# GDPR
Vulkro supports two GDPR-related workflows:
- Article 30 Records of Processing Activities (RoPA) - generated as markdown or HTML, intended as a starting point for the formal record.
- Article 32 Security of Processing - control mappings on every relevant finding.
## RoPA generation

```sh
vulkro scan . --format ropa-md > ropa.md
vulkro scan . --format ropa-html > ropa.html
```
The RoPA enumerates:
- Each endpoint that handles personal data, identified by the privacy engine.
- The detected categories of personal data per endpoint (email, phone, address, DOB, MRN, biometric IDs, ...).
- The stated purpose, retention, and lawful basis (you fill these in - no static scanner can infer them).
- The Vulkro-detected security controls in place / missing.
Treat the output as a 70%-finished draft, not a final RoPA.
## Article 32 mappings

| Vulkro finding | GDPR Art. 32 mapping |
|---|---|
| Insecure transmission | 32(1)(a) - pseudonymisation/encryption |
| Hardcoded secret | 32(1)(a) |
| Weak crypto | 32(1)(a) |
| BrokenAuthentication | 32(1)(b) - confidentiality |
| BrokenObjectLevelAuth | 32(1)(b) |
| Insecure logging | 32(1)(c) - integrity |
| Vulnerable dependency | 32(1)(d) - testing/evaluating |
## PII detection

The privacy engine detects PII fields in API request and response shapes:
- email, phone, address, dob
- ssn, tax_id, passport_number
- name (when paired with another identifier)
- IP address, user agent (categorised under "online identifiers" per Recital 30)
PII findings carry the relevant GDPR Art. 6 / 9 citations - useful for quickly mapping out which endpoints touch special-category data.
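As an added illustration (not Vulkro's own privacy engine, whose field-name heuristics this page does not describe), a minimal classifier over the field names of a request or response shape that applies the rules listed above: a name field counts only when paired with another identifier, IP address and user agent are grouped as online identifiers, and MRN or biometric fields trigger the Art. 9 citation. The regex patterns and category names are assumptions made for this example.

```python
import re

# Regexes over lowercased field names, one per category reported above.
# Constructed for this illustration; the first match wins, so network
# identifiers are checked before the generic "address" pattern.
CATEGORY_PATTERNS = [
    ("ip_address", r"^ip$|^ip_?addr|client_ip|remote_addr"),
    ("user_agent", r"user_?agent"),
    ("email", r"e_?mail"),
    ("phone", r"phone|mobile|telephone"),
    ("address", r"address|street|postcode|zip"),
    ("dob", r"^dob$|birth"),
    ("ssn", r"^ssn$|social_security"),
    ("tax_id", r"tax_?id|^tin$"),
    ("passport_number", r"passport"),
    ("mrn", r"^mrn$|medical_record"),
    ("biometric_id", r"biometric|fingerprint|face_?id"),
]
NAME_PATTERN = r"(^|_)name$"
SPECIAL_CATEGORY = {"mrn", "biometric_id"}         # Art. 9: health, biometrics
ONLINE_IDENTIFIERS = {"ip_address", "user_agent"}  # Recital 30 grouping


def classify_fields(field_names):
    """Map each personal-data field in a shape to its category.
    A name field is reported only when another identifier is present."""
    found, name_fields = {}, []
    for field in field_names:
        key = field.lower()
        category = next((c for c, p in CATEGORY_PATTERNS if re.search(p, key)), None)
        if category:
            found[field] = category
        elif re.search(NAME_PATTERN, key):
            name_fields.append(field)
    if found:  # "when paired with another identifier"
        for field in name_fields:
            found[field] = "name"
    return found


def gdpr_citations(categories):
    """Return the GDPR references a finding over these categories would cite."""
    categories = set(categories)
    cites = []
    if categories:
        cites.append("Art. 6")      # lawful basis for any personal data
    if categories & SPECIAL_CATEGORY:
        cites.append("Art. 9")      # special-category data
    if categories & ONLINE_IDENTIFIERS:
        cites.append("Recital 30")  # online identifiers
    return cites
```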