GDPR Commitment

Last Updated: April 4, 2026

1. Our Commitment to Data Privacy

Conboarding is deeply committed to compliance with the General Data Protection Regulation (GDPR). We recognize that as a platform designed to collect sensitive onboarding data, digital signatures, and secure secrets, we must adhere to the highest standards of data protection and privacy for our users in the European Economic Area (EEA) and the UK.

2. Controller vs. Processor Dynamics

Under GDPR, the distinction between a Data Controller and a Data Processor is vital. Here is how Conboarding operates:

  • You (The Agency) are the Data Controller: When you use Conboarding to request documents, personal info, or secrets from your clients, you determine the purpose and means of processing that data. You are responsible for ensuring you have a lawful basis to collect this data from your clients.
  • We (Conboarding) are the Data Processor: We simply provide the infrastructure (the software, servers, and encryption) to process your clients' data strictly on your behalf, according to your configurations.
  • We are a Controller for Agency Data: For the billing and account data of the Agency owners themselves, we act as the Data Controller.

3. Data Processing Agreement (DPA)

For our agency customers subject to GDPR, our standard Data Processing Agreement (DPA) is pre-incorporated into our Terms of Service. By utilizing Conboarding to process the personal data of European residents, you automatically enter into this DPA with us, satisfying Article 28 of the GDPR.

4. Sub-processors

To provide a world-class platform, we engage trusted third-party sub-processors. We have established appropriate DPAs with all of them:

  • Supabase: For secure database storage and authentication.
  • Vercel: For cloud hosting and infrastructure.
  • Paddle: Acting as our Merchant of Record for secure billing and subscription management.
  • AI Providers: For AI transcription and Auto-Fill features. (We enforce strict zero-retention policies, ensuring no personal data is used to train their models.)

5. Data Subject Rights

Conboarding’s platform is built to help Agencies fulfill their GDPR obligations to their Data Subjects (clients):

  • Right to Erasure (Right to be Forgotten): Agencies can easily delete client profiles, which cascade-deletes all associated files, submissions, and records from our databases.
  • Right to Access & Portability: Agencies can export client submissions and asset repositories to standard formats (.csv, .zip) to fulfill access requests.
  • Right to Rectification: Client portals can be unlocked to allow end-users to correct inaccurate information.

6. Security and Encryption

We implement robust technical and organizational measures to ensure a level of security appropriate to the risk. This includes SSL/TLS encryption for data in transit, AES-256 encryption for data at rest, and specific cryptographic handling for "Secure Secret" fields, ensuring GDPR compliance via security by design.

7. Contact our DPO

If you have any questions regarding our GDPR compliance, need to report a potential data breach, or wish to request a signed copy of our Data Processing Agreement, please contact our Data Protection Officer at:
dpo@conboarding.com