Data Protection Impact Assessment template
Last updated: 2026-05-04
Pre-built template for your internal DPIA review.
DPIAs are mandatory under GDPR Article 35 for high-risk processing. This template is the section-by-section structure your Data Protection Officer can attach to the internal DPIA, populated with Mycelium’s processing details. Write to privacy@myceliumai.co for the editable Markdown and DOCX versions.
1. Description of processing
- Nature: typed memory ingestion, deterministic routing, and write-back into a per-tenant vault.
- Scope: per-tenant vault under JWT scope, with bi-temporal lookup over the typed graph.
- Context: B2B SaaS to Fortune 100 enterprises adopting AI agents internally.
- Purpose: give AI agents persistent organizational memory that survives session boundaries, model swaps, and team turnover.
2. Necessity and proportionality
- Lawful basis: Article 6(1)(b) contract with the controller, and Article 6(1)(f) legitimate interests where the customer is the controller.
- Data minimization commitment: only the memory the customer ingests is processed. No profile enrichment from outside sources, no cross-tenant inference, no third-party data brokerage.
- Compatibility of purposes: memory is used only as the customer instructs. No secondary use. No training on customer data without explicit, written, per-tenant opt-in.
3. Risk identification
| Risk | Likelihood | Severity |
|---|---|---|
| Unauthorized access to a tenant's memory | Low (JWT scope + per-tenant vault root + RBAC) | High |
| Audit-log tampering | Very Low (Git history + transaction log + admin replay endpoint) | High |
| Subprocessor disclosure | Low (DPA + 30-day notice + customer veto) | Medium |
| Data subject access request handling | Low (Markdown vault is human-readable) | Medium |
| Cross-border transfer | Low (SCCs Module Two) | Medium |
4. Risk mitigations
Each mitigation maps back to a row in Section 3:
- Technical: JWT scope, HMAC-validated webhooks, RBAC, AES-256 at rest, TLS 1.3 in transit, immutable Git history, per-tenant SSE event stream.
- Operational: incident response within one business hour, access reviews quarterly, backup restore drills quarterly.
- Contractual: DPA, BAA, SCCs Module Two, customer veto on subprocessors with 30-day notice.
5. Residual risk and approval
After applying the mitigations in Section 4, the residual risk on each row in Section 3 is acceptable for the controller’s described processing. This sign-off is the customer’s, not Mycelium’s.
Sign-off
Controller name: ____________________________________________
DPO name: ___________________________________________________
Date: _______________________________________________________
Signature: __________________________________________________
6. Consultation
Record any consultation with your Data Protection Officer, your supervisory authority, or affected data subjects in the rows below.
- DPO consultation: date, names, outcome
- Supervisory authority consultation (if required under Article 36): date, outcome
- Data subject consultation (if applicable): method, sample size, outcome
The editable Markdown and DOCX versions of this template are sent within one business day of a request to privacy@myceliumai.co. Mycelium does not store the customer’s completed DPIA on its infrastructure.
Mycelium · founded 2026