GDPR Compliance

Data protection and compliance built into our platform

Our Commitment to GDPR

Sinas is built from the ground up with GDPR compliance at its core. As a European company processing data exclusively within the EU, we understand the importance of data protection and privacy.

1. Data Processor Role

When you use Sinas to process personal data of your end users, we act as a data processor and you act as the data controller. This means:

  • You determine the purposes and means of processing personal data
  • We process data only on your documented instructions
  • We implement appropriate technical and organizational measures
  • We assist you in fulfilling your GDPR obligations

2. Data Processing Agreement (DPA)

We provide a comprehensive Data Processing Agreement that covers:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Your obligations and rights as data controller
  • Our obligations and rights as data processor

Contact us at legal@sinas.eu to execute a DPA.

3. Data Residency

100% European Data Processing

  • All data centers located within the European Economic Area (EEA)
  • No data transfers outside the EEA
  • Optional: Choose specific EU country for data residency
  • Compliance with data localization requirements

4. Security Measures (Article 32)

We implement state-of-the-art security measures:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication
  • Network Security: VPC isolation, DDoS protection, web application firewall
  • Monitoring: 24/7 security monitoring and incident response
  • Audits: Regular security audits and penetration testing
  • Certifications: SOC 2 Type II, ISO 27001

5. Data Subject Rights

We help you fulfill data subject rights requests:

  • Right of Access: Export personal data in machine-readable format
  • Right to Rectification: Update or correct personal data
  • Right to Erasure: Permanently delete personal data
  • Right to Data Portability: Export data in structured format
  • Right to Object: Stop processing of personal data
  • Right to Restriction: Limit processing of personal data

Our APIs and dashboard provide tools to handle these requests efficiently.

6. Data Breach Notification (Article 33)

In the event of a data breach:

  • We will notify you within 24 hours of becoming aware
  • Provide details of the breach, affected data, and mitigation steps
  • Assist you in notifying supervisory authorities if required
  • Document all breaches for compliance purposes

7. Data Protection Impact Assessments (DPIA)

We assist with DPIAs by providing:

  • Documentation of our processing activities
  • Information about security measures
  • Details of data flows and storage locations
  • Risk assessments for your use cases

8. Subprocessors

We maintain a list of approved subprocessors:

  • Infrastructure providers (EU-based cloud services)
  • Payment processors (Stripe for EU)
  • Support tools (EU-hosted instances)

We notify customers 30 days before adding new subprocessors.

9. Data Retention and Deletion

We implement clear data retention policies:

  • Customer Data retained only as long as your account is active
  • 30-day grace period after account closure
  • Permanent deletion using secure erasure methods
  • Backups retained for disaster recovery, deleted after 90 days
  • You can configure custom retention policies per data type

10. Privacy by Design and by Default

Our platform incorporates privacy principles:

  • Minimal data collection by default
  • Purpose limitation enforced at the API level
  • Storage limitation with automatic data expiry
  • Row-level security for fine-grained access control
  • Audit logging for accountability

11. International Transfers

We do not transfer personal data outside the EEA. All processing occurs within EU data centers.

12. Compliance Documentation

We provide documentation to support your compliance:

  • Records of processing activities (Article 30)
  • Security and compliance certifications
  • Audit reports and penetration test summaries
  • Technical and organizational measures documentation

13. Contact Information

For GDPR-related inquiries:

Data Protection Officer
Sinas B.V.
Email: dpo@sinas.eu
Address: [EU Address]

Supervisory Authority: Dutch Data Protection Authority (Autoriteit Persoonsgegevens)