Data protection at Seatti
Seatti is a trademark of Seatti UG (haftungsbeschränkt), a German company (Imprint). We respect and value the protection of personal data, both for our customers and for ourselves, and constantly strive to comply fully with European data protection regulations, in particular the GDPR. This document describes our comprehensive programme to not only comply with the law, but also to assure every user of Seatti Services that their data is secure. If you have any further questions regarding compliance with the GDPR, data security and data protection rights, please contact us at contact@seatti.co.
- Services
- Privacy by Design
- Data commission processing
- Privacy Policy Website
Services
We offer a paid service to businesses and other organisations who wish to use our services as an integrated professional tool, which can also be integrated with third-party tools to enhance the user experience for our users. For this, we have a data processing agreement that sets out how we process personal data as a data processor on behalf of a client.
Privacy by Design
At Seatti, we make a point of designing our services so that their implementation itself protects the rights of users in the best possible way. Consequently, our services are built according to the requirements of Privacy by Design (also called data protection by design), which are also laid down in Art. 25 of the European GDPR. This means that appropriate technical and organisational measures to ensure data protection are already taken into account when determining the means of data processing. This is manifested in a set of principles on how we set up our infrastructure and how we collect and process data; these principles are an integral part of our AV contract as a data processor.
Data minimisation and pseudonymisation
We only store and process as much data as necessary to provide our core functionalities and a great user experience. We actively avoid storing data for the sole purpose of marketing, data accumulation or any other purpose not related to a smooth experience for our users. Personal data is only stored pseudonymously and, where possible, anonymised before it even enters our processing systems. In concrete terms, only a user ID is stored, while any personal allocation data is only added directly in the customer system and is neither stored nor can be viewed in our systems.
Data storage and processing within the EU
To ensure full transparency, familiarity and compliance with regional regulations and the GDPR, we store and process data as often as possible on servers located within the territory of the European Union. As of now, all processing of personal data takes place on servers of our service provider AWS in Frankfurt, Germany. See the list of sub-processors for more details.
Security infrastructure
Our infrastructure and internal security boundaries should meet the highest security standards in order to preventively avoid any kind of data breach. This concerns the security policies of our team, e.g. the way we work together and communicate sensitive data or how access rights are distributed among team members and their roles, but also the selection of service providers and sub-processors. Our main processor AWS is built on the principles of Security by Design and offers a variety of services that we have implemented to ensure data security. These and other security measures are documented in detail in our Technical and organisational measures documents, which are also part of our AV contract as a contractor.
Data commission processing
Download Seatti AV contract as .pdf
We use an AV contract to maintain all the protections of current legislation. We have also ensured that we have AVs in place with all our sub-processors to ensure full vertical data protection.
The AV contract is concluded and signed individually with each client for whom we act as contractor.
Subcontractors
Below you will find a list of all our subcontractors and the agreements we have with them. In particular, due to the invalidation of the EU/US Privacy Shield, we try to process any personal data in EU territory. With our main infrastructure provider AWS, too, we have exclusively chosen servers located in Frankfurt, Germany. Even after the invalidation of the Privacy Shield, the standard contractual clauses released and regulated by the EU provide a level of data protection that complies with the GDPR. These clauses are enshrined in AWS' Data Processing Addendum, which can be downloaded below.
Only in exceptional cases, when the provider landscape requires it, do we use providers outside the EU and ensure that personal data is never processed in non-pseudonymised form in the process.
Documents for download