
GDPR

Legal notice

This documentation describes how piler enterprise supports compliance with the EU General Data Protection Regulation (GDPR) from a technical and organizational perspective.

It does not constitute legal advice and does not replace the controller’s obligation to assess its own legal requirements, risks, and compliance measures.

Customers acting as data controllers remain solely responsible for:

  • determining the lawful basis for processing personal data,
  • configuring retention, access, and legal hold policies,
  • responding to data subject requests, and
  • ensuring overall compliance with applicable data protection laws.

piler enterprise acts exclusively on the documented instructions of the controller and provides technical means to support, but not substitute, regulatory and legal decision-making.

GDPR roles and responsibilities

Under the EU General Data Protection Regulation (GDPR), compliance obligations depend on the role of each party involved in the processing of personal data.

Roles

  • Customer (Controller): The customer using piler enterprise acts as the data controller within the meaning of Article 4(7) GDPR. The controller determines the purposes and means of processing personal data contained in archived emails, including:
      • the lawful basis for archiving,
      • retention periods,
      • access policies,
      • and responses to data subject requests.
  • piler enterprise (Processor): piler enterprise acts as a data processor within the meaning of Article 4(8) GDPR by providing software that processes personal data solely on the documented instructions of the controller.

piler enterprise does not determine the purposes for which personal data is processed and does not use archived email content for its own purposes.

Shared responsibility

GDPR compliance depends on the correct configuration, deployment, and use of piler enterprise by the controller, as well as appropriate organizational and technical measures implemented by the controller and/or its service provider.

piler enterprise provides technical and organizational features designed to support GDPR-compliant email archiving, including access control, audit logging, retention management, and data security mechanisms. However, the controller remains responsible for ensuring that the processing of personal data complies with applicable data protection laws.

Data Processing Agreement (DPA)

Where required under Article 28 GDPR, the controller and the processor must enter into a Data Processing Agreement (DPA) governing the processing of personal data when using piler enterprise.

Data Processing Agreement (DPA) summary

In accordance with Article 28 of the GDPR, piler enterprise acts as a data processor on behalf of the customer (data controller) when processing personal data contained in archived emails.

A Data Processing Agreement (DPA) governs this relationship and defines the scope, purpose, and safeguards of the processing activities.

Subject matter and duration of processing

  • The processing concerns the archiving, indexing, storage, search, retrieval, export, and deletion of email messages.
  • Processing takes place for the duration of the customer’s use of piler enterprise and in accordance with the controller’s documented instructions.

Nature and purpose of processing

  • Secure and auditable email archiving
  • Compliance with legal, regulatory, and internal retention requirements
  • E-discovery, investigation, and business continuity
  • Fulfilment of data subject access and erasure requests where applicable

Categories of personal data

Depending on customer usage, archived emails may contain:

  • Identification data (e.g. names, email addresses)
  • Contact details
  • Communication content
  • Attachments and metadata
  • Other personal data included in email correspondence

Categories of data subjects

  • Employees
  • Contractors
  • Customers
  • Business partners
  • Other correspondents of the controller

Processor obligations

piler enterprise commits to:

  • Process personal data only on documented instructions from the controller
  • Implement appropriate technical and organizational measures to protect personal data
  • Ensure confidentiality of processing
  • Support the controller in fulfilling data subject rights
  • Provide audit logging and accountability mechanisms
  • Assist with compliance obligations where technically feasible

Sub-processing

piler enterprise does not engage sub-processors unless explicitly agreed or required by the deployment model chosen by the controller (e.g. hosting provider).

Data transfers

piler enterprise does not transfer personal data to third countries unless configured or instructed by the controller.

Deletion or return of data

Upon termination of use, personal data can be deleted or returned in accordance with the controller’s instructions and applicable legal obligations.

Lawful basis and purpose limitation

The lawful basis for processing personal data within archived emails is determined solely by the data controller.

Typical lawful bases for email archiving include:

  • Compliance with a legal obligation
  • Legitimate interest of the controller (e.g. business continuity, legal defense, regulatory compliance)

piler enterprise does not assess or determine the lawful basis for processing and does not use archived email content for its own purposes.

Purpose limitation

piler enterprise is designed to process personal data exclusively for email archiving–related purposes as instructed by the controller, including:

  • secure storage,
  • search and retrieval,
  • audit and investigation,
  • retention and deletion management.

Archived email data is not analyzed, profiled, or repurposed beyond these functions.

Customer responsibilities

The controller is responsible for:

  • documenting the lawful basis for email archiving,
  • informing data subjects as required under GDPR Articles 13 and 14,
  • defining retention periods,
  • ensuring appropriate internal access policies.

Product safeguards supporting purpose limitation

piler enterprise supports purpose limitation through:

  • role-based access control,
  • least-privilege permissions,
  • separation of operational logs from email content,
  • configuration options that restrict access and functionality to authorized users only.

Usage Data Collection for Licensing and Billing

Piler Enterprise may transmit aggregated usage statistics to our billing servers to support license compliance and billing obligations. Only domain-level statistics (such as domain names, user counts, and email counts) are transmitted; no email content, subjects, senders, recipients, or message-level data are ever sent. All transmissions are encrypted via TLS/HTTPS to ensure data security. The lawful basis for this processing is the performance of the contract (Article 6(1)(b) GDPR). This telemetry supports operational and billing purposes without exposing personal data, and controllers should document this processing in their Records of Processing Activities.

Data minimization and retention management

Under GDPR Article 5(1)(c) and (e), personal data must be adequate, relevant, limited to what is necessary, and retained only for as long as required for the specified purpose.

Retention policies

piler enterprise allows controllers to define and enforce retention policies that determine how long archived email data is stored before deletion or anonymization.

Retention policies may be configured based on:

  • mailbox, domain, or tenant,
  • message age,
  • legal or regulatory requirements,
  • internal company policies.

Retention enforcement is automated and auditable.

Automated deletion and purging

When the purging feature is enabled, piler enterprise periodically removes messages that have exceeded their defined retention period.

Deletion actions are:

  • performed automatically according to policy,
  • logged for auditability,
  • irreversible unless prevented by legal hold.

The legal hold feature allows controllers to prevent deletion of selected email data, even if it would otherwise be eligible for removal under a retention policy.

Legal hold may be applied to:

  • individual mailboxes,
  • users,
  • messages,
  • or cases under investigation.

This ensures compliance with legal obligations while maintaining accountability and traceability.

Right to erasure and selective deletion

Where applicable and permitted by law, piler enterprise supports selective deletion of archived messages containing personal data.

Deletion may be:

  • restricted to authorized roles (e.g. auditor, data protection officer),
  • subject to approval workflows,
  • fully logged to provide proof of erasure.

The controller remains responsible for determining whether an erasure request can be fulfilled or must be refused due to overriding legal obligations.

Data minimization by design

piler enterprise supports data minimization through:

  • configurable retention limits,
  • message-level deletion capabilities,
  • prevention of unauthorized bulk exports,
  • role-based access control limiting unnecessary exposure of personal data.

Retention and deletion features are designed to prevent excessive or indefinite storage of personal data by default.

Data subject rights and DSAR support

Under GDPR Chapter III (Articles 12–23), data subjects have rights regarding access to, portability of, and in certain cases erasure of their personal data.

piler enterprise provides technical features that support controllers in fulfilling these obligations. The controller remains responsible for assessing, responding to, and documenting data subject requests.

Right of access (Article 15)

piler enterprise supports the right of access by enabling authorized users to efficiently locate and review archived emails related to a specific data subject.

Relevant features include:

  • fast full-text search across archived email content and metadata,
  • filtering by sender, recipient, date range, and keywords,
  • role-based access control restricting searches to authorized users only.

All access to archived messages is logged to ensure accountability.

Right to data portability (Article 20)

Where applicable, piler enterprise allows controllers to export personal data contained in archived emails in commonly used electronic formats.

Exported data may include:

  • email messages and attachments,
  • relevant metadata,
  • cryptographic signatures to ensure integrity and authenticity.

Exports are subject to access controls and are fully logged for audit purposes.

Right to erasure (Article 17)

Where erasure is permitted under applicable law and does not conflict with legal retention obligations, piler enterprise supports selective deletion of archived emails containing personal data.

Deletion actions:

  • may be restricted to designated roles (e.g. auditor or data protection officer),
  • may require approval workflows depending on configuration,
  • are logged to provide proof of erasure.

If deletion is prevented due to legal hold or statutory retention requirements, this can be demonstrated through audit logs and retention policies.

Response timelines and accountability

piler enterprise provides audit logging that allows controllers to demonstrate:

  • when a data subject request was handled,
  • which data was accessed, exported, or deleted,
  • which authorized user performed the action.

The controller remains responsible for meeting statutory response deadlines and for communicating with the data subject.

Limitations and controller responsibility

piler enterprise does not independently identify data subjects or initiate responses to requests. The controller is responsible for:

  • verifying the identity of the requester,
  • determining the scope of the request,
  • deciding whether legal exceptions apply,
  • maintaining records of processing activities.

piler enterprise acts solely on the documented instructions of the controller.

Notes

  • Identification of data subjects within archived emails is not automatic and may require contextual analysis by authorized personnel.
  • Search results generated by the system may require human review and validation to confirm relevance and completeness.
  • The completeness of search, export, or erasure results depends on the scope of email ingestion, applicable retention policies, and legal hold constraints.

Regulatory background

Under Article 17 of the GDPR, data subjects have the right to request the erasure of their personal data (“right to be forgotten”). However, this right is not absolute.

Article 17(3) GDPR explicitly permits the continued processing and retention of personal data where such processing is necessary for, among others:

  • compliance with a legal obligation to which the controller is subject, or
  • the establishment, exercise, or defence of legal claims.

In practice, this means that statutory retention obligations, litigation holds, and regulatory investigation requirements may lawfully override erasure requests for specific data sets, provided that the scope and duration of retention are proportionate and documented.


How piler enterprise addresses this conflict

piler enterprise is designed to help controllers balance erasure obligations with legal retention and legal hold requirements in a controlled, transparent, and auditable manner.

The system enforces technical safeguards, while the legal assessment and final decision remain the responsibility of the controller.


1. Controlled erasure of archived emails

Where erasure is permitted under applicable law and no overriding legal obligation exists, piler enterprise supports selective deletion of archived emails containing personal data.

Key characteristics:

  • Erasure actions can be restricted to explicitly authorized roles (e.g. auditor, compliance officer, or data protection officer).
  • Deletion workflows may require explicit approval, depending on organizational policy and system configuration.
  • All erasure actions are logged with user identity, timestamp, and scope of deletion, creating verifiable evidence that the request has been fulfilled.

This enables controllers to demonstrate compliance with valid erasure requests without compromising system integrity or evidential traceability.


2. Legal hold

piler enterprise supports legal hold functionality that prevents deletion of archived emails, even where:

  • messages have exceeded their normal retention period, or
  • a data subject has submitted an erasure request.

When legal hold is active, affected messages are excluded from both manual deletion and automated purging processes.

Legal hold functionality supports compliance with:

  • litigation hold obligations,
  • regulatory or supervisory authority investigations,
  • industry-specific statutory retention requirements.

Legal hold always takes precedence over erasure and automated retention enforcement, consistent with Article 17(3) GDPR.


3. Retention periods and automated purging

Controllers may define retention rules to meet local, national, or industry-specific statutory requirements.

When automated purging is enabled:

  • messages exceeding their configured retention period are removed automatically,
  • deletion actions are logged for auditability,
  • legal hold rules override all purging operations.

This approach minimizes long-term data exposure while ensuring that legally required records remain preserved.
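The precedence rules described in the retention, purging and legal hold passages above (legal hold first, then an authorized erasure request, then expired retention) can be made concrete as a small policy evaluator. The code below is an added example written for this page, not piler enterprise's own code: the policy scopes, the rule that a mailbox policy wins over a domain or tenant policy, the role names and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Roles the page names as typical holders of the erasure privilege.
ERASURE_ROLES = {"auditor", "data protection officer"}

# Retention policy scopes, most specific first. That a mailbox policy wins
# over a domain or tenant policy is an assumption of this example.
SCOPE_ORDER = ("mailbox", "domain", "tenant")


@dataclass(frozen=True)
class RetentionPolicy:
    scope: str   # "mailbox", "domain" or "tenant"
    target: str  # mailbox address, domain name, or "*" for the tenant
    days: int    # keep a message this many days after receipt


@dataclass(frozen=True)
class LegalHold:
    scope: str   # "mailbox", "user", "message" or "case"
    target: str


@dataclass(frozen=True)
class Actor:
    name: str
    role: str
    source_ip: str


@dataclass
class Message:
    msg_id: str
    mailbox: str
    owner: str
    received: datetime
    case_ids: tuple = ()   # investigations this message is tagged with

    @property
    def domain(self):
        return self.mailbox.split("@", 1)[1]


@dataclass
class Decision:
    action: str            # "retain", "purge" or "erase"
    reason: str
    audit: Optional[dict] = None


def audit_entry(user, source_ip, when, action, msg_id):
    """Fields the page lists for an audit record: identity, timestamp, source IP, action, scope."""
    return {"user": user, "source_ip": source_ip, "timestamp": when.isoformat(),
            "action": action, "scope": msg_id}


def active_hold(msg, holds):
    """Return the first legal hold covering this message, or None."""
    for h in holds:
        if (h.scope == "message" and h.target == msg.msg_id) or \
           (h.scope == "mailbox" and h.target == msg.mailbox) or \
           (h.scope == "user" and h.target == msg.owner) or \
           (h.scope == "case" and h.target in msg.case_ids):
            return h
    return None


def applicable_policy(msg, policies):
    """Most specific matching retention policy, or None if nothing matches."""
    for scope in SCOPE_ORDER:
        for p in policies:
            if p.scope != scope:
                continue
            if scope == "tenant" or \
               (scope == "mailbox" and p.target == msg.mailbox) or \
               (scope == "domain" and p.target == msg.domain):
                return p
    return None


def evaluate(msg, policies, holds, now, erasure_by=None):
    """Decide the fate of one message at time `now`.

    Precedence: legal hold > authorized erasure request > expired retention.
    """
    hold = active_hold(msg, holds)
    if hold is not None:
        return Decision("retain", f"legal hold {hold.scope}={hold.target} overrides purge and erasure (Art. 17(3))")
    if erasure_by is not None:
        if erasure_by.role not in ERASURE_ROLES:
            return Decision("retain", f"role '{erasure_by.role}' is not authorized to erase")
        return Decision("erase", "erasure request fulfilled by authorized role",
                        audit_entry(erasure_by.name, erasure_by.source_ip, now, "erase", msg.msg_id))
    policy = applicable_policy(msg, policies)
    if policy is None:
        return Decision("retain", "no retention policy matches; nothing is purged")
    expires = msg.received + timedelta(days=policy.days)
    if now >= expires:
        return Decision("purge", f"{policy.scope} policy ({policy.days} days) expired on {expires.date()}",
                        audit_entry("system:purge", "-", now, "purge", msg.msg_id))
    return Decision("retain", f"retention ends {expires.date()}")


# Constructed sample configuration and messages (not real data).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
RECEIVED = datetime(2024, 1, 1, tzinfo=timezone.utc)
POLICIES = [RetentionPolicy("tenant", "*", 365),
            RetentionPolicy("mailbox", "alice@example.com", 730)]
HOLDS = [LegalHold("case", "INV-2024-07"), LegalHold("mailbox", "bob@example.com")]
MESSAGES = {
    "m-alice": Message("m-alice", "alice@example.com", "alice", RECEIVED),
    "m-carol": Message("m-carol", "carol@example.com", "carol", RECEIVED),
    "m-carol-case": Message("m-carol-case", "carol@example.com", "carol", RECEIVED, ("INV-2024-07",)),
    "m-bob": Message("m-bob", "bob@example.com", "bob", datetime(2023, 1, 1, tzinfo=timezone.utc)),
}
DPO = Actor("dpo", "data protection officer", "10.0.0.21")
END_USER = Actor("alice", "user", "10.0.0.5")

if __name__ == "__main__":
    for mid, msg in MESSAGES.items():
        d = evaluate(msg, POLICIES, HOLDS, NOW)
        print(f"{mid:14} {d.action:7} {d.reason}")
    print(evaluate(MESSAGES["m-alice"], POLICIES, HOLDS, NOW, erasure_by=DPO).action)
```

Running the script shows the four outcomes side by side: the message under a case hold and the message in a held mailbox are retained even though their tenant retention has expired, the unheld expired message is purged with a system audit record, and an erasure request on a fresh message succeeds only when the requesting role is one of the authorized ones. The audit dictionary returned with each purge or erase is what a controller would forward to the audit trail as proof of erasure.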


Backup and disaster recovery implications

Under established GDPR guidance, backup systems are treated differently from live processing environments, provided appropriate safeguards are in place.

piler enterprise supports GDPR-aligned backup handling as follows:

  • Archived emails contained in backups are not actively processed or accessed during normal operation.
  • Backup data is restored solely for disaster recovery or system restoration purposes, not for routine access or search.
  • Upon restoration, applicable retention rules, erasure constraints, and legal hold policies are re-applied automatically.
  • Controllers are expected to define backup retention limits to prevent indefinite storage of personal data.

As a result:

  • Immediate erasure from backup media is not required, provided backups are isolated, secured, and subject to defined retention periods.
  • Any personal data reintroduced during a restore becomes subject to the same GDPR controls as live archived data.

Organizational responsibility

While piler enterprise provides the technical controls necessary to implement erasure, retention, and legal hold policies, the controller remains responsible for:

  • assessing whether an erasure request can be lawfully fulfilled,
  • determining whether Article 17(3) exemptions apply,
  • defining retention schedules and legal hold policies,
  • documenting the legal basis for retaining data where erasure is denied.

piler enterprise enables controllers to demonstrate compliance, but does not replace legal or regulatory decision-making.


Summary

piler enterprise supports GDPR-compliant handling of erasure requests by:

  • enabling auditable deletion of personal data where legally permitted,
  • enforcing legal hold and statutory retention where required,
  • managing purging and backups in a controlled, policy-driven manner.

This provides a balanced, defensible, and regulator-aligned approach to Article 17 compliance in real-world email archiving scenarios.

Security of processing (Article 32 GDPR)

Regulatory background

Article 32 of the GDPR requires controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Confidentiality, integrity, and availability of personal data
  • Protection against unauthorized or unlawful processing
  • Protection against accidental loss, destruction, or damage
  • The ability to demonstrate the effectiveness of security measures

The measures must take into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.

The selection and configuration of these measures should be based on the controller’s risk assessment, taking into account the nature of archived email data, potential impact to data subjects, and threat models relevant to the deployment environment.


Technical security measures implemented in Piler enterprise

Piler enterprise incorporates multiple layers of technical safeguards to protect archived email data throughout its lifecycle.

1. Encryption in transit and at rest

  • Email ingestion is protected using TLS encryption during SMTP transmission
  • External mail collection via POP3 and IMAP supports encrypted connections using TLS and is intended to be used with encryption enabled. Support for unencrypted (plaintext) connections is configuration-dependent and should only be enabled following a documented risk assessment by the controller.
  • All archived emails are encrypted at rest using strong symmetric encryption (AES-256)

These measures protect personal data against interception, disclosure, or manipulation during transmission and storage.


2. Access control and authentication

  • Role-based access control ensures users can only access data they are authorized to view
  • End users are restricted to their own emails, while auditor roles may access broader datasets where permitted
  • Support for two-factor authentication (2FA) using time-based one-time passwords
  • Integration with Single Sign-On (SSO) systems to centralize identity management

This reduces the risk of unauthorized access and supports the principle of least privilege.


3. Integrity and tamper protection

  • Archived messages are stored in a manner that prevents silent modification
  • Exported emails may be cryptographically signed to allow recipients to verify integrity and authenticity outside the archive
  • Audit logs are protected against unauthorized alteration

These mechanisms help ensure the integrity and evidential value of archived communications.


4. Network and service-level protections

  • SMTP access to the archive can be restricted using access control lists
  • The piler SMTP daemon logs relevant transaction metadata for traceability
  • System components log security-relevant events to syslog for centralized monitoring

This supports early detection of misuse or anomalous activity.


Organizational and configuration-dependent measures

Some Article 32 requirements depend on how Piler enterprise is deployed and operated. Organizations are expected to define and implement:

  • User provisioning and de-provisioning procedures
  • Strong password and authentication policies
  • Secure backup and disaster recovery processes
  • Patch management and operating system hardening
  • Incident response and breach notification workflows

Piler enterprise provides the technical foundations, while the controller remains responsible for the surrounding organizational controls.


Risk-based approach

Piler enterprise supports a risk-based security model by allowing customers to:

  • Adjust access controls and approval workflows
  • Limit the number of users with elevated privileges
  • Apply retention and legal hold rules to reduce unnecessary exposure
  • Monitor access and usage through detailed audit logs

This enables organizations to tailor security measures to their specific regulatory and operational risk profile.


Summary

Piler enterprise supports compliance with Article 32 GDPR by providing:

  • Encryption of personal data in transit and at rest
  • Strong authentication and role-based access control
  • Integrity protection and tamper-evident exports
  • Comprehensive logging and monitoring capabilities

Combined with appropriate organizational measures, these features enable a robust and defensible security posture for email archiving under the GDPR.

Accountability, audit logs & evidence (Article 5(2) GDPR)

Regulatory background

Under Article 5(2) GDPR, the controller is responsible for, and must be able to demonstrate compliance with the principles of personal data processing (“accountability”).

In practice, this means organizations must be able to provide verifiable evidence of:

  • Who accessed personal data
  • When and how data was accessed or processed
  • Whether access was lawful and authorized
  • Whether data subject requests (e.g. access or erasure) were properly handled

Audit logs are a key technical measure to support this obligation.


Support for Records of Processing Activities (Article 30 GDPR)

Under Article 30 GDPR, controllers and processors are required to maintain records of processing activities (RoPA) describing how personal data is processed within their organization.

piler enterprise does not generate Records of Processing Activities automatically. However, it provides technical evidence and system metadata that can be used by controllers to support the creation and maintenance of Article 30 documentation.

Relevant supporting elements include:

  • configuration data defining retention policies, legal hold rules, and access roles,
  • audit logs showing how archived email data is accessed, searched, exported, or deleted,
  • system logs documenting ingestion and processing of email messages,
  • documentation of technical and organizational security measures implemented within the system.

These elements may assist controllers in documenting:

  • the categories of personal data processed,
  • the purposes of processing related to email archiving,
  • access controls and recipient categories,
  • retention periods and deletion mechanisms,
  • security measures applied to archived data.

The controller remains fully responsible for maintaining formal Records of Processing Activities and for ensuring their accuracy and completeness. piler enterprise provides technical support for accountability, not legal documentation.


Audit logging in Piler enterprise

Piler enterprise includes comprehensive and tamper-resistant logging mechanisms to support accountability and traceability across the archiving system.

1. Message ingestion and system-level logging

System components log security-relevant and operational events, including:

  • SMTP client IP addresses
  • Email recipients
  • SMTP commands used during message transfer
  • Message-ID and metadata
  • Number of attachments per message

These logs provide traceability for how and when emails enter the archive.


2. Authentication and access logs

The graphical user interface logs all authentication-related events, including:

  • Successful and failed login attempts
  • Username, timestamp, and source IP address
  • Authentication method (where applicable)

This allows organizations to detect unauthorized access attempts and demonstrate controlled access to personal data.


3. User activity audit trail

Piler enterprise maintains a detailed audit trail of user actions within the system, including:

  • Search operations performed by users
  • Viewing of individual emails
  • Export actions
  • Administrative and configuration changes

Each audit entry includes:

  • User identity
  • Timestamp
  • Source IP address
  • Performed action

This enables precise reconstruction of who accessed which data and why.
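The authentication and user activity logs described in this section, and the "Response timelines and accountability" passage earlier, are only useful as evidence if someone actually reads them. The following added example (written for this page; it is not piler enterprise code, and the line layout of timestamp, component and key=value pairs is an assumption, since the real log format is not documented here) parses a few constructed audit lines and answers the two questions a controller is most often asked: is a source address hammering the login form, and who viewed, exported or deleted the messages tied to a data subject request.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format; not piler enterprise output.
SAMPLE_LOG = """\
2025-03-04T09:00:01Z piler-gui user=alice ip=10.0.0.5 action=login result=failed
2025-03-04T09:00:09Z piler-gui user=alice ip=10.0.0.5 action=login result=success
2025-03-04T09:10:00Z piler-gui user=admin ip=203.0.113.9 action=login result=failed
2025-03-04T09:10:12Z piler-gui user=admin ip=203.0.113.9 action=login result=failed
2025-03-04T09:10:25Z piler-gui user=auditor ip=203.0.113.9 action=login result=failed
2025-03-04T09:10:40Z piler-gui user=admin ip=203.0.113.9 action=login result=failed
2025-03-04T09:11:02Z piler-gui user=root ip=203.0.113.9 action=login result=failed
2025-03-04T09:11:30Z piler-gui user=admin ip=203.0.113.9 action=login result=failed
2025-03-04T10:15:02Z piler-gui user=dpo ip=10.0.0.21 action=login result=success method=totp
2025-03-04T10:15:30Z piler-gui user=dpo ip=10.0.0.21 action=search query="from:jane@example.org"
2025-03-04T10:16:05Z piler-gui user=dpo ip=10.0.0.21 action=view msg_id=MSG-1001
2025-03-04T10:17:11Z piler-gui user=dpo ip=10.0.0.21 action=export msg_id=MSG-1001
2025-03-04T10:20:45Z piler-gui user=dpo ip=10.0.0.21 action=delete msg_id=MSG-1001 ticket=DSAR-42
2025-03-04T10:21:00Z piler-gui user=alice ip=10.0.0.5 action=view msg_id=MSG-2002
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<component>\S+)\s+(?P<kv>.*)$")
# key=value pairs; values may be double-quoted to allow spaces and colons.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
EVIDENCE_ACTIONS = ("view", "export", "delete")


def parse_line(line):
    """Turn one log line into a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
             "component": m.group("component")}
    for key, value in KV_RE.findall(m.group("kv")):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        entry[key] = value
    return entry


def parse_log(text):
    """Parse every well-formed line; malformed lines are skipped, not guessed at."""
    return [e for e in (parse_line(l) for l in text.splitlines() if l.strip()) if e]


def failed_login_bursts(entries, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> largest number of failed logins inside any `window`,
    for IPs that reach `threshold`. Sliding window over sorted timestamps."""
    by_ip = defaultdict(list)
    for e in entries:
        if e.get("action") == "login" and e.get("result") == "failed":
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def dsar_evidence(entries, msg_ids):
    """Chronological (timestamp, user, ip, action, msg_id) rows for the
    messages identified as belonging to a data subject: the proof of who
    accessed, exported or deleted what, and when."""
    wanted = set(msg_ids)
    rows = [e for e in entries
            if e.get("action") in EVIDENCE_ACTIONS and e.get("msg_id") in wanted]
    rows.sort(key=lambda e: e["ts"])
    return [(e["ts"].isoformat(), e["user"], e["ip"], e["action"], e["msg_id"]) for e in rows]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(entries))
    for row in dsar_evidence(entries, ["MSG-1001"]):
        print(*row)
```

The burst check is deliberately keyed on the source address rather than the username, because an attacker cycling through account names still shares one origin; forwarding these events to a SIEM via syslog, as the page mentions, lets the same rule run fleet-wide. The evidence function is what a controller would attach to a DSAR ticket: for a valid request it shows the view, export and delete steps by the data protection officer, and if deletion had been blocked by legal hold the absence of a `delete` row together with the hold configuration is the demonstration the page refers to.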


Supporting data subject rights and regulatory inquiries

Audit logs produced by Piler enterprise support compliance with multiple GDPR obligations, including:

  • Article 15 (Right of access): Demonstrating when and by whom personal data was accessed
  • Article 17 (Right to erasure): Providing evidence that deletion actions were executed
  • Article 30 (Records of processing activities): Supporting internal documentation of processing operations
  • Article 33 (Breach notification): Assisting in incident investigation and scope assessment

Logs may also be used to support internal audits, external compliance reviews, or regulatory inspections.


Integrity and retention of audit logs

  • Audit logs are written in a structured and consistent format
  • Logs can be forwarded to centralized logging or SIEM systems via syslog
  • Access to logs can be restricted to authorized roles only

Organizations are expected to define appropriate log retention periods in line with their regulatory and operational requirements.


Organizational responsibility

While Piler enterprise provides detailed technical audit logs, the data controller remains responsible for:

  • Reviewing and monitoring audit logs
  • Defining escalation and incident response procedures
  • Retaining logs for an appropriate duration
  • Producing logs as evidence to supervisory authorities when required

Piler enterprise enables accountability but does not replace governance or oversight processes.


Summary

Piler enterprise supports GDPR accountability requirements by providing:

  • End-to-end traceability of email ingestion and access
  • Detailed user activity and authentication logs
  • Evidence to support audits, investigations, and data subject requests
  • Integration with external logging and monitoring systems

These capabilities help organizations demonstrate compliance, not merely claim it.

Privacy by design & by default (Article 25 GDPR)

Regulatory background

Article 25 of the GDPR requires controllers to implement data protection by design and by default. This means that privacy safeguards must be:

  • Integrated into the design and architecture of systems
  • Enabled by default, without requiring user intervention
  • Proportionate to the purpose, scope, and risks of processing

In practice, this focuses on data minimization, access limitation, and controlled processing, rather than optional features.


Privacy by design in Piler enterprise

Piler enterprise incorporates privacy considerations directly into its core architecture and workflows.

1. Purpose limitation by system design

  • Piler enterprise is designed specifically for email archiving and compliance use cases
  • Archived emails are not repurposed for analytics, profiling, or secondary processing
  • Search, review, and export capabilities are limited to explicitly authorized roles

This enforces processing strictly aligned with defined compliance purposes.


2. Data minimization and scoped access

  • Users can only access their own archived emails by default
  • Broader access (e.g. auditor roles) must be explicitly assigned
  • Search results and message visibility are limited according to role-based permissions

This reduces unnecessary exposure of personal data.


3. Privacy-preserving default settings

Out-of-the-box defaults are aligned with privacy principles:

  • Restricted user visibility
  • Access logging enabled
  • Encryption at rest and in transit enabled
  • No public or anonymous access to archived data

Any relaxation of these defaults requires explicit administrative action.


4. Retention and deletion controls

  • Retention periods can be defined to meet legal or regulatory requirements
  • Automated purging removes data that is no longer required
  • Legal hold must be deliberately enabled and scoped

This ensures that personal data is not retained longer than necessary by default.


5. Controlled data export

  • Export of archived emails is a privileged operation
  • Export actions are logged and auditable
  • Optional cryptographic signatures protect integrity of exported data

This limits uncontrolled dissemination of personal data outside the archive.


Privacy by default: operational implications

Piler enterprise is designed so that:

  • Only the minimum necessary data is accessible for each role
  • Processing actions require authentication and authorization
  • All access is traceable through audit logs

Organizations must consciously configure any broader access or extended retention, supporting the GDPR principle that privacy-friendly behavior is the default.


Organizational responsibility

While Piler enterprise supports privacy by design and default at a technical level, the data controller remains responsible for:

  • Selecting appropriate retention periods
  • Assigning user roles and privileges
  • Ensuring lawful purposes for access and exports
  • Periodically reviewing configurations

The product enables compliance, but governance decisions remain with the organization.


Summary

Piler enterprise supports Article 25 GDPR by:

  • Embedding privacy safeguards into system architecture
  • Enforcing restrictive access and logging by default
  • Supporting purpose limitation, data minimization, and controlled retention
  • Requiring explicit action to reduce privacy protections

This ensures privacy is built in, not added later.

Appendix: Article 28 GDPR – Processor Obligations Mapping

The table below summarizes how piler enterprise supports the processor obligations set out in Article 28(3) GDPR. This appendix is intended to support vendor assessments, procurement reviews, and compliance audits.

| Article 28(3) requirement | How piler enterprise supports compliance |
| --- | --- |
| Processing on documented instructions | piler enterprise processes personal data solely based on controller configuration and documented instructions. The system does not determine processing purposes independently. |
| Confidentiality | Role-based access control, authentication mechanisms, and access logging restrict data access to authorized users only. |
| Security of processing (Article 32) | Encryption in transit and at rest, access controls, integrity protection, and logging are provided. Organizational security measures remain the controller’s responsibility. |
| Sub-processing | No sub-processors are engaged unless explicitly agreed or required by the chosen deployment or hosting model. |
| Assistance with data subject rights | Search, export, deletion, and audit logging features support Articles 15–20 GDPR, under controller direction. |
| Assistance with security and breach obligations | Audit logs and system logs support incident investigation and breach impact assessment under Articles 33 and 34 GDPR. |
| Deletion or return of data | Upon termination, archived data can be deleted or returned in accordance with controller instructions and applicable legal obligations. |
| Demonstration of compliance | Detailed audit logs and configuration records support supervisory authority inquiries and compliance verification. |

piler enterprise acts as a technical processor and does not replace the controller’s governance, legal assessments, or documentation duties.