Sistava

General Data Protection Regulation (GDPR)

EU Data Protection Compliance

Our Commitment to GDPR

Sistava is headquartered in the Netherlands and operates under the full scope of the General Data Protection Regulation (GDPR). We process personal data lawfully, transparently, and only for the purposes our customers expect. Every feature we build starts with privacy by design. We do not collect data we do not need, we do not retain data longer than necessary, and we do not share data with third parties unless required to deliver our service.

Data Subject Rights

We fully support all data subject rights under GDPR: access, rectification, erasure, restriction of processing, data portability, and the right to object. Requests can be submitted through our support channels and are processed within the legally required timeframe. Our Data Processing Agreement (DPA) is available to all customers and covers the specific terms under which we process data on their behalf as a data processor.

Technical Safeguards

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). We enforce strict tenant isolation at every layer of our stack: database, application, cache, and file storage. Personal data never crosses tenant boundaries. We maintain detailed processing records, conduct regular privacy impact assessments, and have appointed a data protection point of contact reachable at privacy@sista.ai.

What This Means for Customers