General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European privacy law that became enforceable on May 25, 2018. GDPR replaces the EU Data Protection Directive and is intended to reconcile data protection laws throughout the European Union (EU) by applying a single data protection law enforceable across every member state.

The GDPR applies not only to organizations established within the EU, but also to organizations located outside of the EU that offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects located in the EU, regardless of the company’s location. The GDPR:

  • Defines personal data to include any information relating to an identified or identifiable natural person.
  • Regulates how businesses can collect, use, and store personal data.
  • Builds upon current documentation and reporting requirements to increase accountability.
  • Authorizes fines on businesses that fail to meet its requirements.

Ensuring GDPR Compliance at Dataddo

Dataddo's commitment to GDPR compliance is integral to our operations, particularly given our status as an SOC 2 Type II certified organization. Our focus on data protection, control, and compliance aligns with our customer-centric approach, aiding our customers on their GDPR compliance journey.

Our GDPR-Compliant Infrastructure

Security is a cornerstone of our infrastructure. We implement network and storage encryption and enforce rigorous access controls. Our team of engineers is diligent in applying security updates to our systems and databases.

We require Transport Layer Security (TLS) for external connections and offer Secure Shell (SSH) tunneling for safe internal access. Our commitment to security is further demonstrated through regular external evaluations, detailed in our SOC 2 overview.

Dataddo's infrastructure is supported by trusted cloud providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform. These platforms undergo frequent independent audits to verify their security measures. For additional insights, visit our SOC 2 overview.

Supporting Our Customers with GDPR Compliance

To help our customers adhere to the GDPR, Dataddo has undertaken several initiatives. These measures are continually updated to align with the latest requirements:

  • Security Features: We've enhanced our products with advanced security features and have strengthened the security posture of our enterprise and infrastructure.
  • Contractual Support: Our customer contracts are designed to facilitate GDPR compliance, particularly concerning processor appointments. We also ensure our agreements with processors are GDPR-compliant.
  • International Data Transfer Support:
    • We've integrated Standard Contractual Clauses into our Data Processing Agreement to support international data transfers.
    • We continuously monitor developments in the post-Schrems II landscape to adopt any additional measures required by European regulatory authorities.
  • GDPR Guidance Monitoring: We keep a close eye on GDPR guidance and adjust our strategies to ensure ongoing compliance.

Dataddo's Data Processing Agreement

Dataddo offers a Data Processing Agreement (DPA) as part of our terms of service. The DPA meets GDPR standards, which is essential for data controllers that use our services in a data processor role.

For any questions about how this agreement applies to your use case, please contact us directly at info@dataddo.com.

Facilitating Transfer of Personal Data Outside EEA, Switzerland, and UK

At Dataddo, we prioritize the secure and compliant transfer of personal data to regions outside the EEA, Switzerland, and the UK. We employ Standard Contractual Clauses (SCCs) under Article 46 of the GDPR for transfers to countries without an adequacy decision from the European Commission or the UK, including transfers to the US.

In light of the new SCCs approved by the European Commission in June 2021, which reflect GDPR requirements and the Schrems II decision, we have accordingly updated our Data Processing Agreement (our legal agreement governing our customers’ use of the Dataddo platform). For UK data transfers, we currently use the existing SCCs, pending future updates.

Dataddo aids customers in meeting their Clause 14 obligations under the new SCCs by supporting Transfer Impact Assessments (TIAs) and conducting our own when appropriate. We offer technical measures like encryption, where the encryption keys are in the customers' control. Our own contractual and organizational measures further enhance data protection for our customers. For more details, please refer to our Data Processing Agreement and Technical & Organizational Security Measures.

Disclaimer

The information presented on this page is provided for informational purposes only, and Dataddo does not intend for the information or recommendations presented here to be construed as legal advice. Each customer is responsible for independently evaluating their own use of Dataddo's services to ensure compliance with their legal and regulatory obligations.

