Our Commitment
Soqqet is fully committed to compliance with the General Data Protection Regulation (GDPR). We have designed our platform from the ground up with data protection in mind, implementing privacy by design and by default across all our services.
Roles & Responsibilities
Soqqet acts as a Data Processor. Our customers (businesses using Soqqet to send messages) are the Data Controllers. This means our customers determine the purposes and means of processing personal data, while Soqqet processes data solely on their behalf and under their instructions.
Data Processing Agreement
We provide a Data Processing Agreement (DPA) to all customers, which covers:
- The scope and purpose of data processing
- Technical and organizational security measures
- Sub-processor management and notifications
- Data breach notification procedures (within 72 hours)
- Data subject rights assistance
- Data deletion upon contract termination
Contact privacy@soqqet.com to request a signed DPA.
Technical Measures
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.3 on all connections |
| Encryption at rest | AES-256 for stored data |
| Data location | European servers (Cloudflare EU) |
| Access control | Role-based access, MFA for admin accounts |
| Audit logging | All data access and modifications logged |
| Data isolation | Multi-tenant architecture with tenant-level isolation |
| Backups | Encrypted daily backups with 30-day retention |
Consent & Opt-out
Soqqet provides built-in tools to help our customers comply with GDPR consent requirements:
- Double opt-in flows: automated consent verification for new contacts
- Global blocklist: contacts who opt out are automatically excluded from future workflows and scheduled sends
- Consent audit trail: timestamped records of when and how consent was obtained
- One-click unsubscribe: every message can include an opt-out mechanism
Data Subject Rights
We assist our customers in responding to data subject requests, including:
- Right of access — export all data associated with a contact
- Right to rectification — edit contact information at any time
- Right to erasure — delete individual contacts and all associated data
- Right to data portability — export contacts and message history as CSV
- Right to object — blocklist functionality to prevent future processing
Sub-processors
We use a limited number of sub-processors to deliver our services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare | Hosting, CDN, Workers | EU / Global |
| WhatsApp (Meta) | Message delivery | EU / US |
| Telegram | Message delivery | EU |
| SMS carriers | SMS delivery | EU |
We notify customers before adding new sub-processors and provide the option to object.
Breach Notification
In the event of a personal data breach, Soqqet will notify affected customers within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Notification includes the nature of the breach, categories of data affected, estimated number of records, and measures taken.
Contact Our DPO
For any GDPR-related inquiries, data subject requests, or to report a concern, contact our Data Protection Officer at dpo@soqqet.com.