GDPR Compliance

CloudKarafka and GDPR


The General Data Protection Regulation (GDPR) is an EU regulation on data security and privacy related to personal data. GDPR applies to all organizations operating within the EU as well as to non-EU organizations with customers in the EU). The definition of personal data under GDPR is defined as “any information relating to an identified or identifiable person”. The purpose of GDPR is to coordinate the data protection laws across all EU member countries to strengthen the integrity of individual data.

Data Controller vs Data Processor

GDPR applies to both Data Controllers and Data Processors. The Data Controller is the party that determines the purpose and the manner in which personal data is processed. The Data Processor is a third-party that processes personal data on behalf of the Data Controller. This means that CloudKarafka is defined as both a Data Controller and a Data Processor.

CloudKarafka is a Data Controller as we store personal data such as email addresses, billing addresses, etc. As a cloud hosting company providing a service (SaaS) and handling data, our main responsibility is as a Data Processor.

CloudKarafka as a Data Controller

CloudKarafka follows GDPR’s rules for proper storage of personal data, and we honor the rights of individuals such as the right to be informed, the right of access, the right of rectification, and the right to be forgotten. Our ambition is to constantly work with integrity, honesty, transparency, and responsibility towards our customers. We have a simple Privacy Policy where we state how information in our care is handled.

CloudKarafka as a Data Processor

Customers of CloudKarafka can be assured that they comply with the GDPR as well. We don’t physically host any of the servers involved in the cloud hosting service. Instead, we use data centers provided by external cloud platforms (e.g. Amazon Web Services, Azure, and Google Cloud Platform). Customers are in full control as to where their data is hosted by choosing the region for the data center.

CloudKarafka is fully compliant with GDPR and has executed Data Processing Agreements (DPAs) with our subcontractors (including cloud infrastructure providers) and other suppliers when applicable.

We also provide a DPA for GDPR which allows customers affected by the GDPR to continue to lawfully transfer EU personal data when using CloudKarafka. The DPA is available in the customer console under the “Agreements”-section.

Customers from other providers (Heroku etc.) should email us to request access to our DPA.

How CloudKarafka handles your Data

CloudKarafka does not physically host any of the servers provided for our cloud hosting service. Instead, data centers provided by external cloud platforms are used, which the Data Controller chooses themselves when using the service. All data can be encrypted in transit and at rest for additional security. Further, CloudKarafka has no knowledge of what kind of data is being handled by customers using the service. Employees of CloudKarafka do not look at customer data nor do they copy data to a server other than the one chosen. All data stored in the service is stored until the customer removes the data, either manually or by policies. Backups (where applicable) are deleted after 30 days. Therefore, CloudKarafka doesn't (and will not) "manage" personal data. Meaning that if customers use our service for processing personal data - we will not know.

CloudKarafka's Commitment to GDPR Compliance and Data Privacy

We take GDPR seriously, and we’re applying GDPR standards to all our data processing, not just EU personal data. This gives our customers peace of mind that their data meets protection regulatory frameworks around the world when using CloudKarafka.

We have taken several measures to comply with GDPR, which are as follows.

Policies and Processes

Our internal policies and processes are compliant with the latest GDPR regulations. This includes everything from our Information Security Program, the Business Continuity Plan, how we train our staff in security, and how we train staff to handle personal data. We have also made an inventory of what personal data we handle internally, as well as a data flow mapping of personal data.

Data Processing Agreement (DPA)

For all our customers who collect personal data from individuals in the EU, we offer a DPA. Our DPA offers terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers and their data. The DPA is available for all our customers in their control panel under the section “Agreements”. This is also where customers can find the Technical and Organizational Measures (TOMS) we have taken for GDPR compliance.

View the Data Processing Agreement.

Data Protection Officer (DPO)

A DPO is a person at an organization who is responsible for reviewing and reporting internal procedures regarding the handling of personal data. According to article 37 under the GDPR, a DPO must be appointed if:

  • The organization is a public authority (except for courts acting in their judicial capacity);
  • The core activities require large-scale, regular and systematic monitoring of individuals (for example, online behavior tracking); or
  • The core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses.

Although 84codes doesn’t apply to any of these criteria, our dedication to the integrity of our customers is such that we have decided to appoint a DPO even though we’re not legally obligated to do so. Our DPO is Anna Burman, who has been working with the GDPR implementation at 84codes. Anna can be reached at


A certain amount of confidence is needed when relying on third-party vendors to manage and handle online data securely. We understand that even small gaps in security coverage can put everything at risk including data, customer information, uptime, and potentially a company’s reputation. Therefore, we want to ensure our customers that security is something we prioritize above anything else.

A well-built environment starts with high coding standards that guard against attempted security breaches. Our system components undergo tests and source code reviews to assess the security level before being added to our code in production. We use SSL/TLS to secure data in transit. SSL certificates are updated on a regular basis or, in the event of a security advisory, from external security centers. Data can be encrypted for additional security of data at rest and IP allowlisting is also an option.

If you want to know more about how we’re dealing with customer data, please read our Security Policy.

Breach Management

We have updated our Information Security Program in regard to the GDPR regulations and specified the escalation process and requirements for notification in case of a breach.

Third Party Selection

External suppliers or subcontractors are required to apply the same security standards as we have in place at a minimum. We also make sure that they are GDPR compliant and establish a DPA with them when applicable.

Data Centers

When using CloudKarafka customers choose between seven data centers as the location that hosts their data. Below are links to what each particular data center has in place with regard to GDPR:

Further Information

If you have any questions in regards to GDPR and your use of CloudKarafka, or other legal or security-related questions, feel free to email


What is the GDPR?

The General Data Protection Regulation (GDPR) is a European privacy law that was enforced on May 25, 2018. The GDPR will apply as a single data protection law throughout the EU.

The law governs the way that businesses collect, use, and share personal data about individuals of the EU. Among other things, it requires firms to process an individual’s personal data fairly and lawfully and allowing individuals to exercise legal rights in respect of their data. For example, to access, correct or delete their personal data. The law also ensures that appropriate security protections are put in place to protect the personal data that are being processed.

Who does the GDPR apply to?

The GDPR applies to all entities and individuals based in the EU, as well as entities and individuals, whether or not based in the EU, that process the personal data of EU individuals.

The GDPR defines personal data as any information relating to an identified or identifiable natural person. This includes data that is obviously personal, such as an individual’s name or contact details, as well as data that can be used to identify an individual indirectly (such as an individual’s IP address).

Does the GDPR apply to an individual developer?

Yes, if the individual developers are processing personal data of EU individuals.

Thus, individual developers (e.g. using or service as a private person) processing personal data of EU individuals when using our products and services must accept our DPA.

Do you provide a Data Processing Agreement (DPA)?

Yes. Our DPA offers terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers and their data. The DPA is available for all our customers in their control panel under the section “Agreements”.

Are customers required to sign the DPA?

Yes, if the customer is using CloudKarafka to process personal data belonging to individuals of the EU, a DPA has to be in place between CloudKarafka and the customer according to Article 28(3) in the GDPR.

Can a customer share the DPA with its customers?

Yes. Customers who wish to share the DPA with their customers to confirm our security measures are allowed to do so.

Do customers need to notify anyone upon accepting our DPA?

No. It is not required to notify any third party or us upon accepting our DPA.

What is our role under GDPR?

CloudKarafka is both a Data Controller and a Data Processor. We are a Data Controller in the sense that we are storing (customer related) personal data such as email addresses, billing addresses, etc. But as a cloud hosting company providing a service (SaaS) where customer data resides, our main responsibility is as a Data Processor.

What have we done to comply with GDPR?

We have conducted an analysis of our operations to ensure we comply with the new requirements of the GDPR. We have, with the help of external advisors, reviewed our services, Term of Service, Privacy Policy, and arrangements with third parties for compliance with the GDPR.

What personal data do we collect and store from our customers?

In our role as Data Controller, we may collect and store contact information when customers sign up for our services or seek support help. The information we store includes data such as our customers’ email addresses and physical addresses for billing purposes. We may also collect other identifying information from our customers, such as IP address, Paypal ID, SSH public keys or Oauth tokens for external services.

Separately, we act as a Data Processor when customers use our service to process personal data belonging to individuals in the EU. Our customers decide what personal data (if any) that is sent via our services.

Do you have a DPO?

Yes. Her name is Anna Burman, and she can be reached at

Please note that this page is for informational purposes only, and should not be considered legal advice.