FREE RESOURCE

GDPR AI Agents Checklist

A 20-point compliance checklist for teams building AI agents with persistent memory. Covers data residency, user rights, security, and DPA requirements.

Opens browser print dialog — save as PDF

20 items 5 categories GDPR Art. 5·13·15·16·17·20·28·35

1. Data Residency

All user memory data stored within the EU (Art. 46 GDPR)

No transatlantic data transfers — Schrems II compliant

DPA signed with all memory sub-processors (Art. 28 GDPR)

Data processing register updated to include memory layer

2. Consent & Transparency

Legal basis documented: consent (Art. 6.1.a) or legitimate interest (Art. 6.1.f)

User notified at collection time that agent stores memories (Art. 13)

Opt-out mechanism available and functional

3. Data Subject Rights

Right to access (Art. 15): user can view all their stored memories via API or UI

Right to erasure (Art. 17): all memories deletable per user_id within 72h

Right to portability (Art. 20): memories exportable as JSON on request

Right to rectification (Art. 16): individual memories editable/correctable

4. Security

Memory data encrypted at rest (AES-256 minimum)

All API calls use TLS 1.3

API keys are hashed server-side (never stored in plain text)

Access logs retained for audit purposes (breach notification compliance)

5. Special Categories & High-Risk Processing

No raw medical, biometric, or Art. 9 sensitive data stored in memories

Only synthesized/anonymized context stored as memory content

Memory TTL (expiry) configured for sensitive data types

DPIA conducted if high-risk processing is involved (Art. 35)

Kronvex satisfies 14 of these 20 items by default

EU Frankfurt hosting, DPA included, right to erasure in one API call, TTL per memory, and no LLM at recall. Your team handles consent notices and legal basis — we handle the infrastructure.

Get free API key → Read CNIL compliance guide