GDPR Data Protection
Data Controller:
GeekCloud Sp. z o.o.
Melchiora Wańkowicza 2/1, 40-384, Katowice, Poland
KRS: 0000976073 | NIP: 0000976073 | VAT-EU: PL0000976073
DPO Contact: dpo@vortcloud.com
Effective Date: 2025.06.01
1. Our Commitment to Data Protection
GeekCloud Sp. z o.o. is committed to protecting the privacy and security of personal data in full compliance with the General Data Protection Regulation (GDPR) and Polish data protection laws. This document outlines our comprehensive approach to data protection and your rights as a data subject.
GDPR Compliance Principles
- Lawfulness, fairness, and transparency in all data processing
- Purpose limitation - data collected for specified, explicit purposes
- Data minimization - only necessary data is collected
- Accuracy - keeping data up-to-date and correct
- Storage limitation - retaining data only as long as necessary
- Integrity and confidentiality - securing data appropriately
- Accountability - demonstrating compliance with all principles
2. Data Controller vs. Data Processor Roles
2.1 When We Act as Data Controller
GeekCloud acts as a data controller for:
- Customer account information and billing data
- Service usage metrics and technical logs
- Support communications and correspondence
- Identity verification data processed through Stripe Identity
- Marketing and communication preferences
2.2 When We Act as Data Processor
GeekCloud acts as a data processor for:
- Customer data stored on VPS instances and block storage
- Database content managed by customers
- Files and applications deployed by customers
- Any personal data within customer-controlled infrastructure
When acting as a processor, we process data only according to documented customer instructions and our Data Processing Agreement (DPA).
3. Data Processing Agreements (DPAs)
3.1 Customer DPA
All customers who process personal data using our services are covered by our comprehensive Data Processing Agreement, which includes:
- Standard Contractual Clauses (SCCs) for international data transfers
- Data subject rights fulfillment procedures
- Security incident notification protocols
- Subprocessor notification and consent mechanisms
- Data return and deletion procedures upon termination
3.2 Subprocessor Management
We maintain strict oversight of all subprocessors who may access customer data:
- Comprehensive due diligence before engagement
- Contractual obligations equivalent to our DPA commitments
- Regular compliance audits and security assessments
- Customer notification of any subprocessor changes
4. Security Measures and Safeguards
4.1 Technical Safeguards
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
- Access Controls: Multi-factor authentication and role-based permissions
- Network Security: Firewalls, intrusion detection, and network segmentation
- Monitoring: 24/7 security monitoring and incident response
- Backup Security: Encrypted backups with tested restoration procedures
4.2 Organizational Measures
- Staff Training: Regular GDPR and security awareness training
- Access Limitation: Need-to-know basis for data access
- Confidentiality: Contractual confidentiality obligations for all staff
- Incident Response: Defined procedures for security and data breaches
- Vendor Management: Due diligence and ongoing oversight of suppliers
4.3 Regular Assessments
- Annual external security audits and penetration testing
- Quarterly internal security reviews and policy updates
- Continuous vulnerability scanning and patch management
- Regular backup testing and disaster recovery exercises
5. Data Subject Rights Support
5.1 Rights Fulfillment Process
We provide comprehensive support for the exercise of data subject rights:
- Request verification within 72 hours
- Identity confirmation using secure procedures
- Data location and impact assessment
- Response preparation and customer coordination
- Implementation of requested actions
- Confirmation and documentation
5.2 Customer Support Tools
- API endpoints for automated data subject request handling
- Administrative tools for data identification and extraction
- Secure deletion verification and certification
- Data portability in standard formats (JSON, CSV)
6. International Data Transfers
6.1 EU Data Residency
Our primary commitment is to EU data residency:
- All customer infrastructure hosted in EU data centers
- Customer data processing within the European Economic Area
- EU-based staff for data access and support operations
- EU vendors preferred for critical service components
6.2 Limited Third Country Transfers
When third country transfers are necessary, we ensure adequate protection:
- Standard Contractual Clauses (Module 2 - Controller to Processor)
- Additional safeguards beyond SCC requirements
- Regular adequacy assessments for third country risks
- Encryption and pseudonymization for transferred data
7. Breach Notification and Response
7.1 Incident Response Timeline
- 0-4 hours: Initial detection and containment
- 4-24 hours: Impact assessment and risk evaluation
- 24-72 hours: Supervisory authority notification (if required)
- 72+ hours: Data subject notification (if high risk)
- Ongoing: Remediation, monitoring, and prevention measures
7.2 Customer Notification
Customers are promptly notified of any personal data breaches affecting their data, including:
- Description of the breach and affected data categories
- Likely consequences and potential risks to data subjects
- Measures taken to address the breach and mitigate harm
- Recommendations for customer actions and communications
8. Compliance Monitoring and Auditing
8.1 Internal Compliance Program
- Quarterly GDPR compliance reviews and assessments
- Annual Data Protection Impact Assessments (DPIAs)
- Regular policy updates based on regulatory guidance
- Staff compliance training and certification programs
8.2 External Audits and Certifications
- Annual external GDPR compliance audits
- ISO 27001 information security certification
- SOC 2 Type II security and availability controls
- Regular penetration testing and vulnerability assessments
8.3 Customer Audit Rights
Customers have the right to audit our data processing activities through:
- Access to compliance certifications and audit reports
- Questionnaire-based compliance assessments
- On-site audits (with reasonable notice and scope)
- Third-party audit coordination and facilitation
9. Contact and Support
9.1 Data Protection Office
For all GDPR-related inquiries and requests:
- Email: dpo@vortcloud.com
- Subject Line: "GDPR Inquiry - [Type of Request]"
- Response Time: Initial response within 72 hours
- Resolution Time: Complete response within 30 days
9.2 Technical Support for GDPR
Our technical support team can assist with:
- Data location and mapping within your infrastructure
- Implementation of data subject request procedures
- Configuration of privacy-enhancing technologies
- Integration with GDPR compliance tools and APIs