Data Protection Impact Assessment Guide for Clients
Version: 1.0
Last updated: 12 September 2025
1. Purpose of this document
This document is provided to help Convier clients and their GDPR, legal, and compliance teams perform their own Data Protection Impact Assessment (DPIA) when using the Convier platform.
Convier itself does not act as a data controller or processor for client data when the platform is deployed in the client’s own infrastructure. Clients remain responsible for performing a DPIA under GDPR Article 35. This guide outlines the types of data that may be processed, the risks involved, and the safeguards built into Convier to support privacy by design.
2. Scope
The Convier platform is an analytics and investigation tool used by financial institutions and regulated entities to comply with Anti-Money Laundering (AML) requirements.
- Deployment model: The platform is installed in the client’s private cloud or on-premise infrastructure.
- Storage: Convier (the platform) does not permanently store customer data. All data remains in the client’s own data stores.
- Responsibility: Clients act as controllers (and in some cases processors) of the personal data they load into Convier.
3. Categories of personal data that may be processed
The types of personal data processed in Convier depend entirely on client configuration and data sources. Typical examples include:
- Customer data: name, date of birth, national ID number, address, citizenship, KYC data, related parties, beneficial ownership information.
- Transaction data: account numbers, transaction descriptions, amounts, currencies, counterparties, timestamps.
- Alert/case data: case IDs, flagged activities, scenario details.
- User data: usernames, IP addresses, log-in timestamps, activity logs (for auditability).
Clients decide which categories of personal data to process in Convier and remain responsible for ensuring that processing is lawful under GDPR. In practice, the processing carried out in Convier typically mirrors and supports the workflows clients already use for KYC and AML compliance (e.g., customer due diligence, transaction monitoring, and alert investigation).
4. Processing activities supported by Convier
The platform enables clients to:
- Retrieve and contextualize customer and transaction data for flagged alerts.
- Automate parts of the AML investigation workflow.
- Document case handling and export Suspicious Activity Reports (SARs).
- Maintain audit trails of user activity.
- Configure analytics and monitoring patterns.
5. Risks identified
The main risks in relation to personal data processing when using Convier are:
- Unauthorized access to customer or transaction data (if access controls are not properly configured by the client).
- Excessive or unnecessary data ingestion, if the client configures Convier to retrieve more data than required.
- Retention risks, if reports or audit logs are kept longer than necessary, or if they are not properly stored in line with the client’s security and compliance requirements.
- Human error during investigation, leading to incorrect or disproportionate processing.
- Unauthorized or inappropriate access (“peeking”) – Users may attempt to look up customer information that is not relevant to an active investigation or due diligence case, driven by curiosity rather than compliance obligations.
6. Safeguards and privacy by design features
Convier is built to minimize risks through privacy by design and by default:
- No storage of client data – The platform does not retain customer data itself. All data is stored only in the client’s existing data stores, ensuring reuse of the client’s own storage policies and retention/deletion procedures.
- Client-controlled deployment – Runs entirely in the client’s infrastructure (private cloud or on-premise).
- Authentication via client systems – Convier integrates with the client’s existing identity and access management (e.g. Microsoft Active Directory, Entra ID, Keycloak). This ensures enforcement of the client’s access policies, password rules, and multi-factor authentication.
- Encryption – Supports AES-256 at rest and TLS 1.2+ in transit, aligned with industry standards.
- Audit logging and accountability – All user activity in Convier is logged, including searches, views, and actions. Logs can be reviewed by the client to detect inappropriate access attempts.
- Role-based access controls (RBAC) – Access to specific datasets and functions can be restricted to ensure users only see data necessary for their role.
- Data minimization – Only the data configured by the client for AML analysis is processed.
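As an added illustration of the audit-log review described under "Audit logging and accountability" (this is example code written for this guide, not part of the Convier platform, and the log format, field names and case table below are constructed assumptions; the guide does not specify Convier's real audit schema), the following Python script reads a JSON-lines audit export and flags customer views or searches that are not tied to an open case assigned to the acting user, which is the "peeking" pattern listed under risks:

```python
"""Flag 'peeking' in an audit log: customer lookups with no matching open case.

Assumptions (hypothetical, not Convier's real schema): the audit export is
JSON lines with fields ts, user, action, customer, case; open cases are
available as a list with case_id, assignee and the customers in scope.
"""
import json

# Constructed sample of open cases: who is assigned, and which customers
# each case legitimately covers.
ACTIVE_CASES = [
    {"case_id": "C-1001", "assignee": "alice", "customers": {"CUST-42", "CUST-77"}},
    {"case_id": "C-1002", "assignee": "bob", "customers": {"CUST-13"}},
]

# Constructed audit events. Only view/search events that name a customer are
# candidates for the peeking check; logins and other events are skipped.
SAMPLE_LOG = """\
{"ts": "2025-09-12T09:01:10Z", "user": "alice", "action": "view", "customer": "CUST-42", "case": "C-1001"}
{"ts": "2025-09-12T09:05:44Z", "user": "alice", "action": "view", "customer": "CUST-77", "case": "C-1001"}
{"ts": "2025-09-12T09:07:02Z", "user": "bob", "action": "view", "customer": "CUST-42", "case": null}
{"ts": "2025-09-12T09:08:30Z", "user": "bob", "action": "search", "customer": "CUST-13", "case": "C-1002"}
{"ts": "2025-09-12T09:09:15Z", "user": "carol", "action": "view", "customer": "CUST-13", "case": "C-1002"}
{"ts": "2025-09-12T09:10:00Z", "user": "alice", "action": "login", "customer": null, "case": null}
"""


def parse_log(text):
    """Parse a JSON-lines audit export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_peeking(events, cases):
    """Return the events where a user touched a customer outside an assigned case.

    An access is treated as legitimate only when the event references an open
    case, that case is assigned to the acting user, and the customer is within
    the case's scope. Anything else is reported with the reason it failed.
    """
    case_by_id = {c["case_id"]: c for c in cases}
    findings = []
    for ev in events:
        if ev["action"] not in ("view", "search") or not ev.get("customer"):
            continue  # not a customer lookup
        case = case_by_id.get(ev.get("case"))
        if case is None:
            reason = "no open case referenced"
        elif case["assignee"] != ev["user"]:
            reason = f"case {case['case_id']} is not assigned to {ev['user']}"
        elif ev["customer"] not in case["customers"]:
            reason = f"customer not in scope of case {case['case_id']}"
        else:
            continue  # legitimate, case-linked access
        findings.append(
            {"ts": ev["ts"], "user": ev["user"], "customer": ev["customer"], "reason": reason}
        )
    return findings


def count_by_user(findings):
    """Aggregate findings per user, the figure a compliance reviewer follows up on."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_peeking(parse_log(SAMPLE_LOG), ACTIVE_CASES)
    for h in hits:
        print(f"{h['ts']} {h['user']} -> {h['customer']}: {h['reason']}")
    print(count_by_user(hits))
```

On the constructed sample this reports two events: bob viewing CUST-42 with no case referenced, and carol viewing CUST-13 under a case assigned to someone else. The check deliberately requires a positive link to an open case rather than a blocklist of customers, so a lookup is only silent when the log itself carries the justification; in a real deployment the case table would come from the client's case-management system and the review would run over the full export on a schedule.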
7. Residual risks
While Convier reduces many risks, some responsibilities remain with the client:
- Ensuring lawful basis for processing (e.g. compliance with AML legislation, GDPR Article 6(1)(c)).
- Defining what personal data is retrieved and processed.
- Managing user access rights and segregation of duties.
- Actively monitoring audit logs and enforcing disciplinary measures to prevent and respond to inappropriate access (“peeking”).
- Setting retention policies that comply with AML and GDPR requirements.
8. Conclusion and recommendations
The Convier platform is designed to support GDPR compliance by minimizing data storage, integrating with existing client systems, and giving clients full control of their environment.
When conducting their own DPIA, clients should:
- Document the lawful basis for AML-related data processing.
- Assess the categories of personal data they configure Convier to process.
- Review their internal access controls and retention policies.
- Incorporate Convier’s safeguards into their DPIA as technical and organizational measures.