API-Layer GPC Decisions

Acknowledge GPC signals at the API layer. Fail‑closed by default. Structured decision records for each GPC signal.

When a user opts out via Global Privacy Control, GPCGuard validates and acknowledges that signal at the API layer — fail-closed by default, with a structured decision record for each GPC signal received.

In Plain English

GPCGuard receives a GPC signal request, verifies it safely, returns the policy outcome, and stores the evidence your team will need later.

Start free trial Read decision model

Jurisdictions covered

Per-signal

Structured decision records

Fail-closed

Default endpoint posture

Latency benchmarks publishing after early access.

Decision Records

Decision evidence for each GPC signal.

Each processed request creates a tenant-scoped decision record. Drill into any row to inspect the stored request ID, decision state, response code, and request metadata available in the dashboard.

request_idsignal_sourceguard_chain_outcomefinal_policy_versionenforcement_actionedge_pop

Live Proof

Real decision record from a test site showing the same dashboard evidence surface operators use to inspect a processed GPC signal.

Real GPCGuard decision record screenshot from a test site showing an acknowledged signal outcome.

Current proof image: /public/decision-record-proof-live.png. The original replacement-ready template still lives at /public/decision-record-proof-template.svg if you want to swap in a different redacted capture later.

RequestSignalActionTimestamp

↑ Click any row to expand full Decision Record

Architecture

Four steps. One clear decision path.

Every signal request sent to your GPCGuard endpoint passes through a deterministic guard chain, producing structured decision outcomes with explicit ACKNOWLEDGED / DENIED / FAILED states.

01 / 04

Detect

The generated embed or SDK sends a request to your GPCGuard endpoint, where the incoming signal is evaluated for that site.

02 / 04

Validate

Fail-closed guards verify site configuration, origin, active status, DPA acceptance, and circuit state before the request can continue.

03 / 04

Decide

The endpoint returns a structured policy decision. If a compliance-critical guard fails, the request resolves to DENIED instead of silently proceeding.

04 / 04

Record

Processed signal requests create structured decision records that operators can review in logs and dashboard evidence views.

Comparison

API-layer signal handling vs. after-the-fact visibility.

Consent collection and API-layer validation solve different parts of the privacy problem. GPCGuard focuses on signal validation, activation gates, and decision evidence rather than banner orchestration.

Consent Management Platform (CMP)

Banner-layer · opt-in flows · preference storage

Captures preferences at the UI layer only — no enforcement at the network or data layer.
Typically lacks structured per-signal guard traces or decision records.
Rarely handles Sec-GPC headers from browsers that broadcast the signal automatically.
On misconfiguration or error, data flows freely — no fail-closed default.

GPCGuard

Edge-native · signal validation · decision records

Validates GPC signal requests against domain, origin, DPA state, and circuit posture before recording any policy decision.
Returns a structured GPC policy payload; each processed signal produces a structured decision record.
Handles both Sec-GPC headers and navigator.globalPrivacyControl — detected and acknowledged at the signal layer.
Fail-closed by default: unknown origins and ambiguous signals resolve to DENIED.

gpcguard · embed

<!-- GPCGuard embed — generated per site after DPA acceptance -->
<script
  src="https://<project-ref>.supabase.co/storage/v1/object/public/public/gpc-sdk.js"
  data-endpoint="https://<project-ref>.supabase.co/functions/v1/gpc-signal"
  data-domain="<your-domain>"
  data-show-notification="true"
  async>
</script>

Paste after <body> on your target domain

Integration

One generated snippet. Three minutes.

GPCGuard onboarding mirrors the actual product surface: create a site, accept the DPA, retrieve the embed code, then verify endpoint decisions in the analytics and evidence views.

Create a site, accept the DPA

The embed snippet is generated by the dashboard only after the Data Processing Agreement is accepted for the site.

Install the generated snippet

Copy the snippet from the site detail page and place it on your domain so supported browsers can call your configured GPCGuard endpoint.

Verify signals inside the product

After installation, inspect decision records and analytics from the same operator flow that generated the snippet.

Compliance Coverage

Jurisdiction-aware GPC workflows.

GPCGuard is designed to support GPC decision and evidence workflows for the four active US state privacy law contexts shown here. These references describe product scope — not legal guarantees.

California

CCPA · CPRA

Colorado

CPA

Connecticut

CTDPA

New Jersey

NJDPA

Decision model

Public docs explain the ordered guard chain, API-layer boundary diagram, and common response contracts.

Read docs →

Security overview

The product publishes its current security posture without claiming certifications the infrastructure does not hold.

Review posture →

Architecture commitments

Non-negotiable boundaries — guard-order preservation and JWT + RLS tenant isolation — are documented publicly.

See commitments →

GPC workflow scope documented · CA · CO · CT · NJ

Get Started

Start with one site, one DPA, and one verified signal.

Move from initial setup to verified signal handling in a single workflow: create a site, accept the DPA, install the embed, and inspect the evidence stream.

Start free trial Open setup guide →Talk to us →

No credit card required · Free trial includes one verified site · Enterprise agreements available