GDPR

Our GDPR position

OpenVoy is based in Berlin and built EU-first. GDPR is not bolted on — it is the baseline.

Data Processing Agreement

A standard DPA, including EU SCCs, is available on request and can be countersigned without negotiation in 95% of cases. Email privacy@openvoy.com.

EU data residency

Frankfurt by default on every plan. Optional Dublin or Stockholm regions on Scale. We do not replicate to non-EU regions without explicit written consent.

Subprocessors

Current list at /subprocessors. 30-day notice for additions.

Data subject rights

Access, rectification, erasure, restriction, portability, and objection are all supported in-product (admin → privacy) and via email request. SLA: 14 days for response, 30 days for full execution.

Breach notification

Customers notified within 48 hours of confirmed breach impacting their data. Supervisory authority notified within 72 hours per Article 33.

DPO

Reachable at dpo@openvoy.com.