Indispensabile pentru funcționarea site-ului (autentificare, preferințe, securitate). Mereu active.
LEGAL · DATA PROTECTION
Data Processing& GDPR
TABLE OF CONTENTS
Procurement-facing GDPR summary
This page is the operational overview we expect privacy, security, procurement, and legal teams to read first. It complements the Privacy Policy and any executed DPA; it does not replace either of them.
Purpose of This Page
This page summarises Altovar's public GDPR and data-processing posture for procurement, legal, security, and privacy review. It is designed to answer the recurring questions raised during vendor onboarding, due diligence, and security assessments.
It complements — and does not replace — the Privacy Policy, Cookie Policy, Terms of Service, and any executed Data Processing Agreement (DPA).
It complements — and does not replace — the Privacy Policy, Cookie Policy, Terms of Service, and any executed Data Processing Agreement (DPA).
Controller / Processor Role Allocation
Altovar as controller: For personal data collected through our website, sales motions, account administration, invoicing, support correspondence, and marketing preferences, Altovar acts as an independent data controller.
Altovar as processor: Where a customer uses Altovar services to store, analyse, transmit, or otherwise process personal data on that customer's behalf, Altovar acts as processor and the customer remains controller unless a different allocation is defined in the contract or service architecture.
Role allocation is further specified in the applicable Order Form, service documentation, and DPA.
Altovar as processor: Where a customer uses Altovar services to store, analyse, transmit, or otherwise process personal data on that customer's behalf, Altovar acts as processor and the customer remains controller unless a different allocation is defined in the contract or service architecture.
Role allocation is further specified in the applicable Order Form, service documentation, and DPA.
EU Data Residency & Hosting Position
Altovar is established in Europe and designs its infrastructure strategy to preserve EU jurisdictional control, low transfer risk, and operational transparency.
Our standard service posture is EU-hosted. Primary application workloads, databases, backups, and operational systems are selected to keep production data inside the EEA wherever the product architecture allows. Where edge-delivery or support tooling introduces a third-country touchpoint, Altovar applies documented safeguards and limits access to the minimum necessary scope.
Our standard service posture is EU-hosted. Primary application workloads, databases, backups, and operational systems are selected to keep production data inside the EEA wherever the product architecture allows. Where edge-delivery or support tooling introduces a third-country touchpoint, Altovar applies documented safeguards and limits access to the minimum necessary scope.
Data Processing Agreement Availability
Altovar provides a Data Processing Agreement for processor scenarios. For Business and Enterprise arrangements, DPA language may be embedded in the Order Form or master services agreement. For other customers, a standard DPA is available on request.
The DPA covers processing instructions, confidentiality, subprocessors, security measures, breach notification, assistance with data-subject rights, deletion / return of data, and audit cooperation within commercially reasonable boundaries.
Requests for a DPA or contract addendum can be sent to [email protected].
The DPA covers processing instructions, confidentiality, subprocessors, security measures, breach notification, assistance with data-subject rights, deletion / return of data, and audit cooperation within commercially reasonable boundaries.
Requests for a DPA or contract addendum can be sent to [email protected].
Subprocessor Governance
Altovar uses a controlled vendor review process for infrastructure, payments, communications, and supporting security services. Each processor or subprocessor is evaluated for technical fit, jurisdictional implications, security controls, contractual coverage, and incident-response maturity before production use.
Subprocessors are bound by written contracts that reflect GDPR Article 28 requirements where applicable. Altovar maintains an internal register of subprocessors and provides notice of material changes through the contractual mechanisms defined in the DPA or customer agreement.
Subprocessors are bound by written contracts that reflect GDPR Article 28 requirements where applicable. Altovar maintains an internal register of subprocessors and provides notice of material changes through the contractual mechanisms defined in the DPA or customer agreement.
Technical & Organisational Measures
Altovar applies layered technical and organisational measures appropriate to the sensitivity of the workload and the service tier involved. These measures typically include access control, least-privilege administration, MFA on internal systems, encrypted transport, encrypted storage where relevant, audit logging, vulnerability management, backup controls, and environment segregation.
Our measures are reviewed as products evolve. Where a customer requires a TOMs summary for procurement or audit purposes, Altovar can provide a current overview under NDA or as part of the DPA / security review workflow.
Our measures are reviewed as products evolve. Where a customer requires a TOMs summary for procurement or audit purposes, Altovar can provide a current overview under NDA or as part of the DPA / security review workflow.
Data Subject Rights & Customer Assistance
When Altovar acts as controller, we respond directly to access, rectification, deletion, objection, portability, and restriction requests in line with our Privacy Policy.
When Altovar acts as processor, we assist the customer — within the capabilities of the service and the contractual framework — so the customer can meet its own obligations toward data subjects. This may include export support, deletion workflows, access logging, or operational coordination through support and privacy channels.
When Altovar acts as processor, we assist the customer — within the capabilities of the service and the contractual framework — so the customer can meet its own obligations toward data subjects. This may include export support, deletion workflows, access logging, or operational coordination through support and privacy channels.
Incident Handling & Breach Notification
Altovar operates incident-management procedures for security, availability, confidentiality, and integrity events affecting customer or corporate data.
Where Altovar acts as processor and becomes aware of a personal-data breach affecting customer data, we notify the customer without undue delay so the customer can assess any supervisory-authority or data-subject notification obligations. Where Altovar acts as controller, we assess and handle notification duties directly in accordance with GDPR and applicable national law.
Where Altovar acts as processor and becomes aware of a personal-data breach affecting customer data, we notify the customer without undue delay so the customer can assess any supervisory-authority or data-subject notification obligations. Where Altovar acts as controller, we assess and handle notification duties directly in accordance with GDPR and applicable national law.
International Transfers & Safeguards
Altovar does not position third-country transfers as a default operating model. If a specific service dependency, support flow, or edge-delivery function creates a transfer scenario, Altovar relies on an identified legal transfer mechanism and proportionate supplementary measures before production use.
Depending on the vendor and processing context, these safeguards may include adequacy decisions, Standard Contractual Clauses, access minimisation, encryption, and transfer-impact assessment work.
Depending on the vendor and processing context, these safeguards may include adequacy decisions, Standard Contractual Clauses, access minimisation, encryption, and transfer-impact assessment work.