NSAuditor AI Enterprise 0.20.0 — GDPR Article 32 Substrate, the Seventh Framework (and Why It Is Not “GDPR Compliance”)

NSAuditor AI Enterprise — seven compliance frameworks: SOC 2, HIPAA, NIST CSF 2.0, PCI DSS, ISO 27001, CIS Controls v8, and GDPR Article 32

NSAuditor AI Enterprise 0.20.0 is now live on npm, paired with Community Edition 0.2.11 and agent-skill 0.2.11. It adds GDPR Article 32 (Security of Processing) as the seventh compliance framework — alongside SOC 2, HIPAA, NIST CSF 2.0, PCI DSS v4.0.1, ISO/IEC 27001:2022, and CIS Controls v8.

The most important sentence in this release is a disclaimer. GDPR is a 99-article legal regime, and Article 32 — security of processing — is the only article whose evidence is technical infrastructure state. Everything else GDPR governs — lawful basis (Art. 6), consent (Art. 7), data-subject access requests (Arts. 12–23), records of processing (Art. 30), DPIAs (Art. 35), international transfers (Arts. 44–49) — is operator-side legal and process discipline, out of scope for an infrastructure scanner by design. So this release ships GDPR Article 32 infrastructure substrate only — not “GDPR compliance.” An infrastructure scanner cannot certify GDPR compliance, and the product does not claim to.

The seventh matrix

EE 0.20.0 maps Article 32 into 4 covered + 5 partial + 2 out-of-scope = 11 Art. 32 sub-measure units. Covered: encryption-at-rest, encryption-in-transit, confidentiality, availability. Partial: integrity, resilience, restore-capability, testing-effectiveness, instruction-bound-processing. The two out-of-scope units are pseudonymisation (a data-model decision with no infrastructure substrate) and the Art. 32(2) risk assessment (an operator-side process — the analog of HIPAA’s §164.308(a)(1)(ii)(A) Risk Analysis). The 11 units are the substrate-evidenceable decomposition of Article 32 alone, not the totality of “appropriate technical and organisational measures” — Article 32 is explicitly “inter alia.”

The disciplines that keep it honest

This framework carries more legal exposure than any prior one, so five disciplines are built into the engine and surfaced in every report. Four-factor proportionality: Article 32 measures are “appropriate to the risk,” weighing state of the art, cost of implementation, the nature and scope of processing, and the risk itself — so nothing is a bare pass/fail, and every finding is framed as substrate for the operator’s own proportionality determination. Personal-data-scope attestation: the scanner cannot know which resources actually hold personal data, so an unencrypted bucket is an Article 32 concern only if it processes personal data — every control carries that caveat and pairs with the operator’s Article 30 records of processing. Controller-vs-processor applicability plus Article 28 processor-agreement framing. The Art. 83(4) lower fine tier: Article 32 infringements sit in the lower enforcement tier — up to €10 million or 2% of worldwide annual turnover — not the €20 million / 4% Art. 83(5) headline tier reserved for the basic principles and data-subject rights; no surface overstates fine exposure. And Art. 32(3) / Art. 42 certification-inheritance: a cloud provider’s ISO 27001 / SOC 2 / C5 adherence is surfaced as a demonstrable-compliance element for provider-controlled substrate, never a substitute for the operator’s own measures.

A mapping-layer cycle

The six existing matrices are unchanged, the plugin count is unchanged at 28, and the regression suite holds. This release teaches the existing engine to route existing plugin findings to a new framework — not a new detection surface. The cycle also closed two pre-existing fleet-wide false-cleans behind a new self-defending guard: an S3 object-ACL evidence-gap that was unrouted across five frameworks, and an account-wide Azure-storage evidence-gap that was unrouted across seven.
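To make the two ideas above concrete (the 11-unit decomposition of Article 32 with its covered / partial / out-of-scope split, and a routing layer whose guard refuses to let an unrouted plugin finding silently read as clean), here is an added, self-contained Python model. It is not NSAuditor's code or data model: the unit slugs, finding types, routing table, framework key and sample resources are all constructed assumptions; only the unit list, the coverage split, the four proportionality factors and the Art. 83(4) fine tier come from the release text.

```python
"""Illustrative framework-routing layer: plugin findings -> GDPR Art. 32 units,
with an unrouted-finding guard. Constructed example; finding types, slugs and
the routing table are assumptions, not NSAuditor's own code or data model."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Coverage(Enum):
    COVERED = "covered"
    PARTIAL = "partial"
    OUT_OF_SCOPE = "out-of-scope"


# The 11 Art. 32 sub-measure units as the release describes them (slugs assumed).
ART32_UNITS = {
    "encryption-at-rest": Coverage.COVERED,
    "encryption-in-transit": Coverage.COVERED,
    "confidentiality": Coverage.COVERED,
    "availability": Coverage.COVERED,
    "integrity": Coverage.PARTIAL,
    "resilience": Coverage.PARTIAL,
    "restore-capability": Coverage.PARTIAL,
    "testing-effectiveness": Coverage.PARTIAL,
    "instruction-bound-processing": Coverage.PARTIAL,
    "pseudonymisation": Coverage.OUT_OF_SCOPE,
    "risk-assessment-art32-2": Coverage.OUT_OF_SCOPE,
}

# Framing every Art. 32 report item carries, regardless of resource.
FRAMING = {
    "proportionality": "Art. 32(1): appropriate to the risk; weigh state of the art, "
                       "cost of implementation, nature/scope of processing, and the risk",
    "fine_tier": "Art. 83(4): up to EUR 10 million or 2% of worldwide annual turnover",
}

# Hypothetical routing table: finding type -> {framework: unit}. An empty dict
# means the finding type reaches no framework; that is the false-clean the guard catches.
ROUTES = {
    "s3-bucket-unencrypted": {"gdpr-art32": "encryption-at-rest"},
    "rds-automated-backup-disabled": {"gdpr-art32": "restore-capability"},
    "s3-object-acl-evidence-gap": {},
}


@dataclass(frozen=True)
class Finding:
    finding_type: str
    resource: str
    holds_personal_data: Optional[bool]  # operator's Art. 30 attestation; None = not attested


@dataclass
class ReportItem:
    framework: str
    unit: str
    coverage: str
    resource: str
    caveats: list = field(default_factory=list)


def validate_routes(routes=ROUTES, units=ART32_UNITS):
    """Refuse a routing table that targets an unknown or out-of-scope unit."""
    for ftype, targets in routes.items():
        unit = targets.get("gdpr-art32")
        if unit is None:
            continue
        if unit not in units:
            raise ValueError(f"{ftype}: unknown Art. 32 unit {unit!r}")
        if units[unit] is Coverage.OUT_OF_SCOPE:
            raise ValueError(f"{ftype}: {unit!r} has no infrastructure substrate")


def unrouted_finding_types(findings, routes=ROUTES):
    """Guard: finding types that reach no framework would otherwise vanish as 'clean'."""
    return sorted({f.finding_type for f in findings if not routes.get(f.finding_type)})


def route_art32(finding, routes=ROUTES, units=ART32_UNITS):
    """Route one finding to its Art. 32 unit and attach scope/proportionality caveats."""
    unit = routes.get(finding.finding_type, {}).get("gdpr-art32")
    if unit is None:
        return None
    caveats = [FRAMING["proportionality"], FRAMING["fine_tier"]]
    if finding.holds_personal_data is None:
        caveats.append("personal-data scope unattested: Art. 32 applies only if this "
                       "resource processes personal data; confirm against Art. 30 records")
    elif finding.holds_personal_data is False:
        caveats.append("attested no personal data: not an Art. 32 concern on its own")
    if units[unit] is Coverage.PARTIAL:
        caveats.append("partial substrate: operator evidence is required to complete this unit")
    return ReportItem("gdpr-art32", unit, units[unit].value, finding.resource, caveats)


def build_report(findings):
    """Validate the routing table, route every finding, and surface unrouted types."""
    validate_routes()
    gaps = unrouted_finding_types(findings)
    items = [i for i in (route_art32(f) for f in findings) if i is not None]
    return {"items": items, "unrouted": gaps}


# Constructed sample findings (resource names are placeholders).
SAMPLE = [
    Finding("s3-bucket-unencrypted", "s3://example-bucket-a", True),
    Finding("rds-automated-backup-disabled", "rds:example-db", None),
    Finding("s3-object-acl-evidence-gap", "s3://example-bucket-b", True),
]

if __name__ == "__main__":
    report = build_report(SAMPLE)
    for item in report["items"]:
        print(item.unit, item.coverage, item.resource, len(item.caveats))
    print("unrouted:", report["unrouted"])
```

The design point is the guard: `build_report` reports the object-ACL evidence gap as unrouted rather than dropping it, which is the failure mode the release describes as a fleet-wide false-clean. The `validate_routes` check also enforces the page's scoping rule in code, so nobody can later wire a plugin finding to pseudonymisation or the Art. 32(2) risk assessment, the two units the page says have no infrastructure substrate.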

The posture that runs through the whole release: the most dangerous thing a compliance tool can do is overclaim, and a “GDPR compliant” verdict from an infrastructure scanner would be exactly that. EE 0.20.0 speaks only to the one GDPR article that is technical infrastructure state, names its proportionality and personal-data-scope limits in every report, pins the correct lower fine tier, and hands the operator scope-careful substrate to take into their own Article 32 determination — nothing more, and nothing overstated.

NSAuditor AI Enterprise covers AWS, Azure, and GCP across seven compliance frameworks with a Zero Data Exfiltration architecture — no scan data, credentials, or regulated data ever leave the operator’s infrastructure. Learn more at the GDPR Article 32 documentation and the Enterprise page.