GDPR Compliance
Last updated: December 2024
1. Our Commitment to GDPR
At Entira, we are fully committed to compliance with the General Data Protection Regulation (GDPR). This document outlines how Enterprise Architecture Brain (EA Brain) meets GDPR requirements and protects your data.
2. Data Residency
2.1 EU-Only Data Storage
All your data is stored and processed exclusively within the European Union.
- Primary data storage: EU data centers
- Backup and disaster recovery: EU locations only
- No data transfers outside the EU
2.2 Sub-processors
We carefully select sub-processors that maintain EU data residency and GDPR compliance:
- Cloudflare: Edge network and DDoS protection (EU regions)
- Clerk: Authentication services (EU data processing)
3. Data Protection Measures
3.1 Technical Measures
- Encryption in Transit: All data transmitted using TLS 1.3
- Encryption at Rest: AES-256 encryption for stored data
- Access Controls: Role-based access with multi-factor authentication
- Network Security: Firewalls, intrusion detection, DDoS protection
- IP Anonymization: IP addresses are anonymized in logs for privacy
3.2 Organizational Measures
- Regular security training for all employees
- Data protection impact assessments (DPIAs)
- Documented security policies and procedures
- Incident response and breach notification procedures
- Regular third-party security audits
4. Data Subject Rights
We support all GDPR data subject rights:
| Right | Description | How We Support It |
|---|---|---|
| Access | Obtain a copy of your personal data | Export feature in account settings or upon request |
| Rectification | Correct inaccurate personal data | Self-service in account settings or upon request |
| Erasure | Delete your personal data | Account deletion in settings or upon request |
| Restriction | Limit processing of your data | Upon request via privacy@eabrain.eu |
| Portability | Receive data in machine-readable format | JSON/CSV export available |
| Objection | Object to certain processing | Upon request via privacy@eabrain.eu |
How to Exercise Your Rights
To exercise any of your rights, contact us at privacy@eabrain.eu. We will respond within 30 days as required by GDPR.
5. Lawful Basis for Processing
We process personal data under the following legal bases:
- Contract Performance (Article 6(1)(b)): Processing necessary to provide our services to you
- Consent (Article 6(1)(a)): For marketing communications and waitlist registration
- Legitimate Interest (Article 6(1)(f)): For security, fraud prevention, and service improvement
- Legal Obligation (Article 6(1)(c)): To comply with applicable laws
6. Data Processing Agreement (DPA)
For B2B customers, we offer a Data Processing Agreement that covers:
- Detailed description of processing activities
- Sub-processor list and notification procedures
- Technical and organizational measures
- Data breach notification procedures
- Audit rights
- Data deletion and return procedures
To request a DPA, contact us at enterprise@eabrain.eu.
7. Cookies and Tracking
7.1 Essential Cookies Only
We use only essential cookies necessary for the operation of our service. These include:
- Authentication session cookies
- Security cookies (CSRF protection)
- Load balancing cookies
7.2 No Tracking
We do not use tracking cookies, advertising cookies, or third-party analytics that track users across websites. Your privacy is our priority.
8. Data Breach Procedures
In the event of a personal data breach, we will:
- Investigate and contain the breach within 24 hours
- Notify the relevant supervisory authority within 72 hours (if required)
- Notify affected data subjects without undue delay (if required)
- Document the breach and remediation measures
- Review and improve security measures
9. International Transfers
We do not transfer personal data outside the European Economic Area (EEA).
All our infrastructure, including backup systems and sub-processors, operates within the EU. This ensures your data benefits from the full protection of EU data protection laws.
10. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days |
| Usage logs | 90 days (anonymized) |
| Support tickets | 2 years after resolution |
| Billing records | As required by tax law (typically 7 years) |
| Waitlist data | Until service launch or upon deletion request |
11. AI and Your Data
Your data is never used to train AI models.
- Your content is processed only to provide the service to you
- Each organization's data is completely isolated
- No cross-customer data sharing or learning
- You maintain full control over your data
12. Contact Our Data Protection Team
For any GDPR-related inquiries:
- Data Protection Email: privacy@eabrain.eu
- DPA Requests: enterprise@eabrain.eu
- General Inquiries: hello@eabrain.eu
13. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. For users in the Slovak Republic, this is:
Office for Personal Data Protection of the Slovak Republic
Hraničná 12
820 07 Bratislava 27
Slovak Republic
https://dataprotection.gov.sk