Data Privacy
Agile Lab values the privacy of your data and understands its importance to your organization and your customers. Witboost is architected to help you comply with privacy laws and meet regulatory requirements.
Privacy by Design
Witboost follows GDPR Article 25 — Data Protection by Design and by Default:
- Privacy impact assessments are conducted during product development
- Data minimisation is a core architectural principle
- The platform processes only the minimum metadata necessary for governance operations
- Privacy controls are enabled by default, not as optional add-ons
Control-Plane Architecture = Privacy by Architecture
Witboost's most powerful privacy feature is its architecture:
| What Witboost Handles | What Witboost Does NOT Handle |
|---|---|
| Data product descriptors | Customer's actual data content |
| Schema definitions | Personally identifiable information (PII) |
| Governance policies | Transaction or business data |
| Deployment templates | Data lake / warehouse content |
| Lineage metadata | Files, documents, or media |
| Access control rules | Analytics or reporting data |
Result: Even with full platform access, it is architecturally impossible to access customer data content through Witboost.
No Personal Data Processing
In a standard deployment:
- Witboost does not process personal data belonging to the customer's end users
- The only personal data Witboost handles is platform user identities (usernames, email addresses) sourced from the customer's identity provider
- Personal data retention for platform users is managed by the customer through their IdP
Data Subject Rights
Since personal data remains within customer systems:
- Data subject requests (access, rectification, erasure, portability) are primarily handled by the customer through their own data infrastructure
- Witboost can assist by providing audit logs showing who accessed which metadata
- Platform user data (account information) can be deleted upon request through the customer's IdP
Data Protection Impact Assessment (DPIA)
Agile Lab supports customers in conducting DPIAs by providing:
- Architecture documentation detailing data flows
- Security control descriptions
- Sub-processor information
- Technical and organisational measures documentation
Automated Decision-Making
Witboost does not perform automated decision-making or profiling of individuals as defined under GDPR Article 22. The platform's governance engine applies policy rules to metadata (data product descriptions, schemas, deployment configurations) — never to personal data of data subjects.
When AI features (Witty) are enabled, they provide suggestions only — every AI output requires explicit human review and approval before taking effect.
Cross-Border Data Transfers
In a standard on-premises deployment:
- No customer data is transmitted outside the customer environment
- No metadata, identifiers, or any other data is transmitted to Agile Lab or any external service
- Agile Lab can contractually commit that no data transfers to third countries take place as part of Witboost platform operation
If the optional AI copilot is enabled, LLM calls are routed to the customer's own AI service subscription within the customer's chosen cloud region.