Sikurd is a US-based SaaS that operates as a processor on behalf of MSP customers — most of whom are themselves processors for their end customers. GDPR compliance is a continuous program, not a check-box. This page summarises where we are.
For specifics about your tenant, your data, or your customers’ data, email privacy@sikurd.com. We respond within 5 business days. Data Subject Access Requests (DSARs) are honoured within the statutory 30 days, usually within 72 hours.
In place today
Programs and controls live in production. These are what customers can rely on right now under their DPA with us.
Privacy policy with GDPR Article 13/14 disclosures
✓ LiveData categories, legal basis per category, retention periods, transfer mechanism, data subject rights with how to exercise them, supervisory authority contact info.
Data Processing Agreement (DPA) with SCCs
✓ LiveArticle 28 processor obligations, Standard Contractual Clauses (Module Two) for international transfers, breach notification SLA, sub-processor change notice, audit rights, data deletion on termination.
Sub-processor disclosure
✓ LiveEvery third party that touches customer data, with purpose, location, transfer mechanism, and a link to their own DPA. Versioned changelog, plus a self-serve subscription for 30-day advance notice of changes.
View the list & subscribe to change notices →Data subject rights: access, portability, erasure, restriction
✓ LiveExport your data, delete your account or your whole organization, restrict processing (pause all monitoring, alerting, and backups without deleting anything — and resume just as easily), manage marketing consent, and correct your profile. All self-serve from account settings, with a 30-day cancel window on deletion to prevent accidents. Objection requests are handled via privacy@sikurd.com.
Marketing consent separated from account signup
✓ LiveSignup is consent to transactional email only (billing, security, onboarding). Marketing email requires explicit opt-in, with timestamped audit trail. Opt-out preserved as evidence of compliance with Art 7(1).
Consent audit log
✓ LiveEvery consent change — cookie banner acceptance, privacy-policy acceptance, marketing opt-in/out, DSAR requests — recorded with IP, user agent, and timestamp.
Cookie notice + standalone cookie policy
✓ LiveStrictly-necessary cookies only (session, CSRF, theme preference). No third-party analytics, advertising, or tracking. Disclosed up-front to every visitor, with a full per-cookie inventory — name, purpose, lifespan — published as a standalone policy.
Read the cookie policy →Encryption at rest + in transit
✓ LiveAES-256-GCM for sensitive credentials, TLS 1.3 for all customer traffic. Encryption keys rotatable via versioned envelope format.
Documented data-retention windows
✓ LiveEach data category has a retention limit enforced by an automated daily sweep. Soft-deleted records purge to hard-deleted on schedule.
Breach response runbook + named security contact
✓ LiveA maintained internal incident-response runbook drives the process: triage, supervisory-authority notification within 72 hours (Art. 33), affected data subjects without undue delay (Art. 34), and customer notice per the DPA. Our named security contact — Evan Fannin, founder — owns every step. Report a suspected incident to privacy@sikurd.com.
What’s next
GDPR compliance is a continuous program, and we keep extending it. If a specific control, certification, or timeline is a buying criterion for your organisation, email privacy@sikurd.com and we’ll walk you through our current roadmap, usually under NDA.
Questions, audits, or specific requests
Email privacy@sikurd.com — we handle DSARs, security questionnaires, DPA negotiations, and sub-processor questions through that address. For breach reports or suspected incidents involving your data, the same email reaches our security contact, Evan Fannin, directly.
This page is informational and isn’t a substitute for your DPA or the privacy policy. The DPA is the contractual document; this page explains how we operate the program behind it.