GraphWarden and GDPR: how the proxy supports your compliance obligations

The European Union's General Data Protection Regulation (GDPR) imposes strict obligations on organizations processing personal data, covering security, minimization, traceability, and notification. GraphWarden helps meet several GDPR articles by centralizing access control to Microsoft Graph, filtering the data returned, and producing a verifiable audit log. This document maps the main GDPR articles to GraphWarden's capabilities, with explicit limits.

Who this document is for

- An organization subject to the GDPR (processing personal data of EU residents, or established in the EU) - A records of processing activities (ROPA, Art. 30) in place - Access to the GraphWarden admin application and to your Azure Key Vault - Intended readers: data protection officer (DPO), CISO, legal and compliance team

GDPR context

The GDPR — Regulation (EU) 2016/679 — was adopted in April 2016 and entered into application on 25 May 2018. It applies to any processing of personal data of EU residents, regardless of the controller's location, whenever the processing relates to offering goods or services to individuals in the EU or monitoring their behaviour. The regulation replaces Directive 95/46/EC and harmonizes the data protection regime across the European Union.

Supervision is carried out by national supervisory authorities (the CNIL in France, the Garante in Italy, the BfDI in Germany, the DPC in Ireland, and others), coordinated at the European level by the European Data Protection Board (EDPB). The main pillars of the regulation cover lawfulness of processing (Art. 6), the rights of data subjects (Art. 15 to 22), data protection by design and by default (Art. 25), records of processing activities (Art. 30), security of processing (Art. 32), breach notification (Art. 33 and 34), and data protection impact assessments (DPIA, Art. 35). Administrative fines can reach 20 million euros or 4 percent of annual worldwide turnover, whichever is higher.

GDPR mapping to GraphWarden capabilities

GDPR article GraphWarden capability Status Technical proof
Art. 5 — Data minimization and purpose limitation principles Graph response filtering (Response Filter transforms) Aligned Configure a Response Filter to restrict the Graph fields returned to those strictly necessary for the declared purpose.
Art. 25 — Data protection by design and by default Per-system app identities and versioned YAML rulesets Aligned Every Graph-integrated application has its own identity with a documented ruleset, enforcing protection by default (minimal access).
Art. 30 — Records of processing activities (ROPA) YAML rulesets and exportable audit log Aligned Versioned YAML rulesets and exportable audit logs provide technical artifacts to attach to your records of processing activities.
Art. 32 — Security of processing Zero-knowledge architecture (Azure Key Vault) Aligned Graph credentials remain in your Key Vault; GraphWarden holds a get permission only.
Art. 33-34 — Personal data breach notification HMAC-authenticated audit log Supported The audit log produces timestamped evidence usable to document the scope of a breach within the regulatory window (72 hours to the supervisory authority).

Concrete scenario

A French SaaS publisher operating in the European Union integrates 8 internal applications with Microsoft 365. Without GraphWarden, each application holds full Graph credentials and can query every endpoint its Azure AD registration permits. With GraphWarden: 8 distinct app identities, each with a ruleset restricting endpoints and returned fields. During a CNIL inspection on the data minimization principle (Art. 5), the publisher produces the YAML rulesets as technical evidence of per-application access limitation, together with the audit log for the inspected time window.

Hosting and data residency

Hosted tier: the proxy runtime is in Azure Canada Central; the control plane runs in Canada East (OVHCloud). On-premise tier (Windows Service or Docker): the proxy runs entirely in your infrastructure — no Graph data leaves your environment, which can contribute to your international-transfer obligations (Chapter V). Graph credentials (client secrets, certificates) never leave your Azure Key Vault: GraphWarden holds only their SHA-256 fingerprint to authenticate calls from your applications.

EU–Canada adequacy decision. Canada holds an EU adequacy decision (2014), so transfers from the EU to our Canada-hosted tier do NOT require Standard Contractual Clauses (SCCs). This adequacy simplifies the Chapter V analysis for EU-established controllers that choose our hosted tier.

Limits

GraphWarden helps meet several GDPR obligations but does not cover the entire regulation. The following items remain your responsibility.

  • GraphWarden does NOT cover the legal bases for processing (Art. 6) — lawfulness, consent, and legitimate interest are part of your legal analysis.
  • GraphWarden does NOT cover data subject rights (Art. 15 to 22) — access, rectification, erasure, and portability remain your application-level responsibility.
  • GraphWarden does NOT perform the data protection impact assessment (DPIA, Art. 35) — the proxy provides technical artifacts, not the assessment.
  • GraphWarden does NOT cover international data transfers (Chapter V) — the location of your deployment must be consistent with your post-Schrems II commitments.
  • GraphWarden does NOT notify the supervisory authority of personal data breaches — that process (72 hours to the authority, Art. 33; without undue delay to data subjects, Art. 34) remains your responsibility.
  • GraphWarden does NOT replace the designation of a data protection officer (DPO, Art. 37 and following).

Prepare your GDPR brief with an AI assistant

Prepare a GDPR compliance brief

Prepare a GDPR compliance brief for my organization using GraphWarden with Microsoft 365.

I need to deliver to my DPO / GDPR committee:
1. Which GDPR articles GraphWarden helps meet (mapping)
2. Which articles remain under my responsibility (out of scope)
3. The technical artifacts to attach to my file (YAML rulesets, audit logs)

Reference documentation: https://graphwarden.com/llms.txt

Ask me:
- My EU establishment jurisdiction
- How many Graph-integrated applications I have today
- Whether I already have a ROPA and a DPIA in progress

Reference: llms.txt

Troubleshooting

  • My ROPA must list every processing activity by purpose — how does GraphWarden help? Export each YAML ruleset named by purpose; the ruleset name and description serve as ROPA entries. See Rulesets and Rules.
  • A supervisory authority asks me to prove access limitation. Produce the relevant YAML ruleset and the audit log for the requested period through the HMAC endpoint; see Agent API.
  • Schrems II and transfers outside the EU — does GraphWarden change anything? See the Hosting section above. In on-premise mode inside the EU, no transfer occurs through GraphWarden. In hosted mode, the proxy runs in Canada (Azure Canada Central + Canada East OVHCloud) — Canada holds an EU adequacy decision (2014), so EU-to-Canada transfers do not require SCCs.
  • My breach notification must be filed within 72 hours — how does GraphWarden help scope it? The HMAC-authenticated audit log lets you identify precisely which Graph calls fall inside a given time window, supporting the scoping of a breach.
  • A partner asks me to demonstrate protection by default (Art. 25). Git versioning of your YAML rulesets documents your minimal-access decisions as a technical record, usable as evidence of data protection by design and by default.

Resources

Next steps

For a demo tailored to your GDPR deployment, contact the GraphWarden team. Review the use cases to see how other EU-based organizations have aligned rulesets to their ROPA and DPIA programs. Bring to the session: your EU establishment jurisdiction, your list of Graph-integrated applications, your ROPA review deadline, and the desired audit retention tier (90 days, 1 year, or 7 years).

Last reviewed: