# Data processing & GDPR compliance

Infotopics operates from the Netherlands (European Union) and complies with the **General Data Protection Regulation (GDPR)**.

Data protection principles are embedded into both product design and operational processes.

***

### GDPR compliance

Infotopics ensures that:

* Personal data is processed lawfully and transparently
* Data is processed only for defined and legitimate purposes
* Data processing is limited to what is strictly necessary
* Appropriate technical and organisational safeguards are in place

***

### Roles and responsibilities

Under GDPR:

* **Customers** act as the **Data Controller**
* **Infotopics** acts as the **Data Processor**

Customers retain ownership and control of their data at all times.

***

### Data Processing Agreement (DPA)

The **Data Processing Agreement (DPA)** forms part of the contractual agreement between Infotopics and its customers.

The DPA defines:

* Scope and purpose of data processing
* Types of data processed
* Security measures applied
* Use of sub-processors
* Data breach notification procedures
* Data retention and deletion policies

The DPA applies primarily to **solutions that store or process data outside Tableau**, such as:

* WriteBackExtreme
* MailScheduler
* DashboardUsage

Extensions that operate entirely within Tableau dashboards and do not store data externally do not require persistent data processing agreements.

***

### Data retention and deletion

Upon termination of services:

* Customer-specific environments are removed
* Application data (such as audit logs or mappings) is deleted
* Only legally required contractual or financial records are retained