diff --git a/GDPR.md b/GDPR.md
new file mode 100644
index 0000000000000000000000000000000000000000..37d2aa80bde5c3454bf6a5e7ec4e911a5ed1c025
--- /dev/null
+++ b/GDPR.md
@@ -0,0 +1,32 @@
+# GDPR Compliance Document
+The objective of this document is to detail, the data being stored and proccessed by the Trust Service API.
+
+## What information is stored
+### Source User Information
+The Open Id connect claims that MAY contain all sorts of personal data (like email, name, age and others), are received from any external source.
+
+### Technical User Information (Public)
+
+- Schema information (public)
+- Credential/credential definition ids and states
+- DID of issuer
+- DID of holder
+- Created/updated dates
+- Offered credential attributes and attachments
+
+## How is the information stored
+### Source User Information
+Source User Information is encrypted using the Private Key of the Organizations SSI Agent and stored until the issuance of credential in Organization's SSI Agent's PostgreSQL database.
+
+### Technical User Information (Public)
+Technical User Information is encrypted using the Private Key of the Organizations SSI Agent and stored internally (on the agent) on PostgreSQL and externally/ metadata (shared between the OCM services) on PostgreSQL of Organization.
+
+## Who can access the information
+The Source User Information and Technical User Information both are accessible only by the Organization specific SSI agent's private key.
+
+## How long will the information stay 
+### Source User Information
+The Source User Information is wiped out once the credential is issued.
+
+### Technical User Information (Public)
+The Technical User Information is wiped out according to the retention periods (not defined yet).