GDPR Overview

This document defines the responsibility boundary between Minyu and its customers under the General Data Protection Regulation (GDPR).

Minyu operates strictly as a data processor. The customer organization operates as the data controller and determines:
- What personal data is collected
- Why it is collected
- How it is processed
- When it must be deleted

Minyu executes only the technical processing defined by the controller.

What Minyu Supports

Minyu provides technical capabilities that can be used to satisfy GDPR requirements, including:
- Configurable data models for data minimization
- Controlled read and write access
- Structured data export for data portability
- Structured data deletion and anonymization
- Full audit logging of data mutations
- Full access logging for personal data visibility

These tools are inert until explicitly configured by the controller.

What Minyu Does Not Provide

Minyu does not provide:
- Consent collection or consent lifecycle management
- Legal decision-making on data lawfulness
- Automatic erasure based on legal time limits
- Automated responses to data subject requests

These responsibilities remain entirely with the data controller.

Shared Responsibility Model

| Area | Controller | Minyu |
|---|---|---|
| Legal basis for processing | ✅ | ❌ |
| Consent handling | ✅ | ❌ |
| Data model definition | ✅ | ✅ |
| Access control configuration | ✅ | ✅ |
| Data export tooling | ❌ | ✅ |
| Data deletion tooling | ❌ | ✅ |
| Audit trail generation | ❌ | ✅ |

Minyu supplies mechanisms. The controller decides how and when they are used.