GDPR Compliant by Design
Proflow is built with data protection at its core. Every deployment model — cloud or on-premise — is covered by Data Processing Agreements at every level.
Data Processing Chain
Every entity in the data processing chain operates under a signed Data Processing Agreement. No gaps, no exceptions.
Your Company
You control owner and property data. You decide what is processed and why.
Proflow
We process data on your behalf under a signed DPA. We follow your instructions and protect your data.
Infrastructure & AI Providers
Hetzner (Germany) for hosting, Anthropic, Voyage AI, Cohere, and Google for AI processing — all under DPAs. US transfers protected by Standard Contractual Clauses.
DPA coverage at every level — signed agreements between each entity ensure your data is protected throughout the entire processing chain. Full sub-processor inventory maintained per Art. 28.
How We Protect Your Data
Data Processing Agreements
Every data relationship is covered by a signed Data Processing Agreement (DPA). This applies to Proflow as your processor, to our cloud infrastructure providers, and to any AI providers used for email analysis.
On-Premise or Cloud — Both Protected
Choose on-premise deployment for maximum control, or cloud hosting with European data centers. Both options are fully GDPR compliant with DPAs in place at every level of the stack.
Encryption Everywhere
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Email content, owner information, and AI processing data are protected at every stage.
Transparent AI Processing
AI providers used for email classification and reply generation operate under strict DPAs. Your data is never used for model training. You can switch AI providers at any time or use local models for complete data isolation.
Role-Based Access Control
Fine-grained permissions ensure only authorized personnel access sensitive data. Full audit trail logs every action — who accessed what, when, and why.
Data Lifecycle & Subject Rights
Proflow implements a three-stage data lifecycle: soft delete, anonymization, and permanent deletion. Automated retention policies enforce configurable cleanup periods. Full support for all GDPR data subject rights — access, rectification, erasure, portability, and restriction.
Data Lifecycle
Proflow implements a three-stage data lifecycle to ensure data is retained only as long as needed — and permanently removed when it's not.
Soft Delete
Records are marked as deleted but preserved for recovery. Fully reversible during the retention window.
Anonymization
Personal data is permanently anonymized per Art. 17. Cascade anonymization removes linked messages, attachments, and AI embeddings.
Permanent Deletion
Anonymized records are purged from all systems. Automated daily cleanup runs at 03:00 UTC to enforce retention policies.
Sub-Processors
Full transparency on every third party that processes data on your behalf. All sub-processors operate under Data Processing Agreements.
| Provider | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Hetzner | Infrastructure hosting | Germany (EU) | N/A |
| Anthropic | Email AI processing (Claude) | USA | SCCs |
| Voyage AI | Vector embeddings | USA | SCCs |
| Cohere | Semantic reranking | USA | SCCs |
| Google | Alternative AI processing (Gemini) | USA | SCCs |
On-premise deployment and self-hosted models (Ollama) are available as alternatives that keep all data processing in-house.
Compliance Checklist
Proflow meets all requirements for GDPR-compliant property management software.
Frequently Asked Questions
Where is my data stored?
With cloud deployment, your data is stored in European data centers (Hetzner, Germany). With on-premise deployment, data never leaves your own servers. You choose the model that fits your compliance requirements.
Does AI processing send data outside the EU?
By default, no. Proflow supports EU-hosted AI providers and local models (Ollama). If you choose a non-EU AI provider, this is covered by appropriate DPAs and Standard Contractual Clauses. You can switch providers at any time.
Can I get a copy of the DPA?
Yes. We provide our standard Data Processing Agreement to all customers before deployment. Contact us to request a copy or to discuss custom terms.
How do you handle data retention?
Proflow enforces a three-stage data lifecycle: soft delete, anonymization, and permanent deletion. Default retention periods are 90 days for soft-deleted records, 3 years for emails, and 1 year for AI conversations — all configurable. Automated cleanup runs daily to enforce these policies.
What happens if there is a data breach?
Proflow has a documented incident response procedure. We notify affected customers within 72 hours as required by GDPR, with full details of the breach scope, affected data, and remediation steps.
Is Proflow compliant with Slovak data protection law?
Yes. Proflow complies with both GDPR and the Slovak Act on Personal Data Protection (18/2018 Z.z.). Our DPAs reflect both EU and local Slovak requirements.
What is data anonymization in Proflow?
Proflow irreversibly anonymizes personal data for users, owners, and mail messages in accordance with Art. 17 (Right to Erasure). Cascade anonymization automatically removes linked attachments and AI embeddings, ensuring no personal data traces remain in the system.
What AI sub-processors does Proflow use?
Proflow integrates with Anthropic (Claude), Voyage AI (embeddings), Cohere (reranking), and Google (Gemini) — all under DPAs with Standard Contractual Clauses for US transfers. Self-hosted alternatives like Ollama are available for organizations requiring full data isolation.
How do I submit a Data Subject Access Request?
Proflow has a documented DSAR procedure covering all rights under Art. 15-22 — including access, rectification, erasure, portability, and restriction. Requests are processed within 30 days. Contact your Proflow administrator or reach out to us directly.
What GDPR documentation does Proflow maintain?
Proflow maintains a Record of Processing Activities (Art. 30), a documented DSAR procedure (Art. 15-22), a Data Processors Inventory (Art. 28), and a Breach Response procedure (Art. 33-34). All documentation is kept up to date and available upon request.