# Privacy and GDPR
Relevant controls: PD.01.14, PD.01.15, PD.01.17, PD.01.18
## 1. Personal Data Processed
Personal data is any information relating to an identified or identifiable natural person. The AI connectors platform processes personal data in two ways: (1) passing through Microsoft Graph API response data in-memory to the calling AI assistant, and (2) recording user identity in audit logs.
| MCP | Personal data types | Purpose | Legal basis |
|---|---|---|---|
| SharePoint MCP | User display names, email addresses (file metadata, permissions lists) | Enable search and retrieval of SharePoint documents and sites on behalf of the authenticated user | Legitimate interests (employee productivity tooling within NN) |
| Outlook MCP | Email addresses, message subjects and bodies, calendar events (titles, attendee lists, locations) | Enable email and calendar access on behalf of the authenticated user | Legitimate interests (employee productivity tooling within NN) |
| Teams MCP | User display names, message content (channel and chat messages), channel membership, meeting metadata | Enable Teams search and retrieval on behalf of the authenticated user | Legitimate interests (employee productivity tooling within NN) |
| Databricks MCP | Query results may contain personal data depending on the dataset queried | Enable Databricks workspace access on behalf of the authenticated user | Legitimate interests (data analysis tooling within NN) |
| All MCPs (audit logs) | Azure AD object ID (user_oid), user principal name / email address (user_upn), tool call parameters (which may include names or email addresses as search terms) | Security audit trail — tracing tool usage to individuals for accountability and incident investigation | Legitimate interests (security monitoring and accountability) |
Key distinction: Graph API response content (email bodies, document text, Teams messages) is processed in-memory only and never persisted by the platform. Only the audit metadata (who called what tool, with what parameters, with what outcome) is retained.
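The pass-through/audit split described above, as an added example (not the platform's own code): the Graph response is handed back to the caller, while only identity, tool name, parameters and outcome go into a record that carries a 365-day expiry. The field names `user_oid` and `user_upn` come from this page; the function names, the constructed Graph stand-in, the sample identities and the list of content keys are assumptions.

```python
"""Audit record builder for an MCP tool call (added example, not the platform's code).

Field names user_oid and user_upn are taken from the page; everything else
(function names, content-key list, sample identities, the fake Graph call) is assumed.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

AUDIT_RETENTION_DAYS = 365  # audit log retention period stated in the page

# Keys that carry Graph API response content; they must never reach a persisted record.
# Assumed list for this example, not an exhaustive Graph schema.
CONTENT_KEYS = frozenset({"body", "bodyPreview", "content", "attachments", "messages", "value"})


@dataclass(frozen=True)
class AuditRecord:
    timestamp: str
    user_oid: str       # Azure AD object ID (from the page)
    user_upn: str       # user principal name / email (from the page)
    mcp: str
    tool: str
    parameters: dict    # tool call parameters; may contain names or addresses as search terms
    outcome: str
    expires_at: str     # timestamp + retention period, for storage-limitation enforcement


def build_audit_record(user_oid, user_upn, mcp, tool, parameters, outcome, now=None):
    """Create the metadata-only record. Note there is deliberately no response field."""
    now = now or datetime.now(timezone.utc)
    return AuditRecord(
        timestamp=now.isoformat(),
        user_oid=user_oid, user_upn=user_upn, mcp=mcp, tool=tool,
        parameters=dict(parameters), outcome=outcome,
        expires_at=(now + timedelta(days=AUDIT_RETENTION_DAYS)).isoformat(),
    )


def handle_tool_call(user_oid, user_upn, mcp, tool, parameters, graph_call):
    """Run the Graph call and return (response_for_client, audit_record).

    The response is passed through in memory to the caller; only the record is
    meant to be written to the audit store. Failures are recorded as an outcome
    without the exception message, which could itself carry content.
    """
    try:
        response = graph_call(parameters)
        outcome = "success"
    except Exception as exc:  # noqa: BLE001 - outcome classification only
        response = None
        outcome = f"error:{type(exc).__name__}"
    record = build_audit_record(user_oid, user_upn, mcp, tool, parameters, outcome)
    return response, record


def _keys(obj):
    """Yield every key in a nested dict/list structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield k
            yield from _keys(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _keys(v)


def persisted_fields_are_metadata_only(record):
    """True if no Graph content key appears anywhere in the record (including parameters)."""
    return not (set(_keys(asdict(record))) & CONTENT_KEYS)


def retention_days(record):
    """Days between the record's timestamp and its expiry."""
    start = datetime.fromisoformat(record.timestamp)
    end = datetime.fromisoformat(record.expires_at)
    return (end - start).days


def _fake_graph_search(params):
    # Constructed stand-in for a Graph API call; returns message content that must not be logged.
    return {"value": [{"subject": "Q3 plan", "from": "bob@example.com", "body": "confidential text"}]}


def _failing_graph_call(params):
    # Constructed stand-in for a Graph call rejected by the API.
    raise PermissionError("insufficient scope")


def demo():
    """Constructed sample call: identities and parameters are placeholders."""
    return handle_tool_call(
        user_oid="00000000-0000-0000-0000-000000000001",
        user_upn="alice@example.com",
        mcp="Outlook MCP",
        tool="search_messages",
        parameters={"query": "Q3 plan", "from": "bob@example.com"},
        graph_call=_fake_graph_search,
    )


if __name__ == "__main__":
    response, record = demo()
    print("returned to client:", response)
    print("persisted record:", asdict(record))
    print("metadata only:", persisted_fields_are_metadata_only(record))
```

The parameter dict is still personal data (a search term can be an email address), which is why the record, not just the response, is the object the retention period and the RoPA entry have to cover.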
## 2. Data Retention and Deletion
Retention periods and deletion mechanisms for all data types are defined in data-storage-encryption.md and logging-monitoring.md.
Individual erasure (GDPR Art. 17): Because Graph API response data is never persisted, there is no platform-side content to erase on a data subject request. Audit log records contain user identity and are retained for 365 days for security purposes; erasure of audit records is not feasible without compromising the integrity of the security audit trail. This should be documented in the platform's Record of Processing Activities (RoPA).
Account offboarding: When a Novo Nordisk employee is offboarded, their Azure AD account is disabled centrally by NN IT. This immediately invalidates all active tokens, including any cached OBO tokens in DynamoDB (which also expire naturally within ~1 hour). No platform-level action is required.
## 3. Data Protection Appendix (DPA)
| Processor | DPA in place? | Reference | Notes |
|---|---|---|---|
| Amazon Web Services | Yes | AWS Data Processing Addendum (part of AWS Customer Agreement) | Covers all AWS services used in eu-central-1; NN is data controller; AWS is data processor |
| Microsoft (Azure AD + Graph API) | Yes | Microsoft Product Terms / Data Protection Addendum (DPA) | Covers Azure AD identity services and Microsoft 365 Graph API; NN is data controller |
| Snyk | Yes | Snyk Data Processing Agreement | Code snippets sent to Snyk EU API for SAST/SCA; minimal personal data exposure |
## 4. Cross-Border Data Transfers
| Transfer | Destination | Within EU/EEA? | Legal basis / Safeguards |
|---|---|---|---|
| Platform data (audit logs, token cache, secrets) → AWS | eu-central-1 (Frankfurt, Germany) | Yes | EU region; no transfer outside EEA |
| User authentication → Azure AD token endpoint | Microsoft EU region (Azure AD EU tenant) | Yes | NN's Azure AD tenant is hosted in the EU; Microsoft EU data boundary |
| Graph API calls (email, calendar, SharePoint, Teams content) → Microsoft Graph | Microsoft EU region | Yes | NN's Microsoft 365 tenant data is stored and processed in the EU |
| Source code (PR snippets) → Snyk | Snyk EU API (api.eu.snyk.io) | Yes | Snyk EU infrastructure; DPA includes SCCs as fallback |
| Databricks workspace data → Azure Databricks | Azure region of the specific workspace | Depends on workspace region | NN IT controls Databricks workspace data residency |
No personal data is transferred to non-EU/EEA countries without an appropriate legal basis. All critical suppliers maintain EU-region infrastructure for NN data.
## 5. Data Breach Response
Follow the incident response procedure in incident-response.md for detection, evidence preservation, containment, escalation, and GDPR notification steps.
## 6. Privacy by Design
Privacy by design is implemented through the platform's architecture. The relevant controls are covered in their respective documents:
- Data minimisation, storage limitation, purpose limitation — audit log design in logging-monitoring.md
- User-scoped access (OBO flow), minimum API scopes — access-management.md and architecture-data-flow.md
- Sensitivity-based content filtering — data-storage-encryption.md
- Encryption and access control — data-storage-encryption.md and access-management.md
- No third-party AI training — the platform returns Graph API data to the calling AI client only; no data is independently forwarded to any AI provider