ProdSys is built for European SMBs by a European company. GDPR compliance is not an add-on — it is foundational to how we operate.
When you use ProdSys, your company is the data controller — you decide what personal data is collected and how it is used.
ProdSys is the data processor — we process that data on your behalf, only as instructed by you, and only for the purpose of providing the service.
For data we process about you directly as a website visitor or prospect (e.g. when you book a demo), ProdSys is the controller. That processing is described in our Privacy Policy.
All ProdSys customer data is stored on servers physically located in the European Union. We use established European cloud infrastructure providers with SOC 2 and ISO 27001 certifications.
Every ProdSys customer receives a Data Processing Agreement that meets the requirements of GDPR Article 28. The DPA covers:
Request a copy of our DPA from post@prodsys.com.
As a data subject, you have the following rights regarding personal data we process about you:
If ProdSys is the processor for your data (i.e. you are an end-user of a ProdSys customer), please direct rights requests to that customer first — they control the data. If you cannot reach them, contact us at post@prodsys.com and we will help route the request appropriately.
We rely on established European service providers to deliver ProdSys. These sub-processors are bound by data processing agreements that mirror our obligations to you:
| Sub-processor | Purpose | Location |
|---|---|---|
| European cloud provider | Hosting and storage | EU 🇪🇺 |
| Email service provider | Transactional email delivery | EU 🇪🇺 |
| Backup service | Encrypted off-site backups | EU 🇪🇺 |
| Customer support platform | Support ticketing | EU 🇪🇺 |
Specific provider names are listed in our Data Processing Agreement. Customers are notified in advance of any material change to sub-processors and have the right to object.
In the event of a personal data breach affecting your data, ProdSys will notify you without undue delay and in any case within 72 hours of becoming aware, in line with GDPR Article 33.
Our notification will include the nature of the breach, the categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address it.
During the contract: Customers retain full control over their data and can delete records at any time through the ProdSys interface or via API.
At end of contract: Customers can export all their data in machine-readable formats. After a 30-day grace period (during which the customer can change their mind), all customer data is permanently deleted from our active systems.
Backups: Encrypted backups are retained for 90 days for disaster recovery purposes, after which they are cryptographically erased.
For any GDPR-related question — rights requests, DPA requests, security questionnaires, or general privacy inquiries — get in touch:
You also have the right to lodge a complaint with your local data protection authority. In Norway this is Datatilsynet. In EU member states, see the EDPB list of national authorities.
Our team is happy to walk through our security and compliance posture before you commit.