmission. |
| NAT-3 | Collection channel | Met | Directly from data subject via app.glassbreak.io (web), iOS/Android, or the JSON API. No brokers, lists, or scraping. |
| NAT-4 | Storage location | Met | Per-vertical PostgreSQL (Neon aws-us-east-1; Scaleway Managed DB fr-par). Ciphertext in AWS S3 + Scaleway Object Storage. Audit logs per-vertical. |
| NAT-5 | Retention | Met | Life of subscription + 30-day post-termination window + statutory (7y billing, 12m security telemetry). Encrypted ciphertext on processor-owned schedule. |
| NAT-6 | Deletion mechanism | Met | Self-service erasure route mounted (audit finding C-12 resolved). Cryptographic erasure for shared secrets; account deletion via /legal/data-request. |
Scope of the processing
5 met3 n/a
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| SCO-1 | Nature of the data | Met | Identifying data, authentication artefacts, organisational metadata, encrypted payload data (opaque ciphertext to the processor). |
| SCO-2 | Volume | Met | Proportionate to the controller's use — typically one account per workforce member plus chosen secret/contact/message records. |
| SCO-3 | Frequency | Met | On-demand (read/write triggered by user actions) plus continuous (background sync, backup, smoke tests). |
| SCO-4 | Duration | Met | For the life of the subscription. |
| SCO-5 | Geographical area | Met | Primarily EU (Scaleway fr-par) and US (AWS us-east-1). EU-direct surface (glassbreak.cloud) keeps data end-to-end within the EU. |
| SCO-6 | Special-category data (Art. 9) | N/A | The Service is not designed for special-category data. Controller is responsible for the content it submits; processor cannot inspect encrypted ciphertext. |
| SCO-7 | Criminal-conviction data (Art. 10) | N/A | Same as Art. 9. |
| SCO-8 | Children's data | N/A | Not directed at children under 16; we do not knowingly process children's data. |
Context of the processing
6 met1 partial1 n/a
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| CTX-1 | Source of the data | Met | Directly from the data subject or their employer (the controller). |
| CTX-2 | Relationship with data subjects | Met | Employer-employee or vendor-customer where the controller has designated the data subject as a Glassbreak user. |
| CTX-3 | Data-subject control over their data | Partial | Export and erasure available; deletion typically routed via controller. Direct DSR action by processor only if controller does not respond. |
| CTX-4 | Would data subjects expect this use? | Met | Yes — using a credential-management / emergency-comms platform is a normal workforce expectation; consent via employment relationship + controller privacy notice. |
| CTX-5 | Vulnerable groups | N/A | Not designed for vulnerable groups. Controller is responsible for verifying age and capacity of provisioned users. |
| CTX-6 | Prior supervisory-authority concerns | Met | None. No SA finding has been issued against Glassbreak. |
| CTX-7 | Novel technology | Met | Hybrid post-quantum encryption (RSA-OAEP-8192 + ML-KEM-1024) and multi-cloud HMAC-signed cross-origin sync. Intended to REDUCE risk to data subjects but relatively new in commercial deployment. |
| CTX-8 | State of the art | Met | Techniques meet or exceed the state of the art for SaaS credential storage and multi-party recovery. |
ICO Step 4 / EDPB §2 — Necessity and proportionality
Necessity and proportionality
8 met2 partial1 n/a
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| NEC-1 | Lawful basis (Art. 6) | Partial | Typically Art. 6(1)(b) and 6(1)(f); 6(1)(c) for audit logs in regulated sectors. Controller is responsible for selecting and documenting. |
| NEC-2 | Special-category basis (Art. 9) | N/A | Not designed for special-category data. |
| NEC-3 | Processing achieves its purpose | Met | 22 DR scenarios and the daily security-posture snapshot provide ongoing evidence. |
| NEC-4 | Less-intrusive alternative considered | Met | Pure local storage = no recovery if device lost; paper envelopes = no audit trail, low scalability; single-admin vault = key-person risk. Quorum-recoverable encrypted-share model is least-intrusive that satisfies the operational requirement. |
| NEC-5 | Data minimisation | Met | Processor processes only what controller submits. No enrichment, profiling, or augmentation from third-party sources. Encrypted ciphertext opaque to processor. |
| NEC-6 | Accuracy | Met | Controller controls accuracy of submitted data. Data subjects can correct their profile via /secure/settings. |
| NEC-7 | Storage limitation | Met | Documented retention policy; deletion routes implemented; cryptographic erasure used wherever possible. |
| NEC-8 | Information provided to data subjects | Partial | Controller responsible for its privacy notice. Glassbreak's /privacy covers processor's own processing of controller administrative contacts. |
| NEC-9 | Data-subject rights support | Met | Access, rectification (in-product), erasure (data-request route), restriction (org suspension), portability (export route), objection (controller is primary; processor supports). |
| NEC-10 | Art. 28 processor compliance | Met | Covered by the DPA at /legal/dpa. |
| NEC-11 | International transfers (Chapter V) | Met | SCCs Module 2, UK IDTA, Swiss FADP addendum incorporated per the DPA. |
ICO Step 5 / EDPB §3 — Identify and assess risks
The EDPB methodology assesses three categories of feared events: illegitimate access to data, unwanted modification of data, and disappearance of data. For each, we identify the risk sources, the potential impact, the likelihood, and the residual risk after Glassbreak's technical and organisational measures.
Feared event 1 — Illegitimate access to personal data
2 met2 n/a
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| FE1-Src | Risk sources | N/A | External attacker (credential-stuffing, phishing, exploited vulnerability), malicious insider, accidental misconfiguration, compromised sub-processor. |
| FE1-Imp | Worst-case impact | N/A | For encrypted content: none from the processor (zero-knowledge). For administrative metadata: disclosure of org structure and access patterns; reputational impact and follow-on phishing of named individuals. |
| FE1-Mit | Mitigations in place | Met | Argon2id (t=4, m=128MB, p=2); TOTP + WebAuthn MFA; refresh-token rotation with family-based reuse detection; rate limiting; refresh-token pepper; EdDSA-with-kid JWT verify; TLS 1.2+; HSTS preloaded; least-privilege admin access; admin actions audited; coordinated disclosure programme. |
| FE1-Res | Residual risk | Met | Low for encrypted content (zero-knowledge); moderate-low for administrative metadata. |
Feared event 2 — Unwanted modification of personal data
2 met2 n/a
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| FE2-Src | Risk sources | N/A | Bug in application code, malicious insider, replay or tampering of in-flight messages, cross-vertical sync corruption. |
| FE2-Imp | Worst-case impact | N/A | Data subjects locked out; tampered audit log; corrupted encrypted ciphertext (unrecoverable but not disclosed). |
| FE2-Mit | Mitigations in place | Met | All write APIs require authentication; per-org row-level isolation; audit log on every state-changing action; AES-256-GCM authenticated encryption (tampering fails decryption); cross-vertical sync HMAC-signed (per-vertical keys, documented rotation); PR review + CI; OpenTofu plan-and-review; 22 DR scenarios test sync correctness, tampering, out-of-order delivery. |
| FE2-Res | Residual risk | Met | Low. |
Feared event 3 — Disappearance of personal data
2 met2 n/a
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| FE3-Src | Risk sources | N/A | Accidental deletion (user or processor), backup failure, single-region outage, full sub-processor failure, ransomware against shared storage. |
| FE3-Imp | Worst-case impact | N/A | Loss of access to operational secrets at the moment they are most needed; inability to recover the audit log. |
| FE3-Mit | Mitigations in place | Met | Multi-cloud topology with cross-vertical sync; per-vertical encrypted backups with integrity verified nightly; quorum-based secret recovery survives single-vertical failure; soft-delete with cryptographic erasure (recoverable for 30 days on request); DR scenarios 1, 2, 4, 6, 21, 22 test recovery paths. |
| FE3-Res | Residual risk | Met | Low. |
EDPB risk-source catalogue
3 met
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| RS-IH | Internal human risk sources | Met | Glassbreak personnel: least-privilege access, audit logging, background checks, contractual obligations. Controller's own personnel: managed by controller. |
| RS-EH | External human risk sources | Met | Third-party attackers: technical security measures above. Compromised sub-processor personnel: contractual obligations + monitoring of sub-processor incidents. |
| RS-NH | Non-human risk sources | Met | Software bugs: code review, CI testing, dependency scanning, disclosure programme. Hardware failure: serverless platform redundancy + multi-cloud. Natural disaster: geographic separation between AWS us-east-1 and Scaleway fr-par. Regulatory / political: EU-direct surface for EU-only jurisdiction. |
ICO Step 6 / EDPB §4 — Measures to reduce risk
The mitigations in the tables above are all in production today. The following are tracked enhancements that will further reduce residual risk:
Tracked enhancements (not yet in place)
1 met2 partial3 gap
| Ref | Requirement | Status | How we meet it / gap |
|---|---|---|---|
| TE-SSO | SSO and SCIM provisioning | Partial | SSO in flight (api/common/src/api/auth/sso.ts). Reduces administrative-metadata risk by automating deprovisioning on workforce changes. SCIM provisioning to follow. |
| TE-AUD | Tamper-evident audit log | Partial | In flight. Append-only triggers + hash chain + S3 Object Lock mirror under active development. |
| TE-BYOK | Customer-managed envelope keys (BYOK) | Gap | Enterprise roadmap. Removes the cryptographic-trust dependency on Glassbreak for the master envelope. |
| TE-DEL | Mounted self-service erasure route | Met | Done — audit finding C-12 resolved. |
| TE-PEN | External penetration test | Gap | In flight. Engagement and remediation cadence on the SOC 2 readiness plan. |
| TE-SOC | SOC 2 Type II | Gap | In flight; see /trust/soc-2 for current phase. |
ICO Step 7 / EDPB §5 — Sign off and record outcomes
Sign-off is a controller-side activity. To support it, we provide:
- This page as the vendor-side response, refreshed quarterly and on material change.
- A copy of this response in signed PDF form for inclusion in your DPIA workbook, on request to compliance@glassbreak.io.
- The DPA at /legal/dpa as the Art. 28 instrument.
- The sub-processor list at /legal/sub-processors.
- The technical detail at /technology/encryption and /technology/distributed.
- The internal compliance reporting available to controllers via
/secure/compliance.
Glassbreak-side DPO contact
- Privacy and DPIA queries: privacy@glassbreak.io
- Compliance and procurement-questionnaire support: compliance@glassbreak.io
- Security incidents and vulnerability reports: security@glassbreak.io (also see /trust/disclosure)
- Legal contact: legal@glassbreak.io
What we will not do in a DPIA response
- Sign your DPIA on your behalf. Article 35 places the obligation on the controller; we cannot accept that responsibility.
- Provide a generic "DPIA approved" certificate. No such instrument exists under the GDPR.
- Misrepresent residual risk. Where a mitigation is not yet in place we will say so on this page.
- Disclose detailed cryptographic configuration that would constitute reconnaissance for an attacker. We will describe behaviour at a level appropriate to a DPIA without publishing specific cipher suites by version, internal hostnames, or rotation timestamps. NDA-bound detail is available for auditors on request.
If your DPIA workbook requires a specific question to be answered that is not covered here, please email privacy@glassbreak.io with the question text and template reference; we will respond within 3 business days and add the answer to this page if it has general utility.