GDPR Article 32 alignment

Run the GDPR Article 32 alignment check

What middleBrick covers

  • Black-box scanning with no agents or code access
  • Risk scoring and prioritized findings
  • Detection of exposed PII and API key patterns
  • Authentication support for Bearer, API key, Basic, and Cookie
  • Mapping findings to GDPR Article 32 and OWASP API Top 10
  • CI/CD integration with GitHub Action gates

What GDPR Article 32 requires for API security

GDPR Article 32 centers on the security of processing, emphasizing confidentiality, integrity, and availability of personal data. For APIs, this translates to implementing appropriate technical and organizational measures such as access control, encryption in transit and at rest, logging, and regular testing of security measures. Personal data exposed through an API, such as email addresses, names, or other identifiers, must be protected against unauthorized access or accidental loss.

Organizations often misunderstand the scope of Article 32, treating it as a checklist of technologies rather than a risk-based approach. Controls must be proportional to the risk level of the data and processing activities. An API that exposes PII without proper safeguards can constitute a security failure, regardless of whether an incident has occurred yet.

Common gaps when Article 32 is treated as compliance theater

Treating Article 32 as a documentation exercise leads to significant exposure. Teams implement perimeter defenses and access logs but overlook API-specific risks such as broken object level authorization, excessive data exposure, and insecure direct object references. Without continuous testing, these gaps remain undetected until exploited.

Another common mistake is relying on network isolation or VPNs as sufficient protection. APIs are often exposed to the internet for integration, and authentication or authorization flaws in these endpoints provide a direct path to personal data. Error messages that reveal stack traces or internal identifiers further undermine confidentiality and integrity objectives.

A practical workflow for API security aligned to Article 32

A robust workflow begins with inventory and classification of APIs that process or expose personal data. Each API should be mapped to the data flow, identifying where PII enters, is transformed, and is stored. Security controls are then applied and verified, including authentication, authorization, input validation, encryption, and logging.

Testing should be continuous and layered. Start with non-intrusive scans to identify misconfigurations and common vulnerabilities. Follow up with targeted manual review for business logic and sensitive endpoints. Findings should be tracked over time, with remediation prioritized by risk to data subjects. Evidence from testing supports accountability and demonstrates due diligence under Article 32.

curl -s -X GET "https://api.example.com/v1/users/me" \
  -H "Authorization: Bearer <token>" \
  -H "Accept: application/json"

What middleBrick covers out of the box

middleBrick is a black-box API security scanner designed to surface findings aligned to GDPR Article 32 objectives without requiring code access or agents. Submit a URL and receive a risk score with prioritized findings across authentication, authorization, data exposure, and input validation. The scanner operates read-only, using GET and HEAD methods plus text-only POST for LLM probes, ensuring no destructive payloads are sent.

It detects exposed PII patterns such as email addresses and context-aware SSNs, identifies API key leakage, and validates security headers and HTTPS configurations. The tool maps findings to relevant frameworks, helping you prepare evidence for audits and support controls described in GDPR Article 32. For authenticated scans, domain verification ensures only the domain owner can submit credentials, and header forwarding is limited to trusted identifiers.

Limitations and complementary practices

middleBrick detects misconfigurations and common vulnerability patterns but does not replace a human pentester for high-stakes audits. It does not perform intrusive payloads such as active SQL injection or command injection, as those fall outside its read-only scope. Business logic flaws, blind SSRF, and complex authorization bypass scenarios require domain expertise and manual investigation.

Use the scanner as part of a broader program that includes secure design reviews, access control testing, and incident response readiness. Regular rescans and trend analysis help ensure that new features do not reintroduce risks to personal data. These practices support audit evidence collection and reduce the likelihood of noncompliance with GDPR Article 32.

Run this check on your API See all use cases

Frequently Asked Questions

Does middleBrick provide compliance certification for GDPR?
middleBrick is a scanning tool and does not certify compliance. It helps you prepare evidence and validate controls relevant to GDPR Article 32, but it does not guarantee compliance.
Can authenticated scans be performed with middleBrick?
Yes, authenticated scanning is available starting with the Starter tier. It supports Bearer tokens, API keys, Basic auth, and cookies, with domain verification to ensure only the domain owner can scan with credentials.
What types of findings relate to data exposure under GDPR?
The scanner detects exposed PII patterns such as email addresses and context-aware SSNs, API key leakage, error and stack trace disclosure, and over-exposed internal fields that can lead to unauthorized access to personal data.
How often should scans be run to support Article 32 objectives?
Continuous monitoring is recommended, with scheduled rescans ranging from every 6 hours to monthly, depending on risk and change frequency. Ongoing scanning helps detect regressions and new misconfigurations early.