Trust

GDPR program

Last updated May 28, 2026

Sikurd is a US-based SaaS that operates as a processor on behalf of MSP customers — most of whom are themselves processors for their end customers. GDPR compliance is a continuous program, not a check-box. This page summarises where we are.

For specifics about your tenant, your data, or your customers’ data, email privacy@sikurd.com. We respond within 5 business days. Data Subject Access Requests (DSARs) are honoured within the statutory 30 days, usually within 72 hours.

In place today

Programs and controls live in production. These are what customers can rely on right now under their DPA with us.

  • Privacy policy with GDPR Article 13/14 disclosures

    ✓ Live

    Data categories, legal basis per category, retention periods, transfer mechanism, data subject rights with how to exercise them, supervisory authority contact info.

  • Data Processing Agreement (DPA) with SCCs

    ✓ Live

    Article 28 processor obligations, Standard Contractual Clauses (Module Two) for international transfers, breach notification SLA, sub-processor change notice, audit rights, data deletion on termination.

  • Sub-processor disclosure

    ✓ Live

    Every third party that touches customer data, with purpose, location, transfer mechanism, and a link to their own DPA. Versioned changelog.

  • Data subject rights — access, portability, erasure, restriction

    ✓ Live

    Export your data, delete your account, manage marketing consent, request rectification — all self-serve from your account settings. 30-day cancel window on deletion to prevent accidents.

  • Marketing consent separated from account signup

    ✓ Live

    Signup is consent to transactional email only (billing, security, onboarding). Marketing email requires explicit opt-in, with a timestamped audit trail. Opt-out records are preserved as evidence of compliance with Article 7(1).

  • Consent audit log

    ✓ Live

    Every consent change — cookie banner acceptance, privacy-policy acceptance, marketing opt-in/out, DSAR requests — recorded with IP, user agent, and timestamp.

  • Cookie notice

    ✓ Live

    Strictly-necessary cookies only (session, CSRF, theme preference). No third-party analytics, advertising, or tracking. Disclosed up-front to every visitor.

  • Encryption at rest + in transit

    ✓ Live

    AES-256-GCM for sensitive credentials, TLS 1.3 for all customer traffic. Encryption keys rotatable via versioned envelope format.

  • Documented data-retention windows

    ✓ Live

    Each data category has a retention limit enforced by an automated daily sweep. Soft-deleted records purge to hard-deleted on schedule.

  • Breach notification process

    ✓ Live

    Documented 72-hour notification SLA for the supervisory authority and any data subjects whose data is materially affected, per Articles 33 and 34. Triage runbook in place.

In progress

Active work — not finished, but on the near-term path. If any of these is a buying criterion for your organisation, tell us — we can usually share a more specific timeline under NDA.

  • Article 27 EU + UK representative

    In progress

    Designating a representative service so EU and UK data subjects + supervisory authorities have a named contact in-jurisdiction. Standard practice for non-EU-based SaaS — coming this quarter.

  • Counsel review of the DPA

    In progress

    External privacy counsel reviewing the published DPA + SCCs annex. We'll publish the reviewed version once that's complete; customers can request the current draft via privacy@sikurd.com.

  • Detailed cookie inventory in the privacy policy

    In progress

    Enumerating every cookie name, purpose, and lifespan in the privacy policy. The cookie list itself is short (strictly-necessary only); this is about documenting it to the granularity that some EU member-state guidelines prefer.

  • Sub-processor change subscription

    In progress

    Self-serve mailing list for customers who want advance notice of new sub-processors. Until this ships, opt in by emailing privacy@sikurd.com — we'll add you to the manual list.

On the roadmap

Scoped, not yet started. Listed here so customers can see what we expect to add over the next year. Order may change based on what prospects + customers actually ask for.

  • EU data residency option

    Roadmap

    Stand up an EU-region Postgres + edge deployment for customers whose end-customer base requires data to stay in-region. Current US infrastructure is covered by SCCs; this is for regulated-industry MSP customers (healthcare, banking, public sector) who need something stricter than SCCs alone.

  • Data Protection Impact Assessment (DPIA)

    Roadmap

    Formal DPIA covering the AI-summary feature and the active-call records pipeline — both touch the boundary of 'high-risk' processing under Article 35. Useful artifact for enterprise procurement reviews.

  • Independent third-party security review

    Roadmap

    SOC 2 Type II is the security artifact MSP customers ask for most. Scoped for the next-but-one quarter; it will be paired with annual penetration testing.

Questions, audits, or specific requests

Email privacy@sikurd.com — we handle DSARs, security questionnaires, DPA negotiations, and sub-processor questions through that address. For breach reports or suspected incidents involving your data, the same email reaches our on-call response.

This page is informational and isn’t a substitute for your DPA or the privacy policy. The DPA is the contractual document; this page explains how we operate the program behind it.