GDPR-compliant. By design, not by declaration.
We don't tick a box; the platform's architecture starts from data isolation. The full list of sub-processors and the data location is public.
Principles
Data in the EU
All data is stored within the European Union. We do not transfer data outside the EEA. For integrations with third-party partners outside the EU, we rely on the Standard Contractual Clauses (SCCs).
Per-tenant isolation
Each client has its own MySQL database. On deletion we run DROP DATABASE on that tenant's database, rather than a DELETE query filtered by tenant, so data from different clients cannot be mixed by accident.
Clear retention
Active data: for the duration of the contract. Invoices: 10 years (tax law). Logs: 90 days. On termination: 30-day grace period, then permanent deletion.
Standard DPA
We have a ready-to-sign DPA (Data Processing Agreement) available on request. Minor changes accepted; substantial changes discussed.
Sub-processors
These are the third parties with whom we may share personal data — strictly for purposes necessary to operate the platform. Each one has a DPA signed with us.
| Name | Purpose | Location | DPA |
|---|---|---|---|
| DigitalOcean | Infrastructure hosting + file storage (Spaces) | EU (London) | Yes |
| Oblio | Invoicing (if you enable the integration) | Romania | Yes |
| SmartBill | Invoicing (if you enable the integration) | Romania | Yes |
| Sameday | Shipping label generation (if enabled) | Romania | Yes |
| Cargus | Shipping label generation (if enabled) | Romania | Yes |
| DPD | Shipping label generation (if enabled) | Romania / EU | Yes |
| GLS | Shipping label generation (if enabled) | EU | Yes |
| Pall-Ex | Pallet consignments (if enabled) | Romania | Yes |
| eMAG | Order sync (if enabled) | Romania | Yes |
| Resend | Transactional email | EU | Yes |
| Stripe | SaaS payment processing | Ireland (EU entity) | Yes — standard SCC + DPA |
DPA (Data Processing Agreement)
For any client that needs a signed DPA (which means: almost everyone), we have a standard one ready to sign. It is based on the EU SCCs and aligned with GDPR Art. 28.
Data subject rights
Anyone whose data is processed in notsowms (you, your employees, or your end customers) has the rights provided by the GDPR: access, rectification, erasure, restriction, portability, objection.
Requests are sent to [email protected]. We respond within 30 days at most (a legal requirement), and usually much sooner.