Data Protection Impact Assessment (Art. 35)
A DPIA is the structured analysis we run to identify and mitigate risks before they materialise. Because Buronia processes special-category data and uses AI, GDPR Art. 35 explicitly requires one. Below is the public summary; the full 30-page document is available to controllers and supervisory authorities under NDA.
Effective 2026-04-30. Scheduled review every 12 months or on substantial change.
Scope of the assessment
- Wizard-driven collection of identifying, financial, and (for some benefits) health data.
- Buronia draft generation (Anthropic Claude API).
- OCR of uploaded documents.
- Stripe-mediated payment.
- Email-based authentication and notification.
- Cross-country deployment (DE, ES, FI, LT today).
Necessity & proportionality
Each data field collected has a documented purpose tied to a benefit's official application. We do not collect data "in case it's useful later." The wizards are tested against the official forms so the field set matches what the authority will actually ask for.
Risks identified
| Risk | Likelihood | Severity | Mitigation |
|---|---|---|---|
| Disclosure of health data via Buronia prompt | Low | High | Sensitive fields (national ID, IBAN, exact income) are tokenised before being sent to Buronia; tokens are substituted client-side after payment. Anthropic Zero-Data-Retention contract prevents training-data leakage. |
| Account takeover via leaked email | Low | Medium | Magic-link sign-in with single-use tokens; httpOnly session cookies; rate-limited login. |
| Unauthorised database access | Very low | High | Encryption at rest (AES-256-GCM); least-privilege IAM; audit logging on every query touching personal data. |
| OCR misclassification leaking sensitive doc to wrong account | Very low | High | Uploads are namespaced by SHA-256; access requires authenticated user-id match. |
| AI hallucinating a legal claim | Medium | Medium | Drafts shown to user for review before submission; legal disclaimers; human-in-the-loop submission to authority. |
| Sub-processor breach | Low | High | Standard Contractual Clauses (SCCs) plus supplementary measures; sub-processor minimisation; 72-hour breach process. |
| Adverse impact on vulnerable applicants from a denied benefit | Medium | Medium | Refunds for unusable drafts; clear disclaimer that we don't decide eligibility; links to free official help. |
Residual risk
After all mitigations, residual risk is rated low across all categories. The DPO reviews this rating annually or on a substantial change (new benefit category, new sub-processor, new country).
Consultation with supervisory authority
Where the residual risk after mitigations would still be high, Art. 36 obliges us to consult the lead supervisory authority before processing. We have not crossed that threshold for any processing operation to date.
Requesting the full DPIA
Email dpo@buronia.com. Supervisory authorities receive the unredacted document on request without conditions.