GDPR Compliance

Our GDPR posture, with parallel data protection commitments for customers worldwide. We apply GDPR-grade safeguards to all customer data regardless of geographic origin.

Last updated: 2026-05-01

Our Commitment

Soqqet is fully committed to compliance with the General Data Protection Regulation (GDPR). We have designed our platform from the ground up with data protection in mind, implementing privacy by design and by default across all our services.

Roles & Responsibilities

Soqqet acts as a Data Processor. Our customers (businesses using Soqqet to send messages) are the Data Controllers. This means our customers determine the purposes and means of processing personal data, while Soqqet processes data solely on their behalf and under their instructions.

Data Processing Agreement

We provide a Data Processing Agreement (DPA) to all customers, which covers:

  • The scope and purpose of data processing
  • Technical and organizational security measures
  • Sub-processor management and notifications
  • Data breach notification procedures (within 72 hours)
  • Data subject rights assistance
  • Data deletion upon contract termination

Contact [email protected] to request a signed DPA.

Technical Measures

Measure | Implementation
Encryption in transit | TLS 1.3 on all connections
Encryption at rest | AES-256 for stored data
Data location | European servers (Cloudflare EU)
Access control | Role-based access, MFA for admin accounts
Audit logging | All data access and modifications logged
Data isolation | Multi-tenant architecture with tenant-level isolation
Backups | Encrypted daily backups with 30-day retention

Consent & Opt-out

Soqqet provides built-in tools to help our customers comply with GDPR consent requirements:

  • Double opt-in flows: automated consent verification for new contacts
  • Global blocklist: contacts who opt out are automatically excluded from future workflows and scheduled sends
  • Consent audit trail: timestamped records of when and how consent was obtained
  • One-click unsubscribe: every message can include an opt-out mechanism

Data Subject Rights

We assist our customers in responding to data subject requests, including:

  • Right of access — export all data associated with a contact
  • Right to rectification — edit contact information at any time
  • Right to erasure — delete individual contacts and all associated data
  • Right to data portability — export contacts and message history as CSV
  • Right to object — blocklist functionality to prevent future processing

Sub-processors

We maintain a comprehensive list of all sub-processors at soqqet.com/legal/sub-processors.

The list includes:

  • Sub-processor name and corporate entity
  • Service provided
  • Location of processing
  • Type of personal data accessed
  • Safeguards in place (SCCs, adequacy decisions, etc.)

We notify customers at least 30 days before adding new sub-processors.

Breach Notification

In the event of a personal data breach, Soqqet will notify affected customers within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Notification includes the nature of the breach, categories of data affected, estimated number of records, and measures taken.

Contact Our DPO

For any GDPR-related inquiries, data subject requests, or to report a concern, contact our Data Protection Officer at [email protected].

International Data Transfers

Most Soqqet processing occurs within the European Economic Area (EEA). Where data must be transferred outside the EEA (for example, when delivering WhatsApp messages through Meta's infrastructure), we rely on:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Supplementary measures including encryption and access controls

Specific transfer mechanisms for each sub-processor are documented on our Sub-processors page.

Rights of Notification Recipients

People who receive notifications through Soqqet (your customers' end users) have GDPR rights as data subjects. While the customer is the Data Controller and primary point of contact, Soqqet supports recipient rights through:

  • Universal opt-out keywords: STOP, UNSUBSCRIBE, CANCEL, END, QUIT parsed automatically across all channels
  • Cross-tenant blocklist: an opt-out is enforced for that recipient against any future workflow from the same customer
  • Abuse channel: [email protected] is monitored for end-recipient complaints
  • Recipient inquiries: requests are routed to the responsible Data Controller (our customer) within 5 business days

Soqqet is not the Data Controller and cannot directly fulfill data subject rights requests for end recipients (e.g., right of access, erasure). Such requests must be addressed to the business that sent the notification.

Soqqet is a software platform for transactional notifications. We are not a telecom carrier or regulated communications provider. Customers are responsible for the legality of communications under applicable law in their jurisdiction and for obtaining valid recipient consent.