Apply the technical measures GDPR Article 32 actually expects, in one engagement.
AES-256 at rest, TLS 1.3 in transit, pseudonymised logs, breach playbook, RoPA template.

A one-time technical engagement that applies GDPR Article 32 technical and organisational measures (TOMs) to your existing or new ASH email infrastructure. The deliverables: encryption at rest using AES-256 with LUKS or equivalent on all server volumes containing personal data; encryption in transit using TLS 1.3 with strong cipher suites and certificate pinning where appropriate; pseudonymisation of recipient identifiers in operational logs (hashed email addresses with separately-stored salt); multi-factor authentication enforcement on all administrative accounts; structured log retention policy with documented retention windows per log category; breach response playbook covering the 72-hour notification window under Article 33; Records of Processing Activities (RoPA) template aligned with Article 30 obligations; written summary of TOMs applied to your specific infrastructure for inclusion in your processor evidence. One-time engagement EUR 899, delivery in 7 business days.

GDPR Article 32 does not mandate encryption universally; it requires technical and organisational measures appropriate to the risk. Recital 83 specifically recommends encryption as a risk-mitigation measure. In practice, supervisory authorities expect encryption for any processing where unauthorised access could harm individuals, which covers most email infrastructure scenarios because email touches identifiable data at scale. The Article 32 reference list includes pseudonymisation and encryption as example measures. ICO and NIST guidance both recommend AES-256 for data at rest and TLS 1.3 for data in transit as the current 2026 baseline. The German A7 guide (March 2026) and Konfirmity 2026 encryption guide both cite AES-256 plus TLS 1.2+ as the supervisory authority expectation across European jurisdictions. We apply these standards by default; the engagement documents the choices made and the reasoning for your evidence package.

Different scope and pricing model. GDPR Compliance Setup is a one-time technical engagement that applies the technical measures (encryption, MFA, log structure, breach playbook) and delivers documentation of what was applied. Compliance Pack is an ongoing bundle that adds executed DPA, maintained sub-processor registry, SOC 2 Type II evidence mapping, ISO 27001 alignment, quarterly DPIA support hours, and 4-hour breach notification SLA on an EUR 449 monthly recurring basis. Many customers buy GDPR Compliance Setup first to get the technical baseline right, then add Compliance Pack later as they sell into enterprise procurement processes that require ongoing documentation. The setup is a prerequisite for the bundle in practice; you cannot maintain compliance documentation if the underlying technical posture is not in place.

Pseudonymisation is a specific technical measure Article 32 calls out by name (alongside encryption). The mechanism: replace personally identifiable information in operational logs with artificial identifiers (pseudonyms) that cannot be traced back to the individual without separately-held additional information (the salt or mapping key). For email infrastructure the practical application is logging recipient email addresses as hashed identifiers (typically HMAC-SHA-256 with a per-customer salt stored separately from the logs) rather than cleartext. The operational team can still correlate events across the log stream (same hash equals same recipient) but cannot enumerate the recipient list from the logs in isolation. Re-identification requires access to the salt, which is stored on separate infrastructure with its own access controls. We apply this pattern to SMTP transaction logs, authentication logs, and bounce processing logs. Cleartext email addresses remain in the operational sending queue (necessary for actual delivery) but the queue is encrypted at rest and retained for the minimum operational window only.

GDPR Article 33 requires controllers to notify supervisory authorities within 72 hours of becoming aware of a breach. Article 33(2) requires processors to notify controllers without undue delay. Our breach response playbook is engineered around these windows. The playbook covers: detection mechanisms (intrusion detection alerts, anomalous access patterns, authentication failures at scale, data exfiltration signals); classification procedure (is this a breach as defined by GDPR Article 4(12), or an incident that does not meet the breach threshold); notification chain (designated incident commander, technical responder, communications lead, legal counsel notification); content of the controller notification (incident classification, affected data categories, recipient count estimate, root cause status, remediation in progress); content of the supervisory authority notification when the controller decides to escalate; remediation tracking and post-incident review. The playbook is delivered as a written runbook with specific contacts and decision criteria. Customers needing 4-hour processor notification SLA (rather than just the documented playbook) should add the Compliance Pack bundle.

Article 30 obligations vary by role. Controllers under Article 30(1) must maintain records covering: name and contact of the controller, purposes of processing, categories of data subjects and personal data, categories of recipients, third country transfers with safeguards, retention periods, and general description of security measures. Processors under Article 30(2) maintain a similar but processor-focused record covering categories of processing activities performed on behalf of each controller, third country transfers, and security measures description. Our template covers both versions and pre-populates the rows relevant to ASH-related processing on your behalf. You adapt the template to cover your full operational scope, integrating ASH-specific rows alongside your other processing activities. The template is delivered in editable format (Word and Markdown) with annotations explaining each field.

Partially. EU AI Act enforcement begins August 2026 for high-risk AI systems requiring conformity assessments. Email infrastructure itself is not classified as a high-risk AI system under the Act; standard PowerMTA, MailWizz, and bounce processing pipelines do not meet the AI system definition. However, if your operation runs AI-driven content generation, AI-driven recipient targeting, or AI-based deliverability optimisation, you may have AI Act obligations as a deployer or provider. GDPR Compliance Setup focuses on Article 32 technical measures and Article 30 records; it does not extend to AI Act conformity assessments. We are tracking AI Act enforcement guidance from supervisory authorities and can update the documentation as guidance crystallises. For operations with AI components, we recommend supplementing this setup with specialised AI Act assessment from a qualified consultancy.

GDPR Chapter V governs international transfers. The setup documents the transfer mechanism applicable to your specific data flows. The three main mechanisms: adequacy decision (transfer to countries the EU Commission has determined provide adequate protection, currently including Switzerland, UK, Japan, South Korea, and a few others, with the EU-US Data Privacy Framework currently in force for certified US recipients); Standard Contractual Clauses (the EU-approved contract template for transfers to non-adequate countries, applicable to our non-EU regions like Panama and Hong Kong); Article 49 derogations (specific situations like explicit consent or contract necessity, narrower in scope). For ASH customers using EU datacenters (Romania, Bulgaria), Chapter V is not triggered for storage and processing within those datacenters. For customers using non-EU datacenters (Panama, Hong Kong, Singapore), we provide the Standard Contractual Clauses package as part of the setup documentation. Customers needing a fully customised transfer impact assessment for high-risk transfers should engage specialised counsel; the setup provides the baseline documentation that most procurement processes require.