NIS2 and GDPR compliance
VaultPAM is designed as compliance infrastructure for EU organisations subject to NIS2 and GDPR. This article maps VaultPAM capabilities to the specific requirements that apply to privileged access management.
NIS2 Article 21
NIS2 Directive Article 21 requires organisations to implement appropriate and proportionate technical and operational measures to manage risks. The table below maps the specific measures to VaultPAM capabilities.
| NIS2 Article 21 requirement | VaultPAM capability | Where to configure |
|---|---|---|
| Multi-factor authentication for all privileged access | MFA enforcement policy; supports TOTP and hardware keys | Organisation settings > Security > MFA enforcement |
| Logging and monitoring of privileged sessions | Full session recording with audit trail; every action is logged | Admin > Audit log |
| Access control and least privilege | Safe-level access policies; Just-in-Time (JIT) grants; approval workflows | Policy engine > Creating policies |
| Incident response and audit trail | Tamper-evident audit log with CSV export; session recordings as forensic evidence | Admin > Audit log > Export CSV |
| Supply chain security | Connector isolation; each connector has a scoped token; compromised connectors can be revoked | Admin > Connector management |
GDPR privileged access obligations
GDPR imposes obligations on the controllers and processors of personal data. Privileged access to systems holding personal data must be controlled and evidenced.
Article 32 -- Technical and organisational measures
VaultPAM satisfies Art. 32 by providing encryption of credentials at rest (via the OpenBao secrets engine), encrypted session recordings, MFA enforcement, and a complete audit trail of all privileged access events.
Article 5(1)(f) -- Integrity and confidentiality
The integrity and confidentiality principle (Art. 5(1)(f)) requires that personal data be processed in a manner that ensures appropriate security. VaultPAM enforces this at the infrastructure level: credentials are never exposed in plaintext in the UI after checkout, sessions are recorded and auditable, and access policies prevent unauthorised users from reaching protected resources.
Article 30 -- Records of processing activities
VaultPAM's audit log provides a continuous record of who accessed which system, when, and for how long. This log can be exported as CSV and used as evidence in your Art. 30 records of processing activities (ROPA). The audit log is tamper-evident and retained for a configurable period (default: 90 days).
Data residency
For SaaS deployments, all tenant data is stored exclusively in GCP europe-central2 (Warsaw, Poland). Data does not leave the EU. This satisfies the data residency requirements of GDPR and NIS2 for EU-based organisations.
To receive written confirmation (for example, for a Data Transfer Impact Assessment), request a Data Processing Agreement (DPA) from support@vaultpam.com. The DPA specifies the processing region and sub-processors.