Tier A · fully supported end-to-end
GDPR-aligned document retention and access control
Data-minimization-friendly retention, documented lifecycle, and an audit trail you can show the regulator.
GDPR asks for documented procedures, retention that respects the data-minimization principle, controlled access to documented information, and the ability to demonstrate your document lifecycle to a supervisory authority. docs365.ai is built to support those controls end-to-end on Microsoft 365, and it keeps all data inside your tenant — not inside a second processor’s database that would need to be added to your records of processing activities.
What GDPR actually asks from document management
GDPR isn’t primarily a document-management regulation, but it has specific implications for how organizations handle their internal documented information — especially documents that contain personal data or describe how personal data is processed. The relevant expectations:
Article 5 principles apply to all personal data, including personal data contained in internal documents. In particular:
- Accuracy (5(1)(d)) — documents that reference individuals need to be kept current.
- Storage limitation (5(1)(e)) — data-minimization, meaning documents shouldn’t be retained beyond the period necessary.
- Integrity and confidentiality (5(1)(f)) — documents must be protected against unauthorized access or alteration.
- Accountability (5(2)) — the controller must be able to demonstrate compliance, which means documented processes and evidence.
Article 30 requires a Record of Processing Activities, which is itself documented information that benefits from the same governance the product provides.
Article 32 (security of processing) expects technical and organizational measures to be documented and reviewed — in practice, a library of policies and procedures that needs version control, approval, and audit.
Articles 33–34 (breach notification) require documented incident-response procedures that are reviewed on a cadence.
So the document-management touch-points are: a controlled library of governance documents, a retention discipline that doesn’t default to “keep everything forever”, clear access controls, and a provable audit trail.
How this product supports GDPR document management
Documented lifecycle. Every policy, procedure, record-of-processing document, DPIA, and breach-response runbook goes through controlled creation, approval, and publication, and is reviewed on a defined cadence. The audit log produces the evidence that Article 5(2) accountability asks for.
Intentional retention. Expiration is a first-class metadata field on every document. As expiration approaches, the document’s owner receives an automatic email to review the document and either re-certify, update, or retire it. This is the opposite of passive retention — it’s an active review mechanism, which is what data-minimization under Article 5(1)(e) actually requires for documents that describe personal-data processing.
Archive, not silent retention. Superseded documents move into archive rather than staying indefinitely visible or disappearing silently. The controller can produce the exact state of a policy on any historical date — useful for answering supervisory-authority questions like “what was your approach to subject access requests as of June 2025?”
Controlled access. SharePoint permissions apply per document and per library. The editing area and the public area have separate permission scopes, so documents that contain personal data can be given a tighter access scope than general procedures. All access is governed by the customer’s existing Entra (Azure AD) identity infrastructure.
Full audit trail. Every modification, every approval, every publication event is logged against a named user. This is the kind of evidence a DPO can produce when an internal question arises about how a specific policy was updated.
Why “inside your tenant” shrinks your DPO workload
Every new processor you add to your stack triggers work for your Data Protection Officer: a contract review (Article 28), an entry in the Record of Processing Activities, a sub-processor notification to affected data subjects if customer data is involved, a DPIA if the processing qualifies.
docs365.ai runs inside the customer’s Microsoft 365 tenant. Microsoft is already in your RoPA as the infrastructure processor for Microsoft 365. The product doesn’t add a new data-processing location. The product doesn’t create a new sub-processor relationship. It runs against your existing Azure AD, your existing SharePoint, your existing audit infrastructure.
For organizations with EU operations, this is the substantive data-protection argument for choosing a Microsoft-365-native DMS over a third-party platform that duplicates a data boundary.
How this dovetails with Microsoft Purview
Microsoft 365 ships with Purview, which offers its own retention labels, records management, and data-classification capabilities at the tenant level. Purview handles organization-wide retention across email, OneDrive, SharePoint, and Teams — broad-brush rules applied through labels and policies.
docs365.ai operates at a finer grain, inside the Document Management libraries specifically, with governance tied to the document’s own lifecycle (created → approved → published → reviewed → archived) rather than to a tenant-wide label.
The two are complementary. Purview retention policies still apply to the underlying SharePoint storage. The product’s expiration-reminder and archive logic operate on top, aligned with how compliance-relevant documents need to be actively reviewed rather than passively retained. A customer using both gets a tenant-wide compliance baseline from Purview and document-lifecycle control from the product.
What this looks like in practice — a DPO’s perspective
A DPO preparing for a biennial data-protection review wants to produce, for the supervisory authority:
- The current data-protection policy, with approval history showing who signed it off.
- The current breach-response runbook, with its last review date and owner.
- The DPIA for each high-risk processing activity, with version history showing how the risk assessment evolved.
- Evidence that these documents are reviewed on a defined cadence.
With docs365.ai:
- The public area of the data-protection library shows the current version of each document, with publication date.
- The audit log on each document shows who approved, when, in what role.
- The Power BI dashboard shows review-cadence adherence: which documents are within their review window, which are due for review in the next 30/60/90 days, and which are overdue.
- Archived versions are retrievable to show how policies evolved over time.
What is otherwise a multi-week evidence-gathering exercise becomes a morning of exports and screenshots.
What the customer owns under GDPR
The product is a document-governance tool that supports GDPR-relevant activities. It is not a substitute for a DPO, a privacy program, a privacy-by-design practice, or the controller’s core obligations under GDPR. The controller owns:
- Lawful-basis decisions and records.
- Data-subject-rights response procedures.
- Cross-border transfer mechanisms.
- Processor-contract negotiation.
- Breach determination and notification.
What the product does is give the DPO a reliable, audited, current library of the documented information those obligations produce — policies, procedures, DPIAs, Records of Processing Activities.
FAQ
Does the product process personal data? The product is a document-management tool. If the documents it manages contain personal data, that data sits inside SharePoint Online in the customer’s Microsoft 365 tenant — under Microsoft’s GDPR-compliant infrastructure, with the customer as controller and Microsoft as processor. intranet.ai, as the vendor, does not access or process documents; we provide the software. For customers who need a formal DPA, one is available.
Is the product itself GDPR compliant? GDPR doesn’t apply to software products in the abstract — it applies to the processing of personal data. The software product is built to enable customers to meet their GDPR-relevant document-management obligations.
What about AGID archiviazione sostitutiva? AGID regulations are specific to the Italian public sector. The product does not currently have AGID-compliant substitutive archiving. Customers subject to AGID typically maintain a separate archival process for the documents that fall under those rules. This is an out-of-scope regulation for the English-first version of the site.
Can I use this for Records of Processing Activities (Article 30)? Yes — many customers do. The RoPA itself is documented information that benefits from versioning, approval, and periodic review.
Does the product help with data-subject-rights requests? Indirectly. The library’s search and metadata help locate relevant policy and procedure documents. The data-subject-rights process itself is outside the product’s scope.
Ready to align your data-protection library?
Book a free assessment — 30 minutes, no cost. We’ll walk through your current data-protection library (policies, DPIAs, RoPAs, response procedures) and identify where this product would change the shape of your evidence.
Related pages
- ISO 27001 document control → information-security counterpart.
- ISO 9001 document control → quality-management counterpart.
- Governance stage → audit, versioning, expiration, archive.
- Expiration reminders → the review-cadence mechanism.
Ready to align your GDPR documentation?
Thirty minutes. No cost. No obligation. We'll walk through your current library and identify where this product would change the evidence shape.