Data-subject rights

Venturi supports the data-subject rights your privacy program depends on — access, erasure, and portability — and reconciles the right to erasure with an append-only, replayable architecture by crypto-shredding encryption keys. This page describes Venturi's role, how each right is fulfilled, and where lawful exemptions apply.

Venturi's role: processor, not controller

You are the controller; Venturi is the processor

Venturi acts as a data processor. Your organization is the controller. Venturi processes personal data only on your documented instructions, and data-subject requests are received from and fulfilled on your instruction. Venturi commits to the GDPR Article 28 processor obligations, including the Art. 28(3)(a)–(h) data-processing-agreement terms and the Art. 28(2) subprocessor change-notification and objection workflow.

Because the data plane runs inside your own VPC and Venturi processes invocation metadata rather than prompt or completion content (see Data privacy & retention), the personal-data footprint Venturi holds is minimized by design.

Right of access

On your instruction as controller, Venturi produces the personal data it holds for a given subject from the metadata it processes — the attribution-relevant fields associated with that subject's identity. Because Venturi does not store prompt or completion content, an access response contains invocation metadata and the derived attribution records, never message bodies.

Right to erasure (right to be forgotten)

Venturi fulfills erasure by destroying the encryption keys that protect a subject's data, rather than by scrubbing immutable stores. Each class of data is handled explicitly:

Data: Operational + attribution data
How erasure is handled: Erased by crypto-shredding the per-subject key within the 30-day SLA. After the key is destroyed, replaying the event stream cannot reconstruct the subject's personal data — key destruction is the named, permitted exception to deterministic reconstruction. A deletion certificate is produced as evidence.

Data: Immutable audit + override stores
How erasure is handled: Not purged on an erasure request. Their PII is pseudonymized (opaque, non-reversible identifiers), and they are retained for their compliance period under a named legal-claims / legitimate-interest lawful basis with the GDPR Art. 17(3)(b)/(e) exemption. Post-shred, these entries are non-personal.

Data: Anonymized aggregation contributions
How erasure is handled: Once anonymized into the consent-gated Aggregation environment, a contribution is non-personal and not individually reversible. This is disclosed: anonymize-before-aggregate exempts the contribution from individual erasure, and no per-subject model retraining is triggered.

Why the audit log is not erased

"We keep an audit trail" is not, by itself, a lawful basis for retaining personal data. Venturi's basis is the combination of (1) pseudonymizing the audit trail so post-shred entries are non-personal, and (2) the named legal-claims and legitimate-interest basis (GDPR Art. 6(1)(f)) with the Art. 17(3) exemptions for establishing legal claims and meeting legal obligations. This carve-out resolves the apparent tension between certified deletion within 30 days and a 5-year tamper-evident audit log.
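The two mechanisms described in this section and the erasure table above, crypto-shredding a per-subject key against an append-only stream and keeping only pseudonymized entries in the retained log, are shown below as an added illustration. It is not Venturi's code, and Venturi's actual key hierarchy, storage layout and certificate format are not described on this page. The example keeps 64 bytes of key material per subject (32 for AES-GCM, 32 for an HMAC that derives the pseudonym written to the stream), appends only ciphertext plus that pseudonym, and implements erasure as key destruction alone: the stream is never modified, replay fails once the key is gone, and the pseudonym left behind can no longer be recomputed from the subject's identity. The names (Store, Append, Replay, Erase), the 64-byte key layout and the sample subjects are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

var ErrShredded = errors.New("no live key for subject: unknown or already crypto-shredded")

// Event is one append-only record: an opaque pseudonym plus ciphertext, never a readable identity.
type Event struct {
	SubjectRef string // hex HMAC-SHA256(macKey, subjectID)
	Payload    []byte // nonce || AES-GCM ciphertext of the personal fields
}

type Store struct {
	keys   map[string][]byte // subjectID -> 32 B AES-GCM key || 32 B HMAC key; nil = shredded
	Events []Event           // the immutable stream: never modified after append
}

func NewStore() *Store { return &Store{keys: map[string][]byte{}} }

// pseudonym is the opaque reference written to the stream; without the MAC key nobody can
// recompute subjectID -> SubjectRef, so after a shred the retained entries link to nobody.
func pseudonym(macKey []byte, subjectID string) string {
	m := hmac.New(sha256.New, macKey)
	m.Write([]byte(subjectID))
	return hex.EncodeToString(m.Sum(nil))
}

// open yields the subject's AEAD and pseudonym, minting keys on first use, refusing after a shred.
func (s *Store) open(subjectID string) (cipher.AEAD, string, error) {
	k, ok := s.keys[subjectID]
	if ok && k == nil {
		return nil, "", ErrShredded
	}
	if !ok {
		k = make([]byte, 64)
		if _, err := rand.Read(k); err != nil {
			return nil, "", err
		}
		s.keys[subjectID] = k
	}
	block, _ := aes.NewCipher(k[:32]) // 32-byte key selects AES-256; cannot fail
	aead, err := cipher.NewGCM(block)
	return aead, pseudonym(k[32:], subjectID), err
}

// Append encrypts the personal fields and appends the event, binding the pseudonym as
// associated data so a payload cannot later be re-attached to a different reference.
func (s *Store) Append(subjectID string, personal []byte) error {
	aead, ref, err := s.open(subjectID)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := aead.Seal(nil, nonce, personal, []byte(ref))
	s.Events = append(s.Events, Event{SubjectRef: ref, Payload: append(nonce, ct...)})
	return nil
}

// Replay decrypts a subject's events in stream order; after a shred it fails before reading any.
func (s *Store) Replay(subjectID string) ([][]byte, error) {
	aead, ref, err := s.open(subjectID)
	if err != nil {
		return nil, err
	}
	n, out := aead.NonceSize(), [][]byte{}
	for _, e := range s.Events {
		if e.SubjectRef == ref {
			pt, err := aead.Open(nil, e.Payload[:n], e.Payload[n:], []byte(ref))
			if err != nil {
				return nil, err
			}
			out = append(out, pt)
		}
	}
	return out, nil
}

// Erase is the crypto-shred: zeroise the key and leave a nil tombstone; the stream is untouched.
// The returned pseudonym is what a deletion certificate would cite: every retained entry under it
// is now undecryptable and unlinkable to the subject.
func (s *Store) Erase(subjectID string) (string, error) {
	k := s.keys[subjectID]
	if k == nil {
		return "", ErrShredded
	}
	ref := pseudonym(k[32:], subjectID)
	copy(k, make([]byte, len(k))) // zeroise before dropping the reference
	s.keys[subjectID] = nil       // tombstone: the key is never re-minted
	return ref, nil
}
```

After Erase, Replay and Append for that subject return ErrShredded, other subjects are unaffected, and len(s.Events) is unchanged: the entries carrying the erased subject's pseudonym stay in the stream but are non-personal, which is the property the audit-log exemption above relies on.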

The 30-day erasure SLA

Complete, verified erasure of in-scope subject data is committed within 30 days of a valid request, with a deletion certificate as evidence. The same crypto-shred mechanism, applied to per-tenant keys, performs certified deletion on full offboarding — see offboarding & data return.

Right to data portability

Venturi produces a machine-readable export in the tenant-export format — the same format used for ongoing data portability and for the final export at offboarding. The export covers your AttributionRecords, your customer-readable audit trail, and the reconciliation and billing artifacts you need to operate independently. See Reporting & exports for the export formats available day-to-day.

A note on CCPA / consumer-privacy requests

The same mechanisms serve consumer-privacy requests under CCPA/CPRA: as processor (a "service provider" under CCPA), Venturi fulfills access, deletion, and portability requests on your instruction. Venturi does not sell or share personal data, processes only the metadata required to provide the service, and applies the same crypto-shred deletion path. See Compliance for Venturi's CCPA posture.

What ships to support your privacy program

  • A DPIA template (GDPR Art. 35) and a works-council pack ship with the product, so you can run the impact assessment and consultation your jurisdiction requires for employee-data processing.
  • A lawful-basis mapping documents the basis per processing activity: in-VPC metadata processing (processor on your instruction, under your basis); cross-tenant aggregation (explicit consent / scoped permission, de-identified); and audit-log retention (legal-claims / legitimate-interest, pseudonymized).
  • A Record of Processing Activities (RoPA) is maintained for in-VPC metadata processing and for cross-tenant aggregation.

Legal sign-off

The legal classification of cross-tenant aggregation outputs (anonymized versus pseudonymized) and the precise erasure exemptions are confirmed under EU counsel sign-off before external release. The mechanics above are the binding architecture; the formal DPA, RoPA, and DPIA template are produced as part of the enterprise-readiness program described in Compliance.