EU GDPR Baseline
This document captures a high-level privacy and data protection baseline for
This document captures a high-level privacy and data protection baseline for future Prox Cloud operations in EU contexts.
It is product and operations guidance, not a formal legal determination. Prox OS must not claim full GDPR compliance, certification, or enterprise privacy automation until the legal, operational, vendor, and technical controls actually exist.
Privacy-by-design Principles
Prox OS treats GDPR as a source of product principles rather than as a scary launch blocker. The useful product language is:
Own your data. Export your data. Delete your data. Audit your agents. Move your apps.| Principle | Product meaning | v0.1 baseline | Later maturity |
|---|---|---|---|
| Data minimization | Do not collect data only because it may be useful later. | Collect minimal waitlist, preview, and shell-local data. | Data maps, retention schedules, and per-surface collection reviews. |
| User agency | Users should understand what a Space, app, connector, or agent can access. | Keep sensitive features mock-first and permission-labeled. | Permission Center, consent history, revocation, and granular scopes. |
| Exportability | User-owned data should not be trapped inside Prox OS. | Document export/delete intent before hosted accounts scale. | Self-serve export, account deletion, and app data portability workflows. |
| Auditability | Agent and connector actions should become reviewable events. | No real autonomous execution in v0.1. | Audit logs, run history, policy checks, and manual approval traces. |
| Regional clarity | EU users should see clear hosting, processor, and transfer posture. | Do not overstate data residency. | EU region options, DPA, SCC review, and subprocessor list. |
European Data Sovereignty Narrative
Prox OS should connect the European data-sovereignty story to visible product behavior:
- private-by-default workspaces before public UGC scale;
- explicit Spaces, apps, connectors, and agent scopes;
- import/export and move-your-apps direction;
- audit logs for future AI agent actions;
- manual confirmation and revocation for sensitive operations;
- clear vendor and analytics posture before broad beta or paid rollout.
This is not the same as claiming that Prox OS is already a certified compliance product. The correct posture is "privacy-by-design from day one, compliance automation later."
Agent Permissions And Auditability
AI agents make privacy posture product-critical. Future agents must operate with visible scopes and bounded authority.
| Control | Why it matters | Current posture | Future requirement |
|---|---|---|---|
| Permission scopes | Agents should not inherit ambient access to every app or source. | Docs and UI prototypes only. | App, connector, data, and action scopes. |
| Least privilege | Each run should use the narrowest viable data and tool set. | No real agent execution in v0.1. | Scope review before execution. |
| Manual confirmation | Sensitive actions need human approval. | Execute actions stay disabled/mock. | Confirmation preview, risk summary, and undo/rollback where possible. |
| Cost limits | AI actions should not silently create uncontrolled spend. | Pricing docs mark AI cost limits as future. | Budgets, provider limits, and run caps. |
| Revocation | Users need to remove app, connector, or agent access. | Permission Center is a prototype. | Revocation, credential rotation, and app uninstall cleanup. |
| Audit logs | Users should see what agents read, wrote, or attempted. | Activity/Audit surfaces are mock-first. | Tamper-resistant operational history and exportable records. |
v0.1 Privacy Baseline
| Area | Baseline |
|---|---|
| Public preview | Use public demo and waitlist language without promising hosted data guarantees that do not exist. |
| Invite-only beta | Keep early access scoped, intentional, and privacy-aware rather than opening broad global signup. |
| Waitlist | Collect only email, role/intent, and optional message fields that are useful for early user selection. |
| Analytics | Use a privacy-conscious analytics posture if analytics is enabled. Do not assume PostHog, Sentry, Cloudflare Analytics, or similar tools are present without checking implementation and configuration. |
| Object storage | Keep hosted private data private by default when storage exists. |
| Admin access | Minimize admin access and avoid storing sensitive preview data unnecessarily. |
| Cookies | Prefer minimal cookies and document consent posture before broad public acquisition. |
| Privacy requests | Define a contact channel and manual export/delete workflow before hosted accounts scale. |
Future Compliance Automation
Future compliance work may include:
- Data Processing Agreement inputs;
- processor and subprocessor list;
- Standard Contractual Clauses review where relevant;
- EU region and data-residency options;
- cookie consent and analytics preference flow;
- data retention policy;
- privacy request workflow;
- breach response runbook;
- app/connector permission history;
- agent run audit export;
- creator and marketplace data responsibility boundaries.
What Prox OS Does Not Claim Yet
Prox OS should not claim:
- full GDPR compliance;
- SOC 2, ISO, or enterprise compliance readiness;
- automated privacy request fulfillment;
- guaranteed EU-only processing;
- complete subprocessor coverage;
- production-grade agent audit enforcement;
- real marketplace payout compliance;
- universal data portability across third-party apps.
Those may become future capabilities after the product surface, hosted architecture, vendors, legal entity, and operational processes are concrete.
Global Product Boundaries
Prox OS is a global product. Regional language support, hosted infrastructure, public community features, and local platform availability are separate concerns.
EU DSA Baseline
The EU Digital Services Act matters if Prox OS hosts public user content. Early private workspaces are a different posture from public profiles, public Spaces,