DenchClaw and GDPR: Compliance Made Easy

How DenchClaw's local-first architecture helps with GDPR compliance—data residency, right to erasure, consent tracking, data minimization, and processor relationships.

Mark Rachapoom

March 26, 2026·8 min read

GDPR compliance for a SaaS CRM is a multi-layered problem. Your data lives in their cloud. Their sub-processors (cloud storage, analytics, support tools) touch your data. You need a DPA (Data Processing Agreement) with every vendor in the chain. And when a customer asks "delete all my data," you're dependent on the vendor's export and deletion tooling.

DenchClaw's local-first architecture fundamentally simplifies this. Your data lives in DuckDB on your machine. There are no sub-processors touching your customer data by default. When you need to delete a record, you delete a row in a local SQL database.

This doesn't mean GDPR is zero-work with DenchClaw — the regulation applies to how you process personal data, not just where you store it. But the local-first model removes the most complex compliance challenges.

Note: This article provides general guidance for how DenchClaw's architecture relates to GDPR principles. It is not legal advice. Consult a qualified legal professional for compliance advice specific to your situation.

GDPR applies when you process personal data of EU residents. "Processing" includes storing, accessing, using, and deleting personal data — the entire lifecycle.

Key principles:

Lawfulness, fairness, transparency — Have a legal basis for processing
Purpose limitation — Collect data for specified purposes
Data minimization — Only collect what you need
Accuracy — Keep data up to date
Storage limitation — Don't keep data longer than needed
Integrity and confidentiality — Protect data from unauthorized access
Accountability — Demonstrate compliance

A cloud SaaS CRM creates complications at nearly every level: your data is in their jurisdiction, their servers, their cloud provider's servers. With DenchClaw running locally, you control the entire stack.

Data Residency: The Core Advantage#

For EU-based businesses (or businesses with EU customers), data residency is a primary GDPR concern. Personal data processed in the EU should generally stay in the EU.

With DenchClaw running on your EU-based machine or server: all personal data stays in the EU by default. You don't need a vendor DPA for the CRM itself. You're the controller and processor simultaneously.

The outbound traffic that requires attention:

AI model calls: When you query the agent with customer context, that context goes to your configured AI provider (Anthropic, OpenAI). For EU compliance, review the provider's data processing terms and ensure EU data handling commitments are in place. Anthropic and OpenAI both offer commercial agreements with EU data handling provisions.
Telegram/WhatsApp: Personal data in messages may transit through their servers. Avoid sending full customer records through messaging channels; use them for commands and confirmations.

Right to Erasure (Right to Be Forgotten)#

Under GDPR Article 17, data subjects can request deletion of their personal data. DenchClaw makes this operationally straightforward.

Deleting an Individual Record#

"Delete all data for Sarah Chen: remove her people entry, all associated entry fields, her entry document, and any email addresses associated with her from the system. Confirm when complete."

The agent runs the DELETE queries:

-- Delete entry and all associated data
DELETE FROM entry_fields WHERE entry_id = ?;
DELETE FROM documents WHERE entry_id = ?;
DELETE FROM entries WHERE id = ?;

Because the data is local DuckDB, the deletion is complete and immediate. There's no backup retention by a third-party vendor, no CDN cache of the record, no analytics system that retains a copy.

Tracking Erasure Requests#

Add a gdpr_requests object to your DenchClaw workspace:

name: gdpr_requests
fields:
  - name: Data Subject Name
    type: text
  - name: Email
    type: email
  - name: Request Type
    type: enum
    options: [Erasure, Portability, Access, Rectification, Objection]
  - name: Received Date
    type: date
  - name: Response Due Date
    type: date
  - name: Status
    type: enum
    options: [Received, In Progress, Complete, Denied with Reason]
  - name: Notes
    type: richtext

GDPR requires responding to erasure requests within 30 days. The agent alerts you when a response is due:

"Alert me 5 days before any GDPR request Response Due Date if the status is still 'Received' or 'In Progress'."

Handling Backups#

If you back up your DuckDB file (which you should), you need a policy for backup deletion. Options:

Encrypted, time-limited backups: Keep backups for 30 days maximum, then auto-delete. When a deletion request arrives, delete from live database immediately; the backup will expire within 30 days.
Track deletion in a log: Maintain a deleted_subjects log. Backups are not restored without checking this log first; if a backup is restored, immediately re-apply deletions.

Right to Data Portability#

Under GDPR Article 20, data subjects can request their personal data in a portable format.

Exporting an individual's data from DenchClaw:

"Export all data for John Smith: his people entry, all field values, his entry document, and any linked company data. Format as JSON and CSV."

The agent generates:

A JSON file with all field data
A CSV for importing into another system
The markdown document as a text file

Because it's DuckDB, this query runs in milliseconds for any individual record.

If you're storing personal data based on consent (not legitimate interest or contract), you need to track that consent.

Add consent fields to your people object:

fields:
  - name: Marketing Consent
    type: text  # boolean stored as text
  - name: Consent Date
    type: date
  - name: Consent Method
    type: enum
    options: [Form, Email, In Person, Verbal, Other]
  - name: Consent Notes
    type: richtext
  - name: Opt-Out Date
    type: date

When someone opts out, update their record immediately:

"Update Sarah Chen: set Marketing Consent to 'false', Opt-Out Date to today, Consent Notes to 'Unsubscribed via email link March 25'"

Create a view for your marketing outreach that filters to only consented contacts:

- name: Consented for Marketing
  filters:
    - field: Marketing Consent
      operator: equals
      value: "true"
    - field: Opt-Out Date
      operator: is_empty

Data Minimization#

GDPR requires you to collect only data you actually need. DenchClaw's flexible schema makes this easy: you define the fields, so you only create fields for data you have a legitimate purpose for.

Periodic audit:

"Show me all fields defined in my people and company objects. Flag any fields with fewer than 20% of entries filled in — those might be data we're collecting but not using."

The agent queries the field fill rates and lists candidates for removal. Removing unused fields removes unnecessary data collection — good for compliance and good for CRM cleanliness.

Data Processor Relationships#

Under GDPR, if you use DenchClaw on behalf of your own customers (e.g., you're an agency managing a client's CRM data), you're a data processor for your client who is the controller.

In this scenario:

You need a DPA with your client specifying what data you process and how
Your DenchClaw workspace (containing their customer data) must be secured accordingly
Access should be limited to staff who need it for the client's work

The local-first architecture helps here: each client's data can live in a separate DenchClaw profile (or separate DuckDB file), reducing the risk of cross-client data exposure.

Frequently Asked Questions#

DenchClaw's architecture is GDPR-friendly, but compliance depends on how you use it. You need to have a lawful basis for the personal data you store, respond to data subject requests, protect the data appropriately, and understand your processor relationships. The tool doesn't make you compliant automatically — it makes compliance significantly more manageable.

Do I need to register DenchClaw as a data processor with any authority?#

If you're processing personal data of EU residents in the context of a business activity, you likely need to maintain a Record of Processing Activities (ROPA) under GDPR Article 30. DenchClaw would be listed as an internal processing tool. Whether you need to register with a supervisory authority depends on your jurisdiction and the nature of your processing.

What happens to my data if DenchClaw (the company) ceases operations?#

Nothing happens to your data — it's local. The DenchClaw software is MIT licensed and open source. If the company stopped operating, you'd still have a working CRM, all your data, and the full source code. There's no cloud dependency that would take your data down with it.

Ensure the server is in an appropriate jurisdiction (EU for EU data), access is properly secured (see the security guide), and only authorized team members have access. Treat the DuckDB file as you would a sensitive database — encrypted at rest, access-logged, backed up securely.

Ready to try DenchClaw? Install in one command: npx denchclaw. Full setup guide →