GDPR compliance.
Nitrosend complies with the EU General Data Protection Regulation (GDPR). This page covers both sides of that: how we meet our obligations as your data processor, and how the platform helps you meet yours as a data controller.
Our role: data processor
When you upload contacts to Nitrosend, you are the data controller and we are the data processor. We process your contact data solely on your documented instructions, to deliver your emails and provide analytics. We never sell your contact data or use it for our own purposes, and we never share it with third parties to train their AI models. Human access is limited to least-privilege support and security operations.
How we meet GDPR processor obligations
- Data Processing Agreement. We provide and sign a DPA covering Article 28 processor terms, our subprocessor list, and breach notification. Request one at [email protected].
- International transfers. Data is hosted on AWS in the United States. EU transfers are covered by Standard Contractual Clauses, with encryption in transit and at rest as supplementary measures.
- Data subject rights. We support access, rectification, erasure, restriction, portability, and objection. Requests relating to your contacts flow through you as controller; we provide the tooling to action them.
- Breach notification. If a breach affects your data, we notify you without undue delay so you can meet your 72-hour obligation to your supervisory authority.
- Retention and deletion. Close your account and we delete personal data within 90 days (export available within 30 days of closure). Delete a contact and it's gone from active systems immediately.
- Security measures. TLS in transit, encryption at rest, least-privilege access, audit logging. Full detail on the security page.
- Consent-aware website. Even our own marketing site runs Google Consent Mode v2 with analytics and ad storage denied by default for EU, UK, and Swiss visitors.
How Nitrosend helps you stay compliant
GDPR compliance for email marketing mostly comes down to consent, transparency, and honouring requests quickly. The platform handles the mechanics:
- Consent records. Subscription status, source, and timestamps are stored per contact, so you can evidence consent.
- One-click unsubscribe. Every marketing email includes a working unsubscribe link, enforced platform-wide. Unsubscribes are honoured instantly and automatically suppressed from future sends.
- Right to access and portability. Retrieve any contact and their stored fields programmatically via the API. Full structured exports are available on request.
- Right to erasure. Permanently delete a contact via the API. Deletion is immediate and cascades to their engagement events, flow state, and list memberships.
- Tracking controls. Open and click tracking can be disabled per account if your privacy posture requires it.
Frequently asked questions
Do I need a DPA with Nitrosend?
If you're subject to GDPR and upload personal data of EU residents, yes: Article 28 requires a written agreement with your processors. Email [email protected] and we'll sign one.
Is my data stored in the EU?
No, data is hosted on AWS in the United States under Standard Contractual Clauses. EU data residency isn't available today; if it's a hard requirement for you, tell us, as customer demand sets our infrastructure roadmap.
Is Nitrosend SOC 2 certified?
In progress. See the SOC 2 page for the honest status.
Contact
GDPR questions, DPA requests, or vendor reviews: [email protected]. The full legal detail lives in our privacy policy.