Sign in →
Privacy & GDPR1 min read

GDPR at Aforo — Overview

Aforo's GDPR posture: processor responsibilities, customer responsibilities, articles index, lawful bases, and where to find each capability.

Updated 2026-06-15Suggest edits
Docs Privacy & GDPR Overview

Aforo is built so that running a usage-based billing platform doesn\'t leave you scrambling on the day the regulator asks for evidence. This page is the entry point: who plays which role, what Aforo ships out of the box, what you still own, and where to find each capability.

Aforo\'s role under GDPR#

RelationshipAforo's roleYour roleExamples
You ↔ your end-customersData Processor (Art. 28)Data ControllerCustomer's account profile, payment methods, usage metadata
Aforo ↔ your operator teamData ControllerOperator login, MFA enrollment, audit log of operator actions
Aforo ↔ subprocessorsData Controller (when contracting them)AWS hosting, Stripe payment processing, Anthropic AI inference
INFO
For data your end-customers entrust to your tenant — billing addresses, usage events, payment methods — you are the Controller. Aforo is the Processor and acts only on your documented instructions. The DPA you sign at onboarding is the legal expression of this relationship.

What Aforo handles for you#

What you remain responsible for#

Aforo provides infrastructure. You still own the Controller-side obligations:

  • Your privacy notice — explain to your end-customers what data you collect, why, and how long you keep it (Articles 13-14).
  • Lawful basis selection — decide whether processing rests on consent, contract, legitimate interest, etc. (Article 6).
  • DPIA filing — when launching new high-risk processing (e.g., automated decisioning, biometric data), file with your supervisory authority (Article 35).
  • Breach notification authority — Aforo notifies you of suspected breaches within 12h of detection; you notify your supervisory authority within the 72h window (Article 33).
  • Data Protection Officer — appoint a DPO if Article 37 applies to your organization.
  • Cross-border transfers from your tenant — if you export data from Aforo to systems outside your contracted region, you own the transfer mechanism (SCCs, BCRs, adequacy decision).

Lawful bases matrix#

For Aforo\'s own processing as Controller (operator data) and as Processor (end-customer data acting on your instructions), these are the lawful bases we operate under:

Processing activityLawful basis (Art. 6)Whose dataRetention
Operator account + MFAContract (b)Your operatorsActive + 12 months post-termination
Operator action audit logLegal obligation (c) + Legitimate interest (f)Your operators7 years (financial audit trail)
End-customer billing dataContract (b) — acting on Controller instructionsYour end-customersActive + 7 years (tax law)
Usage event meteringContract (b) — acting on Controller instructionsYour end-customersRaw events 13 months; aggregates indefinite
Marketing emails to operatorsConsent (a)Your operatorsUntil consent withdrawn
Security telemetryLegitimate interest (f) — preventing breachAll13 months
Fraud + abuse monitoringLegitimate interest (f) + Legal obligation (c)All24 months

Articles covered#

ArticleTopicWhere to find it
Art. 5Principles of processingThis page (lawful bases matrix above)
Art. 6Lawful basisThis page (lawful bases matrix above)
Art. 7ConsentData Subject Rights — Consent Ledger
Art. 12DSR response timing (72h ack, 30d full)Data Subject Rights — SLA
Art. 13Information when collecting from subjectYour privacy notice (you own)
Art. 13(1)(f)Cross-border transfer disclosureCompliance Registers — Data Residency
Art. 14Information when not collected from subjectYour privacy notice (you own)
Art. 15Right of accessData Subject Rights — Access requests
Art. 16Right to rectificationData Subject Rights — Rectification
Art. 17Right to erasureData Subject Rights — Erasure
Art. 18Right to restrictionData Subject Rights — Restriction
Art. 20Right to data portabilityData Subject Rights — Portability (CSV/JSON export)
Art. 21Right to objectData Subject Rights — Objection
Art. 25Data protection by designAutomatic PII masking + role-based redaction
Art. 28Processor obligations + subprocessor disclosureCompliance Registers — Subprocessors
Art. 30Records of Processing ActivitiesCompliance Registers — RoPA
Art. 32Security of processingAudit & Compliance — Security
Art. 33Breach notification to authority (72h)Breach Response — Article 33 workflow
Art. 34Breach notification to data subjectsBreach Response — Article 34 workflow
Art. 35Data Protection Impact AssessmentCompliance Registers — DPIA
Art. 44-49International transfersCompliance Registers — Data Residency (SCCs, DPF)

Where each capability lives in Aforo#

For your operators (running Aforo)

  • Aforo Product UI → Governance → Privacy Operations tab — DSR queue with 72h SLA timer + Breach Incidents with Article 33 workflow.
  • Aforo Product UI → Governance → Compliance Library tab — RoPA, DPIA, Data Residency, PII Framework as auditor-ready reference docs.
  • Aforo Product UI → Admin Panel → Audit Log — filter on action LIKE \'pii.%\' for PII access trail, action LIKE \'dpa.%\' for DPA signatures.

For your end-customers (storefront portal)

  • Storefront Portal → /privacy — self-service: download my data (Article 15), delete my account (Article 17), withdraw consent (Article 7(3)).
  • Storefront Portal → /trust-center — current subprocessor list + 30-day change notification subscribe.

For your developers (integrating with Aforo)

  • Automatic PII masking — sensitive fields (email, phone, tax IDs) are masked in API responses based on the caller's role, with no setup required.
  • Privacy self-service — your end-customers manage consent and file data-subject requests from the storefront /privacy page.
INFO
Pre-launch posture (current). Aforo has no paying customers yet; a small number of cascade-purge edge cases are tracked as follow-ups that close before the first paying customer. Everything documented on these pages ships and is testable today.