GDPR: General Data Protection Regulation

This page outlines how RapidFoundry LTD ("we", "us", "our") complies with Regulation (EU) 2016/679, the General Data Protection Regulation ("GDPR"). This statement is intended to provide transparency regarding our data protection practices and should be read in conjunction with our Privacy Policy, which details the specific personal data we collect and how we use it.

Our Commitment to GDPR Compliance

RapidFoundry LTD is committed to protecting the fundamental rights and freedoms of natural persons with regard to the processing of personal data. As an EU-based Software-as-a-Service provider, we have implemented comprehensive measures to ensure full compliance with the GDPR across all aspects of our operations.

We recognise that data protection is not merely a legal obligation but a cornerstone of trust between our organisation, our customers, and the individuals whose data we process. Our compliance programme is subject to continuous review and improvement to reflect evolving regulatory guidance and best practices.

Roles: Data Controller and Data Processor

When We Act as Data Controller

Pursuant to Article 4(7) GDPR, RapidFoundry LTD acts as the data controller when we determine the purposes and means of processing personal data. This includes:

  • Processing personal data of our website visitors
  • Managing accounts and relationships with our customers
  • Processing employee and job applicant data
  • Conducting marketing and communications activities
  • Administering billing and contractual matters

As data controller, we bear full responsibility for ensuring that processing activities comply with GDPR requirements and for responding to data subject requests.

When We Act as Data Processor

Pursuant to Article 4(8) GDPR, RapidFoundry LTD acts as a data processor when we process personal data on behalf of our customers in connection with the provision of our SaaS platform. In this capacity:

  • Our customers remain the data controllers for the personal data they upload to or process through our platform
  • We process such data strictly in accordance with our customers' documented instructions
  • We maintain appropriate Data Processing Agreements with all customers
  • We do not use customer data for our own purposes beyond what is necessary to provide the contracted services

Lawful Processing Principles (Article 5 GDPR)

RapidFoundry LTD adheres to the data protection principles set forth in Article 5 GDPR. All personal data processing activities are conducted in accordance with the following principles:

Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. Individuals are informed about how their data is processed through our Privacy Policy and other applicable notices.

Purpose Limitation

Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes.

Data Minimisation

We ensure that personal data processed is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

Accuracy

We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. Inaccurate data is erased or rectified without delay.

Storage Limitation

Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, subject to applicable legal retention requirements.

Integrity and Confidentiality

We implement appropriate technical and organisational measures to ensure the security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

Accountability

We maintain documentation and records to demonstrate compliance with the above principles and all applicable GDPR requirements.

Legal Bases for Processing

In accordance with Article 6 GDPR, RapidFoundry LTD processes personal data only where we have identified a valid legal basis. The legal bases upon which we rely include:

  • Contractual Necessity (Article 6(1)(b)): Processing necessary for the performance of a contract with the data subject or to take pre-contractual steps at their request
  • Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations to which we are subject
  • Legitimate Interests (Article 6(1)(f)): Processing necessary for the purposes of legitimate interests pursued by us or a third party, provided such interests are not overridden by the data subject's rights and freedoms
  • Consent (Article 6(1)(a)): Where the data subject has given explicit consent to processing for one or more specific purposes

Where we process special categories of personal data, we ensure that an additional condition under Article 9 GDPR is satisfied. Details regarding the specific legal bases applied to particular processing activities are set out in our Privacy Policy.

Data Processing Agreements

In accordance with Article 28 GDPR, RapidFoundry LTD enters into Data Processing Agreements ("DPAs") with all parties with whom we have a controller-processor relationship.

DPAs with Our Customers

When acting as a data processor on behalf of our customers, we provide a comprehensive DPA that addresses all requirements of Article 28(3) GDPR, including:

  • The subject matter, duration, nature, and purpose of processing
  • The types of personal data processed and categories of data subjects
  • The obligations and rights of the controller
  • Our commitment to process data only on documented instructions
  • Confidentiality obligations for personnel
  • Security measures implemented
  • Conditions for engaging subprocessors
  • Assistance with data subject rights and compliance obligations
  • Data deletion or return upon termination
  • Audit and inspection rights

Our standard DPA is available upon request and forms part of our Terms of Service.

DPAs with Our Subprocessors

We maintain DPAs with all subprocessors that meet or exceed the data protection obligations contained in our agreements with customers, ensuring the same level of protection throughout the processing chain.

Subprocessors and Vendor Management

RapidFoundry LTD engages third-party subprocessors to assist in providing our services. We maintain a rigorous vendor management programme to ensure all subprocessors meet our data protection standards.

Subprocessor Due Diligence

Before engaging any subprocessor, we conduct a thorough assessment of their data protection practices, including:

  • Review of security certifications and audit reports
  • Assessment of technical and organisational measures
  • Evaluation of data transfer mechanisms where applicable
  • Verification of GDPR compliance capabilities

Subprocessor List

We maintain a current list of subprocessors, which is available to customers upon request or through our customer portal. This list includes the identity, location, and processing activities of each subprocessor.

Subprocessor Changes

In accordance with our DPA terms, we provide customers with advance notice of any intended changes to subprocessors, affording them the opportunity to object to such changes on reasonable data protection grounds.

International Data Transfers and Safeguards

RapidFoundry LTD is headquartered in the European Union. Where personal data is transferred outside the European Economic Area ("EEA"), we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR (Articles 44–49).

Transfer Mechanisms

We rely on the following mechanisms to legitimise international data transfers:

  • Adequacy Decisions (Article 45): Transfers to countries that have received an adequacy decision from the European Commission
  • Standard Contractual Clauses (Article 46(2)(c)): We utilise the European Commission's Standard Contractual Clauses ("SCCs") adopted pursuant to Commission Implementing Decision (EU) 2021/914 for transfers to countries without an adequacy decision
  • Supplementary Measures: Where required following a transfer impact assessment, we implement additional technical, contractual, and organisational measures to ensure an essentially equivalent level of protection

Transfer Impact Assessments

For transfers relying on SCCs, we conduct transfer impact assessments to evaluate whether the legal framework of the recipient country ensures adequate protection. These assessments consider relevant legislation, access by public authorities, and the effectiveness of data subject rights.

EU-U.S. Data Privacy Framework

Where applicable, we may rely on the EU-U.S. Data Privacy Framework for transfers to certified U.S. organisations, following the European Commission's adequacy decision of 10 July 2023.

Technical and Organisational Measures

Pursuant to Articles 24 and 32 GDPR, RapidFoundry LTD implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by our processing activities.

Technical Measures

  • Encryption: Data at rest and in transit is protected using industry-standard encryption protocols (AES-256 and TLS 1.2+)
  • Access Controls: Role-based access controls, multi-factor authentication, and the principle of least privilege
  • Network Security: Firewalls, intrusion detection systems, and regular vulnerability assessments
  • Pseudonymisation: Applied where appropriate to reduce risks to data subjects
  • Backup and Recovery: Regular encrypted backups with tested restoration procedures
  • Logging and Monitoring: Comprehensive audit logging and real-time security monitoring

Organisational Measures

  • Information Security Policies: Documented policies governing data handling, access, and security
  • Employee Training: Regular data protection and security awareness training for all personnel
  • Confidentiality Agreements: All employees and contractors are bound by confidentiality obligations
  • Incident Response: Documented procedures for identifying, reporting, and responding to security incidents
  • Business Continuity: Plans to ensure availability and resilience of processing systems
  • Regular Audits: Periodic internal and external audits of security controls

Certifications

RapidFoundry LTD maintains [ISO 27001 / SOC 2 Type II / other applicable certifications] to demonstrate our commitment to information security best practices. Copies of relevant certifications are available to customers upon request.

Data Subject Rights Support

RapidFoundry LTD is committed to facilitating the exercise of data subject rights under Chapter III of the GDPR.

When We Are the Controller

Where we act as data controller, individuals may exercise their rights directly with us. We respond to valid requests without undue delay and within one month, subject to extension where permitted under Article 12(3) GDPR. Full details of how to exercise these rights are provided in our Privacy Policy.

When We Are the Processor

Where we act as data processor, we assist our customers (as controllers) in responding to data subject requests in accordance with our DPA obligations and Article 28(3)(e) GDPR. This includes:

  • Providing technical functionality to enable customers to respond to access, rectification, erasure, and portability requests
  • Promptly forwarding any requests received directly from data subjects to the relevant customer
  • Providing information and assistance necessary for customers to fulfil their obligations

Rights Supported

We support the following data subject rights as applicable:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights related to automated decision-making (Article 22)

Data Breach Procedures

RapidFoundry LTD maintains documented procedures for detecting, investigating, and responding to personal data breaches in accordance with Articles 33 and 34 GDPR.

Breach Detection and Assessment

We employ technical monitoring and organisational procedures to detect potential breaches promptly. Upon detection, our incident response team assesses the nature, scope, and potential impact of the breach.

Notification to Supervisory Authorities (Article 33)

Where we act as data controller and a breach is likely to result in a risk to the rights and freedoms of natural persons, we notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

Notification to Data Subjects (Article 34)

Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, we communicate the breach to affected data subjects without undue delay, unless an exception under Article 34(3) applies.

Notification to Customers (Processor Role)

Where we act as data processor and become aware of a personal data breach affecting customer data, we notify the affected customer without undue delay, providing sufficient information to enable the customer to fulfil its own notification obligations.

Documentation

We maintain records of all personal data breaches, including the facts, effects, and remedial actions taken, in accordance with Article 33(5) GDPR.

Data Minimisation and Retention Practices

Data Minimisation

In accordance with Article 5(1)(c) GDPR, we apply data minimisation principles throughout our operations:

  • We collect only the personal data necessary for specified purposes
  • We regularly review data collection practices to eliminate unnecessary processing
  • We design our systems and processes with data minimisation as a default consideration
  • We encourage customers to apply data minimisation when using our platform

Retention Practices

Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected. Our retention practices are governed by:

  • Retention Schedule: We maintain a documented retention schedule specifying retention periods for different categories of personal data
  • Legal Requirements: Certain data may be retained longer where required by applicable law (e.g., tax, accounting, or regulatory obligations)
  • Contractual Obligations: Customer data processed in our role as processor is retained in accordance with customer instructions and our DPA terms
  • Secure Deletion: Upon expiry of retention periods or termination of services, personal data is securely deleted or anonymised

Specific retention periods for categories of personal data we control are detailed in our Privacy Policy.

Contact Information

For questions regarding this GDPR Compliance Statement, our data protection practices, or to exercise data subject rights, please contact us:

RapidFoundry LTD
Isiodou 13 Unit 401
Limassol, 3031
Cyprus

General Data Protection Enquiries:
Email: privacy@rapidfoundry.net

Updates to This Statement

We may update this GDPR Compliance Statement from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We encourage periodic review of this page for the latest information on our compliance practices.

Last updated: February 16, 2026