Data residency & GDPR

Where your data lives, how it's protected in transit across borders, and what your options are — the canonical answers for procurement and privacy reviews.

Where your data lives (US default)

OptiSigns is hosted in the United States by default. The application and managed services run on DigitalOcean (US), object storage and CDN on AWS (US), and the primary application database — all fronted by Cloudflare's global edge, with origin data staying in the US.

OptiSigns owns no data centers; the platform is 100% cloud-hosted, and physical security is inherited from the cloud providers' audited data-center controls — an inheritance covered in our SOC 2 Type 2 report.

  • Engage plan and above can request regional data residency for data.

EU & UK customers — GDPR posture

Our Controller-to-Processor Data Processing Addendum with GDPR Article 28 terms is public. EU transfers rely on the EU Standard Contractual Clauses (Module Two, Controller-to-Processor), attached to the DPA; a UK ICO IDTA Addendum is appended for UK customers. Our technical and organisational measures are documented in the DPA's Annex II.

If a personal data breach affects your data, we notify you without undue delay upon becoming aware of it — the DPA commitment, consistent with GDPR. We also assist with data-subject requests and with GDPR Articles 32–36 obligations, and the authorized subprocessor list carries 14 days advance written notice of changes with a right to object.

There is no such thing as "GDPR certified" — no GDPR certification exists. Our posture is the DPA, the SCCs, and the audited controls behind them.

EU & UK data residency option

EU residency (Frankfurt/Amsterdam) and UK residency (London) are available on the Engage plan. Once enabled, new uploads are stored in the EU/UK region; pre-existing content stays where it is unless re-uploaded.

Residency options today are US (default) and EU/UK on Engage — we don't claim other regions.

Retention & deletion

Users can download and delete their data self-serve in the platform, and a published deletion-request process covers everything else — practical answers to GDPR Article 15 and 17 requests.

On termination, customer data is returned or disposed of per the DPA's terms. Backups are encrypted, monitored, and access-restricted throughout their lifecycle.