Cyphic provides enterprise-grade data security and satisfies its customers’ GDPR requirements acting as a data processor under Article 28. Our standard Data Processing Addendum (DPA) incorporating approved structural safeguards is automatically appended to our standard terms for all platform tiers.
1. Operational Framework Roles
We operate under a clearly segregated data responsibility model to ensure absolute compliance with cross-border mandates:
- Customer: Acts as the sole Controller of end-user personal data processed via our platforms.
- Cyphic: Acts strictly as a Processor for streaming payloads, scoring parameters, and telemetry metrics.
- Subprocessors: Limited to essential core cloud infrastructure, network monitoring, and system transactional distribution channels.
2. Global Edge & Subprocessors Architecture
To prevent localized data exposure, Cyphic leverages a distributed edge network topology. Data isolation is determined directly by your specific corporate deployment profile:
- Compute Infrastructure: Pinned locally to your selected region across our MENA, AMER and APAC edge node clusters.
- System Telemetry & Logs: Locked to EU-pinned environments for all European customer trajectories.
- Transactional Notifications: Restricted to dedicated EU-isolated data channels.
- Billing Processing: Regionally isolated to match the customer's specific commercial locale.
A complete, unredacted list of corporate entities acting as sub-processors is available via our secure console, and all architectural changes are communicated 30 days prior to deployment.
3. Cross-Border Transfers & Adequacy Safeguards
Where data processing bridges international boundaries outside the European Economic Area (EEA), Cyphic enforces the European Commission’s Standard Contractual Clauses (SCCs—2021 modules). This framework is reinforced by our local zero-retention architecture, TLS 1.3 transit encryption, and automatic tokenization of downstream identifiers before they leave your target perimeter.
4. Automated Data Subject Rights (DSAR)
Cyphic provides programmatic hooks enabling controllers to fulfill access, correction, erasure, and portability requests natively within 30 days. If an end-user contacts Cyphic directly, the request is flagged and forwarded immediately to your technical operations team without manual data exposure.
5. Accelerated Incident Notification
In the event of a verified security incident impacting personal data handled within our pipeline, Cyphic alerts your designated security contact without undue delay and targets a notification window of under 72 hours from confirmation.