GDPR Compliance
As a platform dedicated to helping organizations achieve GDPR compliance, we hold ourselves to the highest standards of data protection. This page details our comprehensive approach to GDPR compliance.
1. Our Commitment to GDPR
UnnaData was founded with privacy at its core. As an AI-powered GDPR compliance platform, we understand that trust is our most valuable asset. We are fully committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and ensuring that our customers' data is handled with the utmost care and transparency.
We practice what we preach. Every feature we build for our customers' compliance, we apply to our own operations first. Our internal processes are designed to meet and exceed GDPR requirements.
EU Data Residency
All data stored exclusively in AWS eu-west-1 (Ireland)
Encryption at Rest
AES-256 encryption for all stored data
Encryption in Transit
TLS 1.3 for all network communications
Designated DPO
Appointed Data Protection Officer
Data Processing Agreements
DPAs with all sub-processors
Full Audit Logging
Comprehensive audit trail for all operations
2. GDPR Principles We Follow
UnnaData's data processing activities adhere to the seven key principles of the GDPR as defined in Article 5:
| Principle | How We Implement It |
|---|---|
| Lawfulness, Fairness, Transparency | Clear privacy policy, explicit consent mechanisms, transparent data practices |
| Purpose Limitation | Data collected only for specified, explicit, and legitimate purposes |
| Data Minimization | We collect only the minimum data necessary to provide our Services |
| Accuracy | Users can update their information at any time; regular data quality reviews |
| Storage Limitation | Defined retention periods for all data categories; automatic deletion policies |
| Integrity & Confidentiality | Encryption, access controls, security monitoring, and incident response |
| Accountability | Documented policies, DPIA processes, DPO appointment, regular audits |
3. Legal Basis for Processing
We process personal data under the following legal bases as defined in Article 6(1) GDPR:
- Contract Performance (Art. 6(1)(b)): Processing necessary to deliver our Services as agreed in our Terms of Service, including account management, document storage, and AI-powered compliance analysis.
- Legitimate Interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement, and analytics. We conduct balancing tests to ensure our interests do not override data subjects' rights.
- Consent (Art. 6(1)(a)): Marketing communications, optional analytics cookies, and any non-essential processing. Consent can be withdrawn at any time.
- Legal Obligation (Art. 6(1)(c)): Tax record retention, regulatory reporting, and responding to lawful data access requests from authorities.
4. Data Subject Rights
We fully support all data subject rights under the GDPR. You can exercise these rights at any time by contacting our DPO:
- Right of Access (Art. 15): Request a complete copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of any inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data, subject to legal retention requirements.
- Right to Restrict Processing (Art. 18): Request that we limit how we process your data in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
- Rights Related to Automated Decision-Making (Art. 22): We do not make decisions based solely on automated processing that produce legal effects. Our AI provides recommendations for human review.
Response time: We respond to all data subject requests without undue delay and at the latest within one month of receipt (Art. 12(3)). In complex cases or where we receive many requests, we may extend this by a further two months, and we inform you of the extension and its reasons within the first month.
Supervisory authority: You have the right to lodge a complaint with your local data protection authority. In Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD).
5. Technical & Organizational Measures
We implement comprehensive technical and organizational measures to ensure a level of security appropriate to the risk (Article 32 GDPR):
5.1 Technical Measures
- Encryption: AES-256 for data at rest, TLS 1.3 for data in transit
- Authentication: Email/password login issuing JWTs; short-lived access tokens (30 min) and longer-lived refresh tokens (7 days) that are exchanged for new access tokens, so a leaked access token has a bounded window of use
- Access Control: Role-based access control (RBAC) with Organization Admin, Admin, and Member roles
- Network Security: VPC isolation, security groups, encrypted gRPC communications
- Audit Logging: Comprehensive logging of all API requests, authentication events, and data access
- Backup & Recovery: Regular encrypted backups with tested recovery procedures
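The access/refresh token split above only reduces risk if the verifier actually enforces the lifetimes and refuses to accept a refresh token where an access token is required. The following is an added illustration of that check, written for this page and not UnnaData's own code: it mints HS256 JWTs with the page's 30-minute and 7-day lifetimes using only the Python standard library, and the verifier pins the algorithm, checks the signature in constant time, and rejects expired or wrong-type tokens. The secret, issuer string and claim names are assumptions.

```python
"""Added example: short-lived access tokens and longer-lived refresh tokens
as HS256 JWTs, with a verifier that enforces lifetime, type and algorithm.
Illustrative code only; SECRET and ISSUER are placeholder assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"replace-with-a-random-256-bit-key"   # assumption: a per-environment secret
ISSUER = "example-issuer"                        # assumption: not a real issuer value
ACCESS_TTL = 30 * 60                             # 30 minutes, as stated on the page
REFRESH_TTL = 7 * 24 * 3600                      # 7 days, as stated on the page


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode(header: dict, payload: dict) -> str:
    return (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
            + _b64url(json.dumps(payload, separators=(",", ":")).encode()))


def mint(subject: str, token_type: str, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT; the 'typ' claim distinguishes access from refresh tokens."""
    if token_type not in ("access", "refresh"):
        raise ValueError("unknown token type")
    now = int(time.time()) if now is None else now
    ttl = ACCESS_TTL if token_type == "access" else REFRESH_TTL
    signing_input = _encode({"alg": "HS256", "typ": "JWT"},
                            {"iss": ISSUER, "sub": subject, "typ": token_type,
                             "iat": now, "exp": now + ttl})
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge_alg_none(subject: str, now: Optional[int] = None) -> str:
    """Attacker-style token with alg=none and an empty signature (to show it is rejected)."""
    now = int(time.time()) if now is None else now
    return _encode({"alg": "none", "typ": "JWT"},
                   {"iss": ISSUER, "sub": subject, "typ": "access",
                    "iat": now, "exp": now + ACCESS_TTL}) + "."


def verify(token: str, expected_type: str, now: Optional[int] = None) -> dict:
    """Return the claims if algorithm, signature, issuer, type and expiry all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm server-side; never let the token choose it (blocks alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if payload.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # A 7-day refresh token must never be accepted where a 30-minute access token is required.
    if payload.get("typ") != expected_type:
        raise ValueError("wrong token type")
    if now >= payload["exp"]:
        raise ValueError("expired")
    return payload


def refresh(refresh_token: str, now: Optional[int] = None) -> str:
    """Exchange a still-valid refresh token for a fresh 30-minute access token."""
    claims = verify(refresh_token, "refresh", now)
    return mint(claims["sub"], "access", now)


def check(token: str, expected_type: str, now: int) -> str:
    """Verdict string for callers that prefer a result over an exception."""
    try:
        verify(token, expected_type, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    t0 = 1_700_000_000
    access = mint("user-1", "access", t0)
    print(check(access, "access", t0 + 60), check(access, "access", t0 + ACCESS_TTL))
    print(check(mint("user-1", "refresh", t0), "access", t0 + 60))
    print(check(forge_alg_none("user-1", t0), "access", t0 + 60))
```

Passing `now` explicitly keeps the lifetime checks testable without sleeping; in production, callers omit it and the current time is used. Refresh-token rotation and revocation on logout are out of scope here.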
5.2 Organizational Measures
- Privacy by Design: Data protection considerations built into every feature from the design phase
- Privacy by Default: Most restrictive privacy settings applied by default
- Employee Training: Regular GDPR awareness and security training for all team members
- Access Policies: Principle of least privilege applied to all internal systems
- Vendor Assessment: Security and privacy assessment of all third-party vendors
- Incident Response: Documented incident response plan with defined roles and procedures
6. Data Processing
6.1 UnnaData as Data Controller
When you create an account and use our platform, UnnaData acts as the data controller for your personal account data (name, email, authentication details, usage data).
6.2 UnnaData as Data Processor
When you upload compliance documents and data to our platform, UnnaData acts as a data processor on your behalf. In this capacity:
- We process your data only according to your instructions (as defined in our Terms of Service and Data Processing Agreement)
- We implement appropriate technical and organizational security measures
- We do not share your data with third parties except as necessary to provide the Services and as disclosed in our Privacy Policy
- We assist you in fulfilling data subject requests
- We delete or return your data upon termination of our agreement
6.3 Data Processing Agreement
We offer a comprehensive Data Processing Agreement (DPA) compliant with Article 28 GDPR. Enterprise customers can request a customized DPA. Contact legal@unnadata.com for details.
7. Sub-Processors
We maintain a current list of sub-processors who process personal data on our behalf:
| Sub-Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, storage | EU (Ireland, eu-west-1) | DPA, SOC 2, ISO 27001 |
| Anthropic | AI language model (Claude) for compliance analysis | United States | DPA, SCCs, zero data retention policy |
| Stripe | Payment processing | United States / EU | DPA, SCCs, PCI DSS Level 1 |
We will notify customers of any changes to our sub-processor list at least 30 days in advance, giving you the opportunity to object.
8. International Data Transfers
Your data is primarily stored and processed in the European Union (AWS eu-west-1, Ireland). When data must be transferred outside the EEA (for example, to Anthropic for AI processing), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): EU-approved contractual clauses as per the European Commission's implementing decision (EU) 2021/914
- Transfer Impact Assessments: We conduct assessments of the data protection laws in recipient countries
- Supplementary Measures: Additional technical and organizational measures including encryption, pseudonymization, and access controls
- Data Minimization: Only the minimum data necessary is transferred for AI processing
9. Data Breach Notification
In the event of a personal data breach, we follow a strict notification protocol in compliance with Articles 33 and 34 GDPR:
- Internal detection: Continuous security monitoring and automated alert systems
- 72-hour authority notification: Where we are the controller, we notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals (Art. 33(1)). If the 72-hour window is missed, the notification states the reasons for the delay.
- Customer notification: Where we process data as your processor, we notify you as controller without undue delay after becoming aware of a breach affecting your data (Art. 33(2)), including the nature of the breach, its likely consequences, and the measures taken, so that you can meet your own notification obligations.
- Data subject notification: When the breach is likely to result in a high risk to individuals' rights and freedoms, we notify affected data subjects directly without undue delay (Art. 34).
- Documentation: All breaches are documented with facts, effects, and remedial actions taken
10. Data Protection Officer
UnnaData has appointed a Data Protection Officer (DPO) in accordance with Article 37 GDPR. Our DPO is responsible for:
- Monitoring compliance with GDPR and related data protection laws
- Advising on Data Protection Impact Assessments
- Serving as the point of contact for data subjects and supervisory authorities
- Training staff on data protection obligations
You can contact our DPO at: dpo@unnadata.com
11. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) as required by Article 35 GDPR for processing activities that are likely to result in a high risk to data subjects. This includes:
- AI-powered document analysis and chat features
- Large-scale processing of compliance documents
- New feature development that involves personal data
- Changes to sub-processors or data transfer mechanisms
DPIAs are reviewed and updated regularly, and our DPO is consulted throughout the process.
12. Contact Us
For any questions about our GDPR compliance or to exercise your data protection rights:
- Data Protection Officer: dpo@unnadata.com
- Privacy Inquiries: privacy@unnadata.com
- Legal Team: legal@unnadata.com
For more details on how we handle your personal data, please review our Privacy Policy and Cookie Policy.