GDPR Commitment

Last updated: 15 January 2025

Our GDPR Commitment

UnionStack was built from the ground up with GDPR compliance as a foundational requirement — not an afterthought. We believe European businesses deserve productivity tools that respect and enforce their data protection rights.

How We Ensure Compliance

Data Residency

All customer data is stored exclusively in EU data centers. We operate facilities in Germany, the Netherlands, and France. No customer data ever leaves the European Economic Area.

No US Jurisdiction Exposure

UnionStack GmbH is a German company with no US parent entity, no US subsidiaries, and no US-based employees with access to customer data. We are not subject to the CLOUD Act, FISA Section 702, or any other US surveillance law.

Data Processing Agreement

Every customer receives a comprehensive DPA that meets the requirements of Article 28 GDPR. Our DPA covers:

  • Purpose and duration of processing
  • Nature and categories of data
  • Rights and obligations of both parties
  • Technical and organisational measures
  • Sub-processor management
  • Data breach notification procedures

Sub-Processor Transparency

We maintain a complete list of sub-processors and notify customers of any changes with at least 30 days’ notice. All sub-processors are EU-based and contractually bound to GDPR-equivalent data protection standards.

Technical Measures

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access controls: Role-based access, multi-factor authentication
  • Audit logging: Comprehensive audit trails for all data access
  • Data minimisation: We only process data necessary for service delivery
  • Pseudonymisation: Applied where technically feasible

Organisational Measures

  • Dedicated Data Protection Officer (DPO)
  • Regular staff training on data protection
  • Privacy impact assessments for new features
  • Incident response procedures tested quarterly
  • Annual third-party security audits

Data Subject Rights

We provide tools for our customers to fulfil data subject requests efficiently:

  • Right of access: Export individual user data in standard formats
  • Right to rectification: Edit user data through the admin console
  • Right to erasure: Delete user data with cryptographic verification
  • Right to portability: Export all data in machine-readable formats
  • Right to restriction: Temporarily restrict processing per user

Certifications

  • ISO 27001: Information security management
  • SOC 2 Type II: Security, availability, and confidentiality
  • BSI C5: Cloud Computing Compliance Criteria Catalogue

Contact Our DPO

Dr. Friedrich Schmidt
Data Protection Officer
Email: dpo@unionstack.cloud
Post: UnionStack GmbH, Friedrichstraße 123, 10117 Berlin, Germany