GDPR (EU) 2016/679 · EU Data Residency · SOC 2 Type II
Obtura is built from the ground up as a GDPR-first platform. As a Romanian company operating within the European Union, GDPR compliance is not a checkbox for us — it is a core architectural and operational principle. This page explains how we protect your data and support your own GDPR obligations.
100% of customer data stored in EU data centers (Frankfurt & Amsterdam). Data never leaves the EEA.
Infrastructure certified to SOC 2 Type II standards, audited annually by independent third parties.
GDPR-compliant Data Processing Agreement included with all plans. Available upon request.
All customer data is stored exclusively within European Union territory. Your data never leaves the EEA.
Obtura operates its entire infrastructure within EU-based data centers. Our primary region is Frankfurt, Germany (eu-central-1), with failover capacity in Amsterdam, Netherlands (eu-west-1). We do not route, process, or replicate customer data outside the European Economic Area.
This matters because many competing DevOps platforms are US-headquartered and operate under US law — including the CLOUD Act — which may require them to disclose your data to US government agencies regardless of where the data is stored. As a fully European company, Obtura is not subject to US data access laws.
Under GDPR, when you use Obtura to deploy applications that process personal data of your end users, you are the data controller and Obtura acts as a data processor. This requires a Data Processing Agreement (DPA) between us — as mandated by GDPR Article 28.
Our standard DPA:
To request a signed DPA, contact dpo@obtura.dev.
GDPR grants individuals significant rights over their personal data. As a data subject, you can exercise these rights with respect to the personal data Obtura holds about you as a customer.
Request a complete export of your account data via the dashboard under Settings → Privacy, or email alexserbwork@gmail.com.
Update most account data directly in Settings. For corrections to billing or other records, email alexserbwork@gmail.com.
Delete your account from Settings → Account → Delete Account. Full data deletion within 30 days (billing records retained 7 years per law).
Export all your account data and deployment configurations in JSON/CSV format from Settings → Privacy → Export Data.
Request restriction of processing in specific circumstances. Contact dpo@obtura.dev with details of your request.
Opt out of marketing at any time via email preferences. Object to legitimate-interest processing by contacting dpo@obtura.dev.
Withdraw consent for analytics cookies via the cookie banner. Withdraw marketing consent via email unsubscribe or account settings.
Lodge a complaint with ANSPDCP (Romania) at dataprotection.ro or with your local EU supervisory authority.
We respond to all rights requests within 30 days. Identity verification is required. There is no charge for exercising your rights.
GDPR Article 32 requires data controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Here is what we have in place:
GDPR requires that we inform you of the sub-processors we engage to provide our services. We maintain strict contractual controls over all sub-processors and ensure they operate in compliance with GDPR.
Categories of sub-processors we use:
| Category | Location | Safeguard |
|---|---|---|
| Cloud Infrastructure (compute/storage) | EU (Germany, Netherlands) | EU-based, contractual |
| Payment Processing | EU / EEA | SCCs + adequacy decision |
| Transactional Email Delivery | EU preferred / SCCs where outside | SCCs + TOMs |
| Customer Support Platform | EU | Contractual + EU data residency |
| Application Error Monitoring | EU | EU hosted, contractual |
We will notify customers of any material changes to our sub-processor list at least 30 days in advance. The complete, up-to-date sub-processor list with named entities is available upon request at dpo@obtura.dev.
In the event of a personal data breach, Obtura follows a strict incident response and notification procedure in compliance with GDPR Articles 33 and 34:
Security team assesses severity and scope of the incident.
Affected customers notified with available details, even if investigation is ongoing.
ANSPDCP (supervisory authority) notified as required by GDPR Art. 33.
Breach notifications to customers will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed. We maintain a breach register in accordance with GDPR Article 33(5).
Obtura has appointed a Data Protection Officer (DPO) as required under GDPR Article 37. Our DPO is responsible for overseeing compliance with GDPR, advising on data protection obligations, and acting as the point of contact for supervisory authorities and data subjects.
Data Protection Officer
Supervisory Authority
When you use Obtura to deploy applications that process your own customers' personal data, you become a data controller. Obtura helps you meet your own GDPR obligations:
Signed Data Processing Agreement available instantly, suitable for your own GDPR documentation.
Guarantee to your customers that their data is processed exclusively in the EU.
Built-in tools to export application data and logs to support your data subject access requests.
Complete audit trail of all platform actions to support your accountability obligations.
Strict isolation between deployments to prevent cross-customer data leakage.
All data encrypted at rest and in transit — no configuration required from you.
Encrypted environment variables and secrets vault — no plaintext credentials stored.
Granular RBAC so only authorized team members can access production data.