Trust Center

A single page summarizing how EUcomply handles your customers' data, who we share it with, and where to reach us.

GDPR posture

Full alignment with EU Regulation 2016/679. Data minimization, purpose limitation, and 7-year retention only on financial / customs records (Article 6(1)(c) — legal obligation).

Jurisdiction

Berlin (Germany) per our Terms of Service. Disputes resolved before the courts of Berlin; consumer ODR via the EU platform.

Data residency

Production data is stored in EU regions. No transfers to third countries without SCCs (2021/914) and a transfer impact assessment.

Encryption

TLS 1.2+ in transit, AES-256 at rest. Webhook secrets and API keys are stored as SHA-256 hashes; we never log raw credentials.

Sub-processors

Per Article 28(2) GDPR, the following sub-processors handle personal data on our behalf. The full Data Processing Agreement (DPA) including SCC modules is available in our DPA document.

Sub-processorPurposeRegionTransfer mechanism
Shopify Inc.Marketplace integration (orders, products, webhooks)CA / EUSCCs 2021/914
Stripe Payments Europe Ltd.Subscription billing & invoicesIEEU (no transfer)
Resend Inc.Transactional email deliveryUSSCCs 2021/914
Sentry GmbHError monitoring (no PII fields are forwarded)DEEU (no transfer)
Cloudflare, Inc.Static landing-page hosting and edge deliveryGlobal edge networkSCCs and EU Data Boundary controls
Cloudflare Germany GmbHCDN / DNS / WAFDEEU (no transfer)

Contacts

Security: security@eucomply.app — vulnerability reports, PGP key fingerprint published in /.well-known/security.txt.
Privacy & DPO: dpo@eucomply.app — for any GDPR Article 12–22 request (access, rectification, erasure, portability, restriction, objection).
Legal: legal@eucomply.app
General: hi@eucomply.app

Online Dispute Resolution (ODR)

Per Regulation (EU) 524/2013, EU-resident consumers may use the European Commission's ODR platform: ec.europa.eu/consumers/odr. Our contact for ODR notices is legal@eucomply.app. We are not obliged to participate but will respond to all such notices within 30 days.

Supervisory authority

Lead supervisory authority: Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI). Data subjects retain the right to lodge a complaint under Article 77 GDPR.

Audit & certifications

Incident reporting

Personal-data breaches are reported to BlnBDI within 72 hours per Article 33 GDPR. Affected merchants are notified by email and via the status page without undue delay.