GDPR Compliance
Our commitment to protecting EU user data
Artatol Account is fully committed to GDPR compliance. We have implemented technical and organizational measures to ensure that personal data is processed lawfully, fairly, and transparently across all Artatol services.
Our Role Under GDPR
Artatol Account serves as the central identity and access management platform for all Artatol services. We act as a Data Controller for the personal information you provide when creating and managing your account.
For services you enable through your Artatol Account (ArtaMail, ArtaConsent, etc.), we may act as a Data Processor on your behalf.
Data Processing Agreement
We provide a Data Processing Agreement (DPA) to all customers that outlines our obligations as a data controller and processor. This agreement covers the nature and purpose of processing, types of personal data, security measures, and your rights.
Contact [email protected] to request a copy of our DPA.
GDPR-Compliant Features
- Access Control: Granular role-based access control (owner, admin, member, viewer) for organization management.
- Data Portability: Export all your account data, service access, and usage information at any time.
- Right to Erasure: Delete your account and all associated data permanently. All data is anonymized or removed within 30 days.
- Data Minimization: We only collect and process data necessary to provide authentication and account management services.
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Passwords use bcrypt hashing.
- Audit Logs: Complete audit trail of all account access, service usage, and API key operations.
- Two-Factor Authentication: Optional 2FA for enhanced account security and protection against unauthorized access.
Data Storage Location
All data is stored on servers located in the European Union. We do not transfer personal data outside the EU/EEA without appropriate safeguards as required by GDPR (Standard Contractual Clauses or adequacy decisions).
- Primary data storage: OVH Frankfurt, Germany (PostgreSQL database)
- Infrastructure: Kubernetes cluster hosted on OVH Frankfurt
Sub-processors
We use the following sub-processors to provide our service:
| Service | Purpose | Location |
|---|---|---|
| OVH | Database hosting (PostgreSQL), Infrastructure (Kubernetes) | Frankfurt, Germany |
| Cloudflare | Reverse proxy, DDoS protection, WAF, CDN | Global (EU edge locations) |
| Payment Processor (future) | Payment processing for paid services | EU |
Data Subject Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of Access - Request a copy of all your personal data
- Right to Rectification - Update or correct your account information
- Right to Erasure - Request deletion of your account and all data
- Right to Restrict Processing - Limit how we use your data
- Right to Data Portability - Receive your data in a machine-readable format
- Right to Object - Object to certain types of processing
- Right to Withdraw Consent - Withdraw consent at any time
- Right to Lodge a Complaint - File a complaint with your data protection authority
To exercise these rights, please contact us at [email protected].
Data Retention
We retain your data according to the following schedule:
- Account data: Retained while account is active
- Usage logs: Retained for 90 days for security and troubleshooting
- Payment records: Retained for 7 years for tax and legal compliance
- Deleted accounts: All data anonymized or permanently deleted within 30 days
Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach. We will provide all necessary information about the nature of the breach, its potential consequences, and the measures taken to address it.
Security Measures
We implement state-of-the-art security measures to protect your data:
- Password hashing using bcrypt (an industry-standard one-way hash function)
- TLS 1.3 for all data in transit
- AES-256 encryption for data at rest
- Row-level security (RLS) at the database level
- API key encryption and secure storage
- Regular security audits and penetration testing
- Access logging and monitoring
- Automatic session expiration and refresh token rotation
International Data Transfers
Your data is primarily stored and processed in the European Union (AWS eu-west-1). If data needs to be transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission
- Binding Corporate Rules where applicable
Contact Our DPO
For any GDPR-related inquiries, to exercise your rights, or to report concerns, contact our Data Protection Officer:
Data Protection Officer
Email: [email protected]
Mailing address: Artatol, Prague, Czech Republic
We will respond to your request within 30 days as required by GDPR.