Compliance

GDPR at Eagora

We treat your data, and your subscribers' data, with the seriousness it deserves. GDPR-ready by default, with the controls and documentation to prove it.

Highlights

Built for GDPR from day one

Lawful basis tooling

Consent capture, double opt-in, granular preferences and audit trails on every change.

Self-serve DPA

Sign our Data Processing Agreement in two clicks from your dashboard — at no cost.

EU data residency

Pin customer data to EU regions on Business and Enterprise plans.

Subject rights API

Build right-to-access, right-to-erasure and right-to-portability flows in minutes.

Subprocessor transparency

Live subprocessor list with 30-day change notifications by email.

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest, with HSM-backed key management.

The details

Lawful basis

Eagora provides tools for consent capture, double opt-in, soft opt-in, contract-based sending and legitimate interest reviews — covering every lawful basis under GDPR Article 6. Every consent change is timestamped and exportable for audit.

Data Processing Agreement

A DPA covering the latest EU SCCs (Standard Contractual Clauses, 2021) is available to every customer at no cost. Sign it self-serve from your dashboard or request a counter-signed copy via [email protected].

Subprocessors

A complete, live subprocessor list is maintained at eagora-ai.com/subprocessors. We notify customers by email 30 days before any change, giving you a meaningful window to object.

Subject rights

Our admin tools and API let you action right-to-access, right-to-erasure, right-to-portability and right-to-restriction requests in minutes. Audit trails on every request, with response SLAs documented in your DPA.

EU data residency

On Business and Enterprise plans, you can pin storage of customer data to our Frankfurt or Dublin regions. Sending infrastructure is geographically distributed but never moves data outside the EU when residency is enabled.

International transfers

When transfers are necessary, they're governed by the EU SCCs and supplementary measures including encryption-at-rest with customer-managed keys.

Data retention

Customer-defined retention windows on subscriber data and events. Hard delete is real delete — purged from backups within 30 days.

Breach notification

Documented incident response with named on-call roles. We commit to notifying affected customers within 72 hours of a confirmed breach.

Children's data

Eagora is not intended for use by people under 16. We provide tooling to help our customers comply with age-verification requirements.

Certifications

Audited and accredited

SOC 2 Type II
ISO 27001
HIPAA-ready
GDPR-aligned

Frequently asked questions

When you use Eagora, you're the controller of your subscribers' personal data. Eagora acts as the processor. Our DPA documents the relationship in full.

Questions about compliance?

Our security and legal team answers customer questions in under 48 hours.