Data residency & GDPR
Where your data lives, how it's protected in transit across borders, and what your options are — the canonical answers for procurement and privacy reviews.
Where your data lives, how it's protected in transit across borders, and what your options are — the canonical answers for procurement and privacy reviews.
OptiSigns is hosted in the United States by default. The application and managed services run on DigitalOcean (US), object storage and CDN on AWS (US), and the primary application database — all fronted by Cloudflare's global edge, with origin data staying in the US.
OptiSigns owns no data centers; the platform is 100% cloud-hosted, and physical security is inherited from the cloud providers' audited data-center controls — an inheritance covered in our SOC 2 Type 2 report.
Our Controller-to-Processor Data Processing Addendum with GDPR Article 28 terms is public. EU transfers rely on the EU Standard Contractual Clauses (Module Two, Controller-to-Processor), attached to the DPA; a UK ICO IDTA Addendum is appended for UK customers. Our technical and organisational measures are documented in the DPA's Annex II.
If a personal data breach affects your data, we notify you without undue delay upon becoming aware of it — the DPA commitment, consistent with GDPR. We also assist with data-subject requests and with GDPR Articles 32–36 obligations, and the authorized subprocessor list carries 14 days advance written notice of changes with a right to object.
There is no such thing as "GDPR certified" — no GDPR certification exists. Our posture is the DPA, the SCCs, and the audited controls behind them.
EU residency (Frankfurt/Amsterdam) and UK residency (London) are available on the Engage plan. Once enabled, new uploads are stored in the EU/UK region; pre-existing content stays where it is unless re-uploaded.
Residency options today are US (default) and EU/UK on Engage — we don't claim other regions.
Users can download and delete their data self-serve in the platform, and a published deletion-request process covers everything else — practical answers to GDPR Article 15 and 17 requests.
On termination, customer data is returned or disposed of per the DPA's terms. Backups are encrypted, monitored, and access-restricted throughout their lifecycle.
Send us a message and we’ll get back to you as soon as possible.