Data Processing & GDPR Compliance

Data Privacy & our DPA

Prepr processes personal data strictly under our customers’ instructions and in full alignment with the GDPR. This page summarizes how we operate as a data Processor and outlines the key protections defined in our Data Processing Agreement (DPA).

How Prepr protects your data as a GDPR Processor

As a data Processor, Prepr handles personal data exclusively on the documented instructions of our customers, who act as Controllers. Every processing activity we perform is designed to meet the highest standards of EU data protection. This includes strict GDPR compliance, robust security measures, transparent use of sub-processors, and full support for data subject rights.

This page provides an overview of how Prepr processes and protects customer data under the GDPR and under the terms of our Data Processing Agreement (DPA v2.2).

1. Roles under GDPR

Customer = Controller

The Controller determines the purpose and means of the processing and is responsible for:

  • establishing the lawful basis,
  • deciding which personal data is collected,
  • defining data retention periods,
  • handling communication with data subjects.

Prepr = Processor

Prepr processes personal data only on the Controller’s documented instructions and never for its own purposes. Prepr does not determine:

  • how long customer data is retained,
  • what personal data is collected,
  • how personal data is used or shared.

2. What data Prepr processes

Processed data

  • IP address
  • Pages requested
  • Referrer
  • Browser type
  • Request date and time

This is the basic data set required to use personalization features in Prepr. All processed data is defined by the Controller during implementation.

Optionally processed data

  • Name
  • Email address
  • Account creation date
  • Last activity timestamps
  • Events & tags

All optional fields are defined by the Controller during implementation.

3. GDPR responsibilities

Controller responsibilities

Controllers must:

  • Identify the lawful basis for processing
  • Define the purposes and means of processing
  • Handle data subject requests (DSARs)
  • Maintain their own GDPR compliance measures

Prepr responsibilities as Processor

Prepr:

  • Processes data only on documented instructions
  • Implements appropriate technical and organizational measures
  • Ensures confidentiality for all staff
  • Assists Controllers with GDPR obligations
  • Provides transparency and supports audits

4. Technical and organizational measures

Prepr maintains strong security measures aligned with ISO standards.

Infrastructure & hosting

  • ISO 27001:2015, ISO 9001:2015, ISAE 3402 Type II
  • Redundant, multi-datacenter hosting within the Netherlands
  • Auto-scalable Kubernetes architecture

Data protection

  • Encryption in transit (TLS/HTTPS)
  • Encryption at rest
  • Nightly backups
  • Disaster recovery capabilities

Application security

  • API key management
  • Intrusion detection and threat monitoring
  • Protections against SQLi, XSS, DDoS

Access control

  • RBAC
  • Two-factor authentication
  • SSO integrations (Azure, Google, SAML)
  • Confidentiality obligations for all employees

For more details, see our Security page.

5. Sub-processors

Prepr engages trusted sub-processors to deliver certain components of our service (e.g., infrastructure, CDN, monitoring).

All sub-processors:

  • are bound by the same or stricter GDPR obligations,
  • are continuously assessed for security and compliance,
  • may only be used after notifying customers where required.

A full list of sub-processors is available on our website.

6. Data location & international transfers

All customer data is stored and processed within the European Union.

Prepr does not process or transfer personal data outside the EU without explicit written approval from the Controller.

7. Data retention & deletion

Default retention in Prepr CMS

Prepr automatically deletes inactive customer profiles after 90 days of inactivity unless refreshed by a SignUp event.

End-of-contract

Upon termination, Controllers may choose to:

  • have their data returned, or
  • have all data securely deleted.

Prepr deletes remaining copies in accordance with legal requirements.

8. Data subject rights (DSAR) support

Prepr helps Controllers fulfil GDPR requests.

Supported rights

  • Right of access → export customer data in JSON
  • Right to erasure → delete customer profiles instantly
  • Right to rectification → update via UI or API
  • Right to restriction/objection → manage via configuration

Any DSAR addressed directly to Prepr is forwarded to the Controller.

Prepr also provides support for DPIAs where required.

9. Personal data breach notification

Prepr will notify the Controller without undue delay, with a target of 48 hours after discovering a breach.

The Controller is responsible for contacting:

  • supervisory authorities, and
  • affected data subjects, when required under the GDPR.

10. Confidentiality

All Prepr employees are subject to strict confidentiality obligations.

Only staff who require access for operational purposes can access personal data, and all access is logged and monitored.

11. Audits & transparency

Prepr provides Controllers with:

  • access to the information needed to verify GDPR compliance,
  • the ability to request audits under the terms of the DPA,
  • transparency around security controls and processing activities.

Audit procedures follow the DPA terms.

12. Material changes & notifications

Prepr notifies customers in advance of significant changes to:

  • sub-processors,
  • data center locations,
  • key security measures,
  • service architecture.

13. Data Processing Agreement (DPA)

The current version of the Prepr Data Processing Agreement (v2.2, November 2025) is available for download.

14. Contact

For any questions about privacy or the DPA: