Security

Overview

GDPR Register provides a secure and compliant Software-as-a-Service (SaaS) platform for managing privacy and data protection documentation. Our infrastructure, hosted on Amazon Web Services (AWS) within the European Union, follows best-in-class security practices and privacy-by-design principles. We continuously improve our security features and controls to protect your data.

Data Center Location

The GDPR Register application (https://app.gdprregister.eu) is operated on Amazon Web Services (AWS) infrastructure in the EU-Central region (Frankfurt, Germany).

AWS infrastructure has been certified for the strictest industry standards, including:

  • ISO 27001, ISO 9001, ISO 27017, ISO 27018
  • PCI DSS Level 1
  • SOC 1, SOC 2, SOC 3
  • HIPAA, GDPR, FedRAMP, FIPS, and more

Full list of AWS Certifications, Regulations and Frameworks

Data Center Security

AWS data centers are secure by design, with multiple layers of physical and environmental controls, including:

  • 24/7 professional security staff and continuous video surveillance
  • Intrusion detection systems
  • Fire detection and suppression systems
  • Redundant electrical power and uninterruptible power supply (UPS)

Full list of AWS Data Center Controls

Data Encryption and Communications

GDPR Register employs AWS Relational Database Service (RDS) to securely store all data.
Data is encrypted at rest using AWS Key Management Service (KMS), which uses FIPS 140-2 validated hardware security modules to protect encryption keys.

All uploaded documents are stored within the same encrypted database environment.

All connections to the GDPR Register service are protected with TLS 1.2 transport layer security; the server certificate uses a 2048-bit RSA key with the SHA256withRSA signature algorithm.

Authentication

Users can enable Multi-Factor Authentication (MFA) for added account security.
During login, a one-time password (OTP) is delivered to the user’s phone by SMS or through the Authy mobile application.
MFA can be activated directly from User Settings.

Reliability and Data Protection

To ensure reliability, GDPR Register uses AWS Elastic Load Balancing (ELB) across multiple application servers, automatically scaling with system load.

Automated encrypted backups are created several times per day.
As an additional protection measure, a daily offsite backup of encrypted data is securely transferred to the Zone Media Data Center in Tallinn, Estonia (EU member state).

Auditing

GDPR Register includes an Audit Trail that logs every user login and data transaction, including record creation, modification, and deletion.

Secure Development Standards

We follow the OWASP Top 10 Most Critical Web Application Security Risks to ensure our application is designed and maintained using industry-recommended security principles.
Our platform is built on the Laravel PHP framework, which provides built-in protections against CSRF, XSS, and SQL injection vulnerabilities.

External Service Providers

Chargebee
GDPR Register utilises Chargebee as a subscription billing provider for managing customer billing.
Chargebee is a PCI Data Security Standard (PCI DSS) Level 1 certified provider.
See Chargebee’s Security Overview

Stripe
Stripe is used as a payment gateway for credit card transactions and is tightly integrated with Chargebee.
Stripe is audited by an independent PCI Qualified Security Assessor (QSA) and certified as a PCI DSS Level 1 Service Provider.
View Stripe’s Security and Compliance Details

Intercom
Intercom provides our online chat and customer support services, integrated securely via JavaScript.
Intercom adheres to GDPR and other global privacy frameworks, and is hosted on industry-certified secure infrastructure.
Read Intercom’s Security Overview

Twilio
Twilio enables two-factor authentication (2FA) via Authy or SMS when enabled by the client.
Data is primarily processed in the EEA, with potential transfer of phone numbers to third countries if required by the user’s mobile network.
Twilio complies with GDPR and maintains ISO 27001 certification.
Learn More About Twilio Security

Vulnerability Scanning and Patching

We perform regular vulnerability scans using authorised security software, including Tenable.io, a PCI DSS Approved Scanning Vendor (ASV).
Detected vulnerabilities are promptly assessed and patched as part of our secure development lifecycle.

Business Continuity

GDPR Register maintains a multi-region backup and recovery strategy.
In the unlikely event of a service interruption in the primary AWS Frankfurt region, systems can be restored in the AWS Ireland region within hours.
Offsite backups in Tallinn, Estonia provide additional resilience to ensure business continuity, even in extreme scenarios.

Internal Organisational Measures

GDPR Register implements strict internal security and privacy governance to protect customer data.
Access to systems and data is restricted based on the principle of least privilege, and all employees are subject to confidentiality obligations.

Our internal controls include:

  • Access Management: Role-based access control, mandatory MFA, and periodic access reviews.
  • Security Awareness: Regular employee training on data protection, phishing prevention, and secure development practices.
  • Policies and Procedures: GDPR Register follows established internal practices and guidelines for information security, incident management, and data handling, which are periodically reviewed and improved.
  • Vendor Management: Risk assessments and contractual safeguards for all third-party service providers.
  • Incident Response: Defined processes for detecting, reporting, and resolving security incidents promptly.

These organisational measures ensure that security and privacy are embedded in daily operations and throughout the entire lifecycle of the GDPR Register service.