EU General Data Protection Regulation

GDPR-compliant communication infrastructure

Team chats contain conversations about people. Customer support messages contain contact details. Email newsletters require explicit consent. Communication platforms are high-exposure GDPR processors — we make sure your infrastructure handles this correctly.

What is the GDPR?

The GDPR applies to almost everything communication platforms do: storing customer email addresses, logging chat messages, recording video calls, managing newsletter subscriber lists. These aren't edge cases — they're core functionality. Getting this right protects both you and your users.

  • In force since: 25 May 2018
  • Scope: Any org processing EU personal data
  • Max fine: €20M or 4% of global turnover
  • Breach reporting: 72 hours

Key GDPR obligations for communication platforms

Communication platforms process personal data constantly — contact details, message content, call recordings, subscriber lists. These six articles define your obligations.

1. Art. 5 — Principles of processing

Messages and communication logs must be retained only as long as operationally necessary. Enforcing retention periods once they expire, deleting messages on user request, and keeping clear policies around what is logged are all required under Art. 5. We support configurable message and log retention.

2. Art. 6 — Lawful basis

Customer support messages are processed under contract (Art. 6(1)(b)). Team chat is typically legitimate interest (Art. 6(1)(f)). Email marketing requires explicit consent (Art. 6(1)(a)) with a working unsubscribe mechanism. The lawful basis varies by communication type.

3. Art. 17 — Right to erasure

Users and customers have the right to have their messages and contact data deleted. Our managed Chatwoot, Mattermost, and Listmonk deployments support user deletion and subscriber removal — including from backups on a retention schedule.

4. Art. 28 — Data Processor

We act as your data processor for all communication data stored on our infrastructure. Our DPA covers Chatwoot, Mattermost, Jitsi Meet, and Listmonk — with clear sub-processor documentation.

5. Art. 32 — Security of processing

Communication platforms store sensitive conversations. Our deployments use encryption at rest and in transit, role-based access controls, and isolated tenant environments — protecting your communication data.

6. Art. 33 — Breach notification

If a breach affects personal data on our managed communication infrastructure, we notify you within 72 hours. You can then meet your own 72-hour reporting obligation to your supervisory authority.

Consent, retention, and the right to be forgotten

Communication platforms face three GDPR challenges more than most: proving consent for outbound communication, enforcing message retention limits, and handling erasure requests across distributed message stores.

  • Email marketing consent (Art. 7): Listmonk supports double opt-in and tracks consent records — critical for demonstrating a valid Art. 6(1)(a) lawful basis for newsletters
  • Message retention: configure Mattermost and Chatwoot message retention policies so the system automatically purges historical messages after your defined retention period
  • Video call recordings: Jitsi Meet recordings stored in object storage are subject to GDPR too — we support configurable auto-deletion of recordings after a set period

What we provide for GDPR compliance

  • Data Processing Agreement (DPA) on request
  • EU data residency — Nuremberg (primary) + Falkenstein (DR)
  • Audit logs retained and exportable
  • Data export on request (Art. 20 portability)
  • Data deletion on request (Art. 17 erasure)
  • 72-hour breach notification to you (Art. 33)
  • Encrypted backups stored within the EU
  • Sub-processor list available on request

Communication tools handling personal data?

Request our DPA for communication infrastructure, discuss consent management for email newsletters, or ask about message retention configuration.

Request a DPA