GDPR Compliance
Our comprehensive approach to European data protection and privacy rights
- EU Data Centers: 100%
- Compliance: Full
- DPA Available: Yes
- Data Portability: Yes
Our Commitment to GDPR
Skyline DevHub is fully committed to compliance with the European Union's General Data Protection Regulation (GDPR). As a European-headquartered company with operations in Estonia, we recognize the importance of protecting the personal data and privacy rights of all EU citizens.
We have implemented comprehensive policies, technical measures, and organizational controls to ensure that all personal data is processed lawfully, transparently, and securely. Our GDPR compliance framework governs every aspect of data handling across all our services, including TrustGuard AI.
Legal Basis for Data Processing
We process personal data only when we have a valid legal basis under GDPR Article 6. Our processing activities are based on:
Contractual Necessity (Article 6(1)(b))
Processing necessary to perform a contract with you or to take steps at your request before entering into a contract. This includes account creation, service delivery, payment processing, and customer support.
Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate interests or those of a third party, provided your rights do not override these interests. This includes fraud prevention, network security, improving our services, and direct marketing (with opt-out options).
Legal Obligation (Article 6(1)(c))
Processing necessary to comply with legal obligations, such as tax reporting, responding to lawful requests from authorities, and maintaining records required by law.
Consent (Article 6(1)(a))
Processing based on your freely given, specific, informed, and unambiguous consent. This applies to marketing communications, cookies, and optional data collection. You can withdraw consent at any time.
Your Rights Under GDPR
GDPR grants you comprehensive rights regarding your personal data. We are committed to facilitating the exercise of these rights:
Right to Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, access to that data along with specific information about the processing.
How to exercise: Submit a request to privacy@skylinedevhub.com. We will respond within 30 days with a comprehensive data export.
Right to Rectification (Article 16)
You have the right to correct inaccurate personal data and to complete incomplete personal data.
How to exercise: Update your account settings directly or contact us to make corrections. Changes take effect immediately.
Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request deletion of your personal data when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent and there is no other legal basis
- You object to processing and there are no overriding grounds
- The data was unlawfully processed
- Legal obligation requires deletion
How to exercise: Submit a deletion request via your account settings or email. We process deletions within 30 days, subject to legal retention requirements.
Right to Restriction of Processing (Article 18)
You have the right to restrict processing of your personal data in certain circumstances, such as when you contest accuracy or object to processing.
How to exercise: Contact our Data Protection Officer. We will mark restricted data and only process it with your consent or for specific legal reasons.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
How to exercise: Request a data export via your dashboard or email. We provide data in JSON format within 30 days.
Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
How to exercise: Opt out of marketing emails via unsubscribe links. For other objections, contact privacy@skylinedevhub.com.
Right to Withdraw Consent (Article 7(3))
Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
How to exercise: Manage consent preferences in your account settings or contact us directly.
Right to Lodge a Complaint (Article 77)
You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, place of work, or place of alleged infringement.
Estonia: Estonian Data Protection Inspectorate (www.aki.ee)
EU-wide: Find your local authority at edpb.europa.eu
GDPR Data Protection Principles
Our data processing adheres to the six core principles outlined in GDPR Article 5:
Lawfulness, Fairness & Transparency
We process data lawfully with a valid legal basis, fairly without deception, and transparently by clearly communicating our practices through this policy and privacy notices.
Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
Data Minimization
We collect only personal data that is adequate, relevant, and limited to what is necessary for the purposes of processing.
Accuracy
We maintain accurate and up-to-date personal data, and take reasonable steps to ensure inaccurate data is erased or rectified without delay.
Storage Limitation
We retain personal data only for as long as necessary for the purposes for which it was collected, after which it is securely deleted or anonymized.
Integrity & Confidentiality (Security)
We implement appropriate technical and organizational measures to ensure security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
Data Processing & Security Measures
Technical Measures
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Pseudonymization and anonymization where appropriate
- Access controls and role-based permissions
- Multi-factor authentication for all accounts
- Automated vulnerability scanning and patching
- Secure development lifecycle practices
- Regular penetration testing and security audits
Organizational Measures
- Appointed Data Protection Officer (DPO)
- Staff training on GDPR and data protection
- Data Protection Impact Assessments (DPIAs) for high-risk processing
- Documented policies and procedures
- Vendor due diligence and Data Processing Agreements
- Incident response and breach notification procedures
- Regular compliance audits and reviews
- Privacy by Design and Privacy by Default principles
International Data Transfers
As a global company, we may transfer personal data outside the European Economic Area (EEA). We ensure all international transfers comply with GDPR Chapter V:
EU Data Residency
For EU customers, primary data storage is within EU data centers (Estonia, Germany) to ensure data sovereignty and minimize transfer risks.
Transfer Safeguards
When transfers outside the EEA are necessary, we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs): EU Commission-approved clauses with all processors and sub-processors
- Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
- Binding Corporate Rules: For intra-group transfers (where applicable)
- Supplementary Measures: Additional technical measures beyond SCCs (encryption, access controls)
Transfer Impact Assessments
We conduct Transfer Impact Assessments (TIAs) as required by Schrems II guidance to evaluate risks of transfers to third countries and implement additional safeguards where necessary.
Data Processing Agreement (DPA)
For enterprise clients who act as Data Controllers and use our services to process personal data, we provide a comprehensive Data Processing Agreement (DPA) compliant with GDPR Article 28.
DPA Coverage
Our DPA covers processing obligations, security measures, sub-processor arrangements, data subject rights assistance, breach notification, audit rights, and data return/deletion upon termination.
Sub-Processors
We maintain a list of authorized sub-processors and provide notice before engaging new sub-processors, giving you the opportunity to object. All sub-processors sign GDPR-compliant agreements.
Request a DPA
Enterprise clients can request our standard DPA by contacting legal@skylinedevhub.com. We typically execute DPAs within 5 business days.
Data Breach Notification
In compliance with GDPR Articles 33 and 34, we have established procedures for detecting, investigating, and notifying data breaches:
Detection & Response
24/7 security monitoring with automated anomaly detection. Incidents are immediately escalated to our incident response team. Mean time to detection (MTTD) is under 15 minutes.
Supervisory Authority Notification
We notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of a breach likely to result in a risk to individuals' rights and freedoms, as required by Article 33.
Individual Notification
If a breach is likely to result in a high risk to individuals' rights and freedoms, we will communicate the breach directly to affected individuals without undue delay, as required by Article 34.
Breach Documentation
We maintain records of all personal data breaches, including facts, effects, and remedial actions taken, in accordance with Article 33(5).
GDPR Contact Information
Data Protection Officer (DPO)
Email: dpo@skylinedevhub.com
Address: Skyline DevHub, Tallinn, Estonia
Response Time: Within 30 days of request
Privacy & Data Requests
Email: privacy@skylinedevhub.com
For exercising your GDPR rights (access, rectification, erasure, portability, etc.)
Estonian Supervisory Authority
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: www.aki.ee
Email: info@aki.ee