
GDPR & UK GDPR Compliance

How Iedeo Tech Labs designs, contracts and operates for the GDPR (Regulation (EU) 2016/679), the UK GDPR and the Data Protection Act 2018 across every European engagement.

Last updated: May 19, 2026 · Owner: Iedeo Data Protection Lead · [email protected]

1. Our role under GDPR

For most engagements, Iedeo acts as a data processor on behalf of the client, who is the data controller. We process personal data only on documented instructions from the controller, captured in our standard Data Processing Agreement (DPA).

For our own marketing, recruitment, and support of www.iedeo.com, we act as a data controller. See our Privacy Notice for that scope.

2. Data Processing Agreement (DPA)

We sign a GDPR Article 28-compliant DPA on every engagement involving EU personal data. Our standard DPA covers:

  • Subject matter, duration, nature and purpose of processing
  • Type of personal data and categories of data subjects
  • Obligations and rights of the controller
  • Confidentiality of personnel processing data
  • Security of processing (Article 32)
  • Sub-processor engagement rules (Article 28(2))
  • Assistance with data subject requests (Articles 12-22)
  • Assistance with security, DPIAs and prior consultation (Articles 32-36)
  • Deletion or return of personal data at end of engagement
  • Audit rights for the controller

We accept controller-issued DPAs and offer our template if preferred. Standard turnaround: 2-3 business days for legal review.

3. Lawful basis

Iedeo does not determine the lawful basis on behalf of clients. We support the lawful basis identified by the controller (contract, consent, legitimate interests, legal obligation, vital interests or public task) and design controls accordingly, for example consent-capture flows where consent is the basis, or contract-execution-only processing where contract is the basis.

4. Sub-processor list

We maintain a current list of sub-processors used for engagements processing EU personal data:

  • AWS — primary cloud, EU regions (eu-central-1, eu-west-1, eu-west-3)
  • OpenAI — LLM provider (where chosen by client); zero-retention API enabled by default; not used where data residency forbids
  • Anthropic (Claude) — LLM provider (where chosen by client); zero-retention enabled
  • Google Cloud (Gemini) — LLM provider (where chosen by client)
  • Self-hosted Llama 3 / Mistral — used when external API providers are not permitted
  • Stripe / Wise — invoicing; these handle only Iedeo's own billing data for the client (where Iedeo is the controller), never personal data processed on the controller's behalf
  • HubSpot / Notion — internal sales and project management; listed for transparency, as client personal data is never placed in these tools

Clients are notified at least 30 days before any new sub-processor is engaged and have the right to object.

5. Cross-border transfers (Schrems II)

Iedeo's engineering team is based in Chennai, India, and India has no EU adequacy decision. Where Iedeo personnel access EU personal data for development, support or operations, the resulting transfer to India is governed by:

  • Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914, Module Two (controller to processor), incorporated in our DPA
  • Transfer Impact Assessment (TIA) — completed per engagement; available on request
  • Supplementary measures — encryption in transit and at rest, role-based access control, audit logging, least-privilege defaults

For data-residency-strict engagements we deploy entirely in EU regions with no Iedeo personnel access to identifiable personal data — only operational metadata and aggregated logs.

6. Data subject requests (DSR)

Per GDPR Articles 12-22, data subjects have rights of access, rectification, erasure, restriction, objection, portability, and rights related to automated decision-making.

Iedeo as a processor:

  • Routes any DSR received directly to the controller within 24 hours
  • Provides controller-requested data extracts within 5 business days
  • Implements controller-requested deletions within 7 business days
  • Maintains audit logs of all DSR-related operations

7. Security of processing (Article 32)

Standard security controls on every EU engagement:

  • Encryption in transit (TLS 1.3+) and at rest (AES-256)
  • Role-based access control with least privilege
  • MFA enforced on all Iedeo internal accounts
  • Audit logs retained for 12 months (extendable per controller request)
  • Secrets management via AWS Secrets Manager / HashiCorp Vault
  • VPC isolation between client environments
  • PII redaction in logs (per client schema)
  • Quarterly vulnerability scans, annual penetration tests
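The "PII redaction in logs (per client schema)" control above is the one most often asked about, so here is an added, self-contained illustration of how such a control can work. It is not Iedeo's code: the schema shape (per-field actions of keep, hash or drop, with an unknown-field default), the field names, the key and the sample log lines are all constructed for the example. Two design points a practitioner would want: unknown fields are redacted by default, so new personal data added upstream never passes through silently, and identifiers that must stay correlatable across events are replaced with a keyed HMAC pseudonym rather than dropped.

```python
"""Schema-driven PII redaction for structured (JSON) log lines.

Added example, not Iedeo's code. The client schema format, field names, key
and sample log lines below are constructed for illustration.
"""
import hashlib
import hmac
import json
import re

# Constructed client schema (hypothetical shape). Per-field actions:
#   "drop": replace the value with a fixed marker
#   "hash": replace with a keyed pseudonym so events for the same subject
#           stay correlatable in the logs without exposing the identifier
#   "keep": leave the value, but still scrub identifiers from free text
# Fields not listed fall back to "default", so new PII added upstream is
# redacted rather than silently passed through.
CLIENT_SCHEMA = {
    "fields": {
        "event": "keep",
        "path": "keep",
        "user_id": "hash",
        "email": "hash",
        "full_name": "drop",
        "ip": "drop",
    },
    "default": "drop",
}

# Constructed key for the example only; in production it would come from a
# secrets manager and be rotated per engagement.
PSEUDONYM_KEY = b"example-engagement-key-rotate-me"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256, truncated; same input and key give the same token."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "hmac:" + digest[:16]


def scrub_text(text: str) -> str:
    """Replace e-mail addresses and IPv4 literals embedded in free text."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    return IPV4_RE.sub("[IP]", text)


def redact_event(event: dict, schema: dict, key: bytes) -> dict:
    """Apply the schema to one parsed log event, recursing into kept nested objects."""
    fields = schema["fields"]
    default = schema.get("default", "drop")
    out = {}
    for name, value in event.items():
        action = fields.get(name, default)
        if action == "drop":
            out[name] = "[REDACTED]"
        elif action == "hash":
            out[name] = pseudonymise(str(value), key)
        elif isinstance(value, dict):
            out[name] = redact_event(value, schema, key)
        elif isinstance(value, str):
            out[name] = scrub_text(value)
        else:
            out[name] = value
    return out


def redact_log_line(line: str, schema: dict, key: bytes) -> str:
    """Redact one log line. Lines that are not JSON objects get text scrubbing only."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return scrub_text(line)
    if not isinstance(event, dict):
        return scrub_text(line)
    return json.dumps(redact_event(event, schema, key), sort_keys=True)


# Constructed sample log lines (example.org address, documentation-range IPs).
SAMPLE_LINES = [
    '{"event": "login", "user_id": "u-1042", "email": "ana.perez@example.org", '
    '"ip": "203.0.113.7", "session_token": "tok_abc123", "path": "/account"}',
    '{"event": "search", "user_id": "u-1042", "full_name": "Ana Perez", '
    '"path": "/search?q=ana.perez@example.org"}',
    "WARN retry exhausted for ana.perez@example.org from 198.51.100.23",
]


def redact_sample() -> list:
    """Run the redactor over the constructed sample lines."""
    return [redact_log_line(line, CLIENT_SCHEMA, PSEUDONYM_KEY) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for redacted in redact_sample():
        print(redacted)
```

Running the block prints the three sample lines with `email` and `user_id` replaced by stable `hmac:` tokens, `full_name`, `ip` and the unlisted `session_token` replaced by `[REDACTED]`, the address inside the `path` query string scrubbed, and the non-JSON warning line scrubbed by pattern. The pseudonym key is what makes the tokens reversible only to whoever holds it; keeping it in the engagement's secrets store rather than in the logging pipeline's configuration is the point of the control.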

8. Personal data breach notification

Iedeo notifies the controller without undue delay (target: within 24 hours of becoming aware) of any personal data breach affecting client data, so that the controller can meet its own 72-hour deadline for notifying the supervisory authority under Article 33. Notification includes the nature of the breach, the categories and approximate numbers of data subjects affected, the likely consequences, and the measures taken or proposed.

9. DPIA support

For processing likely to result in a high risk to data subjects (GDPR Article 35), including high-risk AI systems under the EU AI Act, we contribute architecture, threat-modelling and risk-mitigation inputs to the controller's DPIA. We can deliver a DPIA-input pack within 5 business days of scope freeze.

10. EU AI Act alignment

For AI use cases falling under the EU AI Act, Iedeo classifies the deployment by risk category and implements applicable controls:

  • High-Risk: risk management system, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy/robustness/cybersecurity, conformity assessment readiness
  • Limited Risk (e.g., chatbots): transparency obligation — users informed they are interacting with AI
  • Minimal Risk: voluntary codes of conduct, baseline good practice

See our Europe AI services page for engagement-level detail.

11. UK GDPR & DPA 2018

For UK engagements we operate under the UK GDPR and the Data Protection Act 2018. Differences from the EU GDPR are minimal but tracked, most notably the role of the ICO as supervisory authority, the UK's own adequacy regulations, and any UK-specific derogations. For transfers of UK personal data to India we sign the ICO's International Data Transfer Addendum to the EU SCCs where appropriate.

12. Records of processing activities

Iedeo maintains an internal Record of Processing Activities (ROPA) per Article 30, listing all controller engagements where we act as processor. Available on request from the controller.

13. Contact

For GDPR-related questions, DPA requests, sub-processor questions, audit requests, or DSR routing:

  • Email: [email protected]
  • Data Protection Lead: Iedeo Tech Labs Private Limited
  • Address: First Floor, No 5, 2nd Cross St, Vijaya Nagar, Velachery, Chennai 600042, India

Discuss your EU engagement

Book a 30-minute call to walk through your GDPR and EU AI Act needs. We will share our DPA template, sub-processor list, and a tailored architecture sketch.
