GDPR · Article 28 Processor
GDPR compliance.
DialPhone processes customer personal data as a Processor under GDPR Article 28. EU data residency, SCCs, and a published DPA make compliance straightforward for EU-based customers and US customers with EU data subjects.
GDPR compliance is binary at the surface — a vendor either signs a Data Processing Agreement and offers EU residency, or they do not — but in practice the implementation details around transfer mechanisms, subprocessor change notice, and data-subject-rights tooling determine whether the vendor is genuinely usable by an EU-based controller. DialPhone is a Processor for customer personal data under Article 28; the customer (typically the business using DialPhone) is the Controller for the data their employees and end-users generate inside the service.
Three transfer mechanisms apply depending on where the controller and the data subject sit. For EU-to-EU transfers, EU data residency means the data does not leave EU regions (Frankfurt and Dublin) unless the customer enables cross-region replication explicitly. For EU-to-non-EU transfers, the Standard Contractual Clauses (2021 Module Two) attach to the Data Processing Agreement automatically. For UK transfers, the UK International Data Transfer Addendum (IDTA) attaches; for Swiss transfers, the Swiss FADP addendum.
Data-subject-rights tooling lives in the admin portal: access, export, and deletion requests for any user under your DialPhone account complete inside the product. For cases where DialPhone needs to assist (e.g. requests that involve subprocessor data or backup archives), the [email protected] channel handles the response within statutory deadlines. The subprocessor registry publishes the full list with 30-day advance notice of any change. For broader privacy posture, see the privacy commitments page.
Measures
Technical & organizational
- EU data residency option (Frankfurt, Dublin) with no cross-region replication unless customer-enabled
- Standard Contractual Clauses (SCCs) for transfers outside the EEA
- UK International Data Transfer Addendum (IDTA) for UK transfers
- Swiss FADP addendum for Swiss transfers
- Data Processing Agreement (DPA) executed with every paid plan, auto-incorporated into Terms
- Appointed EU Representative per GDPR Article 27
- Data Protection Officer (DPO) for privacy inquiries
- 72-hour breach notification to Controllers
- Subprocessor registry with 30-day advance change notices
Data Subject Rights
Rights supported
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Rights related to automated decision-making (Art. 22)
GDPR FAQ
Is DialPhone GDPR compliant?
Yes. DialPhone processes personal data per GDPR Article 28 as Processor for customers who are Controllers. The DPA is auto-incorporated into every paid subscription; the SCCs cover transfers where needed.
Where is EU customer data stored?
EU regions only (Frankfurt, Dublin) when EU residency is enabled, which is the default for EU-billed accounts. Data does not cross regions without customer-enabled cross-region replication.
Do you have an EU Representative?
Yes, appointed per GDPR Article 27 for non-EU-established entities. Contact details are available via [email protected].
How do I respond to a Data Subject Rights request?
Tools inside the admin portal handle access, export, and deletion requests for data in DialPhone. For requests DialPhone needs to assist with, contact [email protected].
Can I execute a signed DPA?
The DPA at /legal/dpa is auto-incorporated. Countersigned paper copies for procurement: request via [email protected].
Who is the Data Protection Officer?
DialPhone's DPO is reachable at [email protected]. Named individual details are provided under NDA to regulated-industry customers.