GDPR & Security at AttendSure
Last updated: August 18, 2025
1. Our Commitment
AttendSure was built for EU data-protection from day one.
We store data in the EU and follow the strict technical and organisational measures described below.
2. How We Handle Your Data
| Topic | You Are | We Are | What It Means |
|---|---|---|---|
| Candidate Data (documents you upload / forward) | Controller | Processor | You decide purpose & lawful basis; we process only under your instructions. |
| Customer & Usage Data (account, billing, logs) | – | Controller | We determine purposes for this limited data and keep it secure. |
Download our DPA (Data-Processing Agreement) → Download DPA
3. Data Residency & Transfers
- Primary storage: AWS Stockholm (Sweden).
- International transfers: When we must send data outside the EEA (e.g., Stripe US), we rely on Standard Contractual Clauses.
4. Sub-processors
| Vendor | Purpose | Location | Safeguard |
|---|---|---|---|
| AWS | Hosting & S3 file storage | EU | ISO-27001, SCCs |
| Meta (WhatsApp Business Platform) | WhatsApp message delivery | – | SCCs; WhatsApp policies |
| Stripe | Payments | USA / EU | PCI-DSS, SCCs |
| MailerSend / Amazon SES | Transactional email | EU / USA | SCCs |
| Google APIs | Optional Sheet export | Worldwide | OAuth 2.0, limited scope |
| Upstash, Inc. (managed Redis) | In-memory queue & cache | Frankfurt, Germany (eu-central-1) | EEA (no transfer) |
Last reviewed: April 2024 – we'll e-mail customers 14 days before adding a new sub-processor.
5. Security Controls
- Encryption in transit – TLS 1.2+
- Encryption at rest – AES-256 across DB & object storage
- Least-privilege access – Role-based IAM, hardware MFA for production ops
- Pen-testing – Independent test annually; critical findings patched within 30 days
- Back-ups – Encrypted, replicated, 30-day retention, disaster-recovery drill twice a year
6. Your Privacy Tools
- Delete All End‑Client Data inside Settings → Legal & Compliance (completed within 24–72 h).
- Workspace‑wide export: JSON.
- Individual end-client export and deletion, looked up by phone number.
- Access, correction, portability requests: e‑mail privacy@attendsure.com (response ≤ 30 days).
7. Breach Notification
If we become aware of a personal-data breach (unauthorised access to, or loss or disclosure of, personal data), we will notify affected customers within 72 hours of becoming aware and without undue delay. This supports your duties as Controller for Candidate Data under GDPR Art. 33(1) and Art. 34, and meets our own Processor duty under Art. 33(2). Where we act as Controller (Customer & Usage Data), we will also notify the competent supervisory authority within 72 hours, in line with Art. 33.
8. Availability & Uptime
AttendSure targets 99.5% monthly uptime, excluding scheduled maintenance (notified in advance). Breach notification is covered in section 7 above.
9. Need More Info?
- Full Privacy Policy → Privacy Policy
- Terms of Service → Terms of Service
- Contact our DPO → privacy@attendsure.com
Last security questionnaire completed: August 2025 — request a copy at security@attendsure.com.