Our commitment
Samarkand OÜ is a European company built on the principle that data sovereignty is not a compliance burden — it is a foundation of trust. We are subject to the General Data Protection Regulation (Regulation (EU) 2016/679) as a company established in Estonia, a member state of the European Union.
This document describes how we implement GDPR across our group and the practical protections in place for individuals whose data we process.
1. Legal basis
1.1 We are an EU data controller
Samarkand OÜ is registered in Estonia. All of our core platforms operate within EU jurisdiction. We are not a US company with a European subsidiary, and we do not have a dual structure that places key processing decisions outside EU oversight.
1.2 Data processing register
We maintain an internal register of processing activities as required by GDPR Article 30. This covers all personal data processing operations across the Samarkand group, including:
- The categories of data processed
- The purposes and legal bases for each activity
- Data retention periods
- Processors and transfers
2. Data residency
This applies to:
- User account data
- Product usage data
- Customer communication records
- Payment-related data (processed by EU-based payment processors)
- API data for developer.waretto.com subscribers
We do not use US-based cloud infrastructure for personal data storage. We do not rely on Privacy Shield (which was invalidated by Schrems II) or similar frameworks that have been subject to legal challenge.
Where any third-party processor is based outside the EEA, we apply Standard Contractual Clauses and conduct transfer impact assessments before any data flows.
3. Data minimisation
We collect only the personal data we need for specified, explicit purposes. We review our data collection practices periodically and remove fields or processing operations that are no longer necessary.
Examples:
- Our contact form does not ask for your phone number unless you initiate a sales process
- Our analytics configuration anonymises IP addresses before storage
- API logs store identifiers, not personal data in message payloads
4. Processors and data processing agreements
All third-party service providers who process personal data on our behalf are bound by data processing agreements (DPAs) under GDPR Article 28. These agreements:
- Specify the scope and nature of processing
- Require the processor to implement appropriate security measures
- Prohibit the processor from subprocessing without our written authorisation
- Require the processor to assist with data subject rights requests
- Require notification of personal data breaches within 24 hours
On request, enterprise customers may enter into a DPA with Samarkand OÜ for the processing we perform on their behalf.
5. Security measures
We implement technical and organisational measures proportionate to the risk of our processing activities:
Technical measures
- Encryption in transit: TLS 1.2 minimum, TLS 1.3 where supported
- Encryption at rest: AES-256 for stored data
- Access controls: Role-based access, principle of least privilege, MFA required for all internal systems
- Vulnerability management: Regular penetration testing and patching policy
- Network segmentation: Production data isolated from development and test environments
- Backup and recovery: Daily encrypted backups stored in EEA, tested quarterly
Organisational measures
- Access to personal data restricted to staff who need it for their role
- Internal data protection training for all staff with access to personal data
- Documented incident response procedures
- Data protection impact assessments (DPIAs) for high-risk processing activities
6. Breach notification
In the event of a personal data breach, Samarkand OÜ will:
- Assess the breach within 24 hours of discovery
- Notify the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) within 72 hours where the breach is likely to result in risk to individuals, as required by GDPR Article 33
- Notify affected individuals without undue delay where the breach is likely to result in high risk to their rights and freedoms (GDPR Article 34)
- Document all breaches in our internal breach register, regardless of notification obligation
7. Data subject rights
We respect and facilitate all rights granted under GDPR Chapter III:
| Right | How to exercise | Response time |
|---|---|---|
| Access (Art. 15) | Email privacy@samarkandindustries.com | 30 days |
| Rectification (Art. 16) | Email or account settings | 30 days |
| Erasure (Art. 17) | Email privacy@samarkandindustries.com | 30 days |
| Restriction (Art. 18) | Email privacy@samarkandindustries.com | 30 days |
| Portability (Art. 20) | Email privacy@samarkandindustries.com | 30 days |
| Object (Art. 21) | Email privacy@samarkandindustries.com | 30 days |
| Withdraw consent (Art. 7) | Cookie manager or email | Immediate |
We do not charge for data subject requests. We may request identity verification before fulfilling a request. We will provide a reasoned response if we are unable to fulfil a request and explain the right to complain to a supervisory authority.
8. Children’s data
Our services are not directed at children under the age of 16 (the age of digital consent under Estonian law). We do not knowingly collect personal data from children. If we become aware that we have inadvertently done so, we will delete the data promptly.
9. Automated decision-making
We do not make decisions about individuals that are based solely on automated processing and that produce legal or similarly significant effects (GDPR Article 22). Where we use AI-assisted tools in our products, human review is maintained for any consequential outputs.
10. Supervisory authority
Our lead supervisory authority is:
Andmekaitse Inspektsioon (Data Protection Inspectorate)
Tatari 39, 10134 Tallinn, Estonia
aki@aki.ee
www.aki.ee
Data subjects in other EU member states may also contact their national supervisory authority.
11. Contact
For all GDPR-related queries, data subject requests, and DPA requests:
Samarkand OÜ — Data Protection
privacy@samarkandindustries.com
[Address], Tallinn, Estonia