General Data Protection Regulation (GDPR)

As an SOC 2 Type II certified organization, Dataddo is committed to complying with The General Data Protection Regulation (GDPR).

What is GDPR?

The General Data Protection Regulation (GDPR) is a European privacy law that became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive and is intended to reconcile data protection laws throughout the European Union (EU) by applying a single data protection law enforceable across every member state.

Compliance with GDPR is a top priority for Dataddo and our customers. Dataddo can be a key facilitator on your GDPR journey with our customer-centric approach to data protection, control, and compliance.

The GDPR does the following:

• Regulates how businesses can collect, use, and store personal data;
• Builds upon current documentation and reporting requirements to increase accountability;
• Authorizes fines on businesses who fail to meet its requirements.

Who is impacted by the GDPR?

The GDPR applies not only to organizations established within the EU, but also to organizations located outside of the EU that offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects located in the EU, regardless of the company’s location. The GDPR defines personal data to include any information relating to an identified or identifiable natural person.

How does Dataddo help my organization comply with the GDPR?

Dataddo is working across our organization to ensure that our products and services enable our customers to comply with GDPR. This includes:

• Continuing to build upon the security features in our products and the security posture of our enterprise and infrastructure, described in more detail;
• Ensuring that contracts with our customers enable them to comply with the GDPR rules relating to appointing processors, and ensuring that our contracts with our own processors are compliant as well;
• Continuing to support international data transfers by incorporating Standard Contractual Clauses into our standard Data Processing Agreement with our customers, and closely monitoring the development of the post-Schrems II landscape to ensure we are implementing any further measures the European regulatory authorities may require for international data transfers;
• Continuously monitoring the guidance around GDPR compliance in general, and adjusting our plans accordingly.

How does Dataddo help me comply with the GDPR?

Dataddo prioritizes security by default, providing network encryption, storage volume encryption, and access control. Our engineers automatically apply security-specific updates to the operating system and database of the underlying instances. We enforce the use of TLS when connecting to external services and offer SSH tunneling for connecting to your internal infrastructure. In addition, we regularly pursue external testing and certifications for security, including the SOC 2 overview.

To further ensure GDPR compliance, Dataddo's infrastructure runs on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform. Each cloud provider undergoes independent third-party audits on a regular basis. For more information, please visit the SOC 2 overview.

Dataddo's Data Processing Addendum (DPA)

Dataddo offers a Data Processing Agreement (DPA) as part of our terms of service, which satisfies the GDPR's requirements for data controllers using data processors.

If you have any questions about how these terms apply to your specific use case, please don't hesitate to contact us at info@dataddo.com.

Facilitating Transfer of Personal Data Outside EEA, Switzerland, and UK

Dataddo takes data protection seriously and recognizes the importance of complying with GDPR requirements for transferring personal data outside the EEA, Switzerland, and the UK. To ensure appropriate safeguards, Dataddo uses Standard Contractual Clauses under Article 46 of GDPR when transferring personal data to countries that do not have an adequacy decision from the European Commission or the UK, including the US.

In June 2021, the EC approved new SCCs that align with GDPR and address issues raised by the European Court of Justice in its Schrems II decision. Dataddo has incorporated the new SCCs into our standard Data Processing Agreement, which is included in our legal agreement governing our customers’ use of the Dataddo platform. For transfers of customer personal data from the UK, the prior version of the SCCs will remain in place for the time being.

Dataddo assists customers in complying with their obligations under Clause 14 of the new SCCs by contributing to Transfer Impact Assessments (TIA) and conducting our own TIAs when appropriate. We also enable customers to implement technical supplementary measures, including data encryption options where customers control the encryption keys. Dataddo has implemented its own contractual and organizational supplementary measures for the benefit of customers. For more information on these measures, please refer to our Data Processing Agreement and Technical & Organizational Security Measures .

Contact Us for GDPR-Related Questions

If you have any questions or concerns about the GDPR and Dataddo, please feel free to reach out to us at info@dataddo.com. We are happy to assist you in any way we can.