GDPR Compliance
We take data protection seriously. Sitenyx is built on the principles of privacy by design and by default (GDPR Article 25) and is designed to comply with the General Data Protection Regulation (EU 2016/679).
Data controller and processor roles
Sitenyx acts as a data processor when handling the business data you store in the platform (customer records, invoices, financial data) and as a data controller for user account data (login credentials, profile information). This distinction is documented in our Data Processing Agreement (DPA), which defines the scope, purpose, and duration of the processing we carry out on your behalf.
Legal basis for processing
We process personal data only where one of the legal bases in GDPR Article 6(1) applies:
- Contract performance (Art. 6(1)(b)): Processing necessary to deliver the services you subscribed to, including website hosting, financial tool operations, and account management.
- Consent (Art. 6(1)(a)): Optional features such as marketing emails, analytics, and AI-powered suggestions. Consent can be withdrawn at any time, with effect for future processing.
- Legitimate interest (Art. 6(1)(f)): Platform security, fraud prevention, and service improvements. We conduct a balancing test for each such purpose to ensure our interests do not override your rights and freedoms.
- Legal obligation (Art. 6(1)(c)): Tax reporting, bookkeeping retention requirements, and regulatory compliance under Danish and EU law.
Your data subject rights
Under GDPR Articles 15-22, you have the following rights, which we support:
- Right of access (Art. 15): Request a copy of the personal data we hold about you, together with information on how it is processed.
- Right to rectification (Art. 16): Correct inaccurate personal data or complete incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations (for example bookkeeping records we are required to keep).
- Right to restriction (Art. 18): Restrict processing of your data in certain circumstances, such as while the accuracy of the data is being verified.
- Right to data portability (Art. 20): Receive the data you have provided to us in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest. An objection to direct marketing is always honored.
Technical and organizational measures
We implement the technical and organizational measures required by GDPR Article 32. These include AES-256 encryption of data at rest, TLS 1.3 for data in transit, role-based access control, multi-tenant data isolation enforced by Finbuckle query filters so that every database query is scoped to the requesting tenant, regular security audits, and automated vulnerability scanning. Our development practices follow OWASP guidelines, and every code change undergoes security review before release.
Breach notification
In the event of a personal data breach, we follow the notification requirements of GDPR Articles 33 and 34. Where Sitenyx is the controller, we will notify the relevant supervisory authority (Datatilsynet in Denmark) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. We will notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms. Where Sitenyx processes data on your behalf, Article 33(2) requires us to notify you, as the controller, without undue delay after becoming aware of the breach, so that you can make your own risk assessment and meet your own notification obligations.
Data Processing Agreement
We provide a Data Processing Agreement (DPA) in accordance with GDPR Article 28. The DPA sets out the subject matter and duration of processing, the nature and purpose of processing, the types of personal data, the categories of data subjects, our obligations as processor (including confidentiality, security measures, sub-processor approval, and assistance with data subject requests), and your rights as the data controller. Contact [email protected] to request our DPA.
Frequently Asked Questions
Is Sitenyx a data controller or processor?
Do you have a Data Protection Officer?
How do I exercise my data rights?
How long do you retain my data?