GDPR Compliance
Last updated: May 1, 2026
SignalStack is committed to complying with the General Data Protection Regulation (GDPR) (EU) 2016/679. This page explains our GDPR compliance posture, how we process personal data, and what rights data subjects have when their personal data is processed through our Service.
1. Data Controller and Data Processor
Under the GDPR, SignalStack acts as both a data controller and a data processor depending on the context:
- Data Controller: SignalStack acts as a data controller when we collect and process personal data for our own purposes, such as account registration, billing, marketing communications, and website analytics.
- Data Processor: SignalStack acts as a data processor when we process personal data on behalf of our customers through our API. In this capacity, we process data only in accordance with our customers' instructions as documented in our Data Processing Agreement (DPA).
2. Lawful Bases for Processing
We process personal data on the following lawful bases:
- Consent: Where you have given explicit consent (e.g., for marketing communications and non-essential cookies).
- Contractual necessity: Where processing is necessary to perform our contract with you (e.g., providing the Service, billing, and customer support).
- Legal obligation: Where processing is required to comply with applicable laws (e.g., tax and accounting records).
- Legitimate interests: Where processing is necessary for our legitimate interests (e.g., security monitoring, fraud prevention, and service improvement) and does not override your fundamental rights and freedoms.
3. Data Processing Agreement (DPA)
SignalStack offers a Data Processing Agreement (DPA) to all customers who process personal data through our Service. Our DPA includes:
- Standard Contractual Clauses (SCCs): For transfers of personal data from the EEA to third countries.
- Processing instructions: Clear documentation of the scope, nature, and purpose of processing.
- Data security measures: Detailed description of our technical and organizational security measures.
- Subprocessor notification: Obligation to notify customers of changes to subprocessors.
- Data breach notification: Commitment to notify customers within 48 hours of becoming aware of a personal data breach.
- Data subject assistance: Agreement to assist customers in responding to data subject requests.
To request a DPA, please contact privacy@signal-stack-ten.vercel.app. The DPA is pre-signed and available for immediate acceptance through your account dashboard.
4. Data Subject Rights
Under the GDPR, individuals have the following rights regarding their personal data:
- Right of access (Article 15): Obtain confirmation of whether we process your personal data and access to that data.
- Right to rectification (Article 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restrict processing (Article 18): Request restriction of processing in certain circumstances.
- Right to data portability (Article 20): Receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes.
- Rights related to automated decision-making (Article 22): Not be subject to decisions based solely on automated processing where those decisions have legal or similarly significant effects.
To exercise any of these rights, contact privacy@signal-stack-ten.vercel.app. We will respond to your request within 30 days. For requests related to data processed on behalf of our customers, we will forward the request to the relevant customer (the data controller).
5. Data Processing Details
| Category | Details |
|---|---|
| Categories of data subjects | Customers, their employees and end users, and individuals whose data is submitted for verification |
| Types of personal data | Name, email, billing details, IP addresses, business identifiers, and any data submitted through the API |
| Purpose of processing | Verification services, account management, billing, security monitoring, and service improvement |
| Retention periods | Account data: duration + 90 days. API data: 30 days. Logs: 12 months. Billing: 7 years |
| Data storage locations | US (default), EU (Frankfurt), APAC (Sydney) — configurable per customer |
6. International Data Transfers
SignalStack primarily processes data in the United States. For transfers of personal data from the EEA to the US, we rely on:
- Standard Contractual Clauses (SCCs): As adopted by the European Commission (Decision 2021/914).
- Data residency options: EU data can be processed and stored exclusively in our Frankfurt data center.
- Transfer Impact Assessments (TIAs): We have conducted TIAs for all data flows from the EEA to third countries.
7. Subprocessors
We engage subprocessors to assist in providing the Service. A current list of subprocessors is available on our Subprocessors page. We conduct due diligence on all subprocessors and require them to meet GDPR compliance standards through contractual commitments.
Customers are notified at least 30 days before we engage a new subprocessor. Enterprise customers have the right to object to new subprocessors.
8. Security Measures
We implement technical and organizational security measures to protect personal data, including:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Access controls based on the least-privilege principle
- Regular security audits and penetration testing
- Employee training on data protection
- Incident response and breach notification procedures
- Data minimization and pseudonymization where feasible
9. Data Protection Officer
SignalStack has appointed a Data Protection Officer (DPO) who can be contacted at:
- Email: dpo@signal-stack-ten.vercel.app
Our DPO is responsible for overseeing our GDPR compliance program and serving as a point of contact for data subjects and supervisory authorities.
10. Supervisory Authority
If you believe our processing of your personal data violates GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first so we can address your concerns.
11. Contact
For GDPR-related inquiries:
- Email: privacy@signal-stack-ten.vercel.app
- DPO: dpo@signal-stack-ten.vercel.app
SignalStack, Inc.
548 Market St, Suite 98989
San Francisco, CA 94104
United States