GDPR TLS Audits
Article 32 Evidence Before a DPA Inspection

GDPR Article 32 requires “appropriate technical measures” including encryption, and regulators are interpreting this concretely. CNIL fined Doctissimo €280,000 specifically for HTTP endpoints handling personal data. Weak TLS isn’t just a finding; it’s the fact pattern enforcement actions are built on. SSLBoard gives you the evidence that Art. 32 is met, or identifies the gaps before a DPA inspection does.


One scan covers the requirements that matter

Enter a domain and SSLBoard discovers every hostname and TLS endpoint across your infrastructure using Certificate Transparency logs and active server probing. Each finding maps to Art. 32:

  • Article 32, state-of-the-art encryption: Full TLS version and cipher suite analysis across every endpoint. TLS 1.0, TLS 1.1, SSL, and weak cipher suites fall below the “state of the art” standard Article 32 mandates. Enforcement precedent from multiple DPAs exists for exactly these findings.
  • Article 32, HTTPS enforcement: HTTP endpoints serving personal data are a direct enforcement risk. CNIL’s Doctissimo fine established that unencrypted HTTP is an Art. 32 violation. Every HTTP endpoint and redirect chain is identified and flagged by severity.
  • Article 32, browser-side protections for personal data: Security headers, including CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and secure cookie attributes, protect personal data at the browser layer. Weak or missing headers undermine the technical measures Article 32 requires and are a documented DPA risk.

What DPA investigations actually look like

DPA investigations usually start with a complaint. When a regulator sends a technical questionnaire, the questions are about exactly what this report covers: which protocols are in use, which endpoints were reachable, whether HTTP was serving personal data.

CT logs are a public record of every certificate ever issued for your domain. If a forgotten subdomain was collecting data unencrypted, it’s findable, and regulators know how to look.

The Doctissimo fine wasn’t the result of a complex breach investigation. It was about HTTP. The evidence was right there on the public internet.


From scan to evidence

  1. Enter the apex domain. SSLBoard finds every hostname and probes every TLS endpoint.
  2. The summary report shows your TLS score and a ranked list of every issue found. It’s free.
  3. Unlock the full report for host-level detail. Download CSV data or share a link with your DPO or legal team.

The full report covers certificate chains, issuer distribution, protocol versions, cipher suites, key strength, HSTS status, OCSP revocation, security headers, and adjacent-domain discovery, all mapped to specific hostnames and IP:port combinations.


Fits the compliance workflow

Share a link with your DPO, external counsel, or the team handling an Article 33 notification. No screenshots to assemble, no data to pull manually.

The scan handles multi-brand, multi-region operators the same as single-domain sites. Results are ready in seconds.

One email confirmation unlocks the full report. Send the same link to everyone who needs to review it.


Need to see what the report looks like for your domain? Run a free scan — the summary report is instant, and the full report unlocks after email confirmation.
