DPIA / AIPD Autopilot
The DPIA Autopilot generates a per-agent Data Protection Impact Assessment (GDPR Art. 35) combined with an AI Impact Assessment (EU AI Act Art. 9, 13, 14) from live Kaplaix evidence — signed, versioned, and bundled into a ZIP that any regulator can verify offline.
- Auto-filled — 7 CNIL sections + 3 EU AI Act sections populated from live sessions, policies, and the agent’s behavioural profile.
- Status-triaged — each section renders with an ok / attention / missing badge so the DPO can see at a glance what still needs manual input.
- Multi-signature — DPO, CISO, legal counsel, controller — each role signs its own Ed25519 signature on the same revision.
- Versioned — every regeneration creates a new revision; previous signed revisions remain queryable for the audit trail.
- Drift-aware — when the agent’s behavioural profile diverges from the baseline snapshot by more than the Hellinger threshold (0.15), an alert nudges the DPO to review.
- Multi-locale PDF — FR / EN / DE / ES / IT. Template is translated; IDs, dates and counts render as-is so the document is cross-referenceable.
- Offline verifiable — the bundled signatures are checkable against the public JWKS at /.well-known/kaplaix/witness-keys.json without any connection back to Kaplaix.
Generating a DPIA
Open Agents → {agent} → DPIA in the console.
- First visit creates the DPIA row in draft state.
- Click Generate revision to auto-fill the 10 sections from the agent’s last 30 days of evidence.
- Review each section — missing or attention badges flag fields the DPO should complete in the Manual fields panel (data controller, DPO contact, legal basis, proportionality, sub-contractors, etc.).
- Add annotations per-section to document reviewer notes — they carry forward into the next revision.
Signing
A DPIA only becomes binding once signed. Click Sign on the current revision and enter:
| Field | Notes |
|---|---|
| Signer name | Full name of the signing officer. |
| Signer email | Role mailbox or personal, sanity-check only. |
| Role | DPO, CISO, LegalCounsel, or Controller. |
| Validity (days) | 30–1095. Default: 365. Bundle stays valid until this expires or the signature is revoked. |
Each signature is independent. The same user cannot sign the same revision twice, but two different signers can both sign. Any signer can later revoke their own signature with a reason.
The signed bundle
Click Download signed ZIP to pull the bundle:
```
dpia-{agentId}-rev{N}.zip
├── dpia.pdf — primary-locale PDF
├── locales/<loc>/dpia.pdf — additional locales if requested
├── dpia.json — full revision body
├── signed_payload.json — canonical JSON fed into Ed25519
├── signatures.json — active signatures with Ed25519 bytes
├── witness_keys.json — public keys (JWKS)
├── README.txt — offline-verify recipe
└── manifest.json — per-file SHA-256, version dpia-bundle-1.0
```

The bundle is the artefact you share with a regulator. It is self-contained — no Kaplaix endpoint required to verify.
Divergence detection
When a revision is generated, the agent’s behavioural profile is snapshotted
into the evidence annex as three categorical distributions (event category,
tool type, operation). The watcher recomputes the live distribution on
demand and measures the maximum Hellinger distance across the three
dimensions. Above 0.15 — the “meaningful drift” band agreed with the
risk team — a dna_divergence alert is inserted.
Trigger the watcher:
- From the console → Alerts → Check divergence.
- Or programmatically: POST /v1/agents/{id}/dpia/check-divergence.
Alerts are idempotent — an existing unacknowledged alert will not duplicate. Acknowledging does not silence future checks; it just clears the current alert.
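
The drift measure described under Divergence detection, as an added example (not Kaplaix's own code): it computes the Hellinger distance per dimension from raw counts and flags drift when the maximum exceeds 0.15. The dimension key names, the count-table input shape and the sample data are assumptions constructed for illustration.

```python
import math

THRESHOLD = 0.15  # Hellinger threshold stated on this page
DIMENSIONS = ("event_category", "tool_type", "operation")  # assumed key names

def normalise(counts):
    """Turn a table of raw counts into a probability distribution."""
    total = sum(counts.values())
    if total <= 0:
        raise ValueError("distribution has no observations")
    return {k: v / total for k, v in counts.items()}

def hellinger(p_counts, q_counts):
    """Hellinger distance in [0, 1] between two categorical count tables.
    A category seen on only one side has probability 0 on the other, so a
    newly appearing tool or operation pushes the distance up instead of
    being silently dropped."""
    p, q = normalise(p_counts), normalise(q_counts)
    squared = sum((math.sqrt(p.get(k, 0.0)) - math.sqrt(q.get(k, 0.0))) ** 2
                  for k in set(p) | set(q))
    return math.sqrt(squared / 2.0)

def check_divergence(baseline, live, threshold=THRESHOLD):
    """Return per-dimension distances and whether the maximum exceeds threshold."""
    per_dim = {d: hellinger(baseline[d], live[d]) for d in DIMENSIONS}
    worst = max(per_dim, key=per_dim.get)
    return {"per_dimension": per_dim, "worst_dimension": worst,
            "max_distance": per_dim[worst], "drifted": per_dim[worst] > threshold}

# Constructed sample data: one baseline snapshot and two live windows.
BASELINE = {"event_category": {"tool_call": 700, "llm_call": 250, "policy_block": 50},
            "tool_type": {"http": 600, "sql": 400},
            "operation": {"read": 900, "write": 100}}
LIVE_STABLE = {"event_category": {"tool_call": 70, "llm_call": 25, "policy_block": 5},
               "tool_type": {"http": 60, "sql": 40},
               "operation": {"read": 90, "write": 10}}
LIVE_DRIFTED = {"event_category": {"tool_call": 700, "llm_call": 250, "policy_block": 50},
                "tool_type": {"http": 500, "sql": 300, "shell": 200},  # new tool type
                "operation": {"read": 880, "write": 120}}

if __name__ == "__main__":
    for name, live in (("stable", LIVE_STABLE), ("drifted", LIVE_DRIFTED)):
        r = check_divergence(BASELINE, live)
        print(name, r["worst_dimension"], round(r["max_distance"], 4), r["drifted"])
```
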
Permissions (RBAC)
| Permission | Scope |
|---|---|
| dpia:read | Read DPIA + revisions + alerts + download bundle (combined with exports:read). Available to Admin, Viewer, Auditor, Approver. |
| dpia:manage | Generate revision, edit manual fields, annotate, sign, revoke, acknowledge alerts. Admin only. |
REST API
All routes are tenant-scoped via the usual Authorization: Bearer <api_key>
header.
| Method | Path |
|---|---|
| GET | /v1/agents/:id/dpia |
| POST | /v1/agents/:id/dpia/revisions |
| GET | /v1/agents/:id/dpia/revisions |
| GET | /v1/agents/:id/dpia/revisions/:revId |
| PATCH | /v1/agents/:id/dpia/revisions/:revId/manual-fields |
| POST | /v1/agents/:id/dpia/revisions/:revId/annotations |
| POST | /v1/agents/:id/dpia/revisions/:revId/sign |
| POST | /v1/agents/:id/dpia/signatures/:sigId/revoke |
| GET | /v1/agents/:id/dpia/revisions/:revId/bundle?locale=en |
| GET | /v1/agents/:id/dpia/alerts |
| POST | /v1/agents/:id/dpia/alerts/:alertId/acknowledge |
| POST | /v1/agents/:id/dpia/check-divergence |