Records of Processing Activities (Article 30(2) GDPR)

Public summary of DanubeData's Records of Processing Activities maintained as a data processor under Article 30(2) of the GDPR.

Last updated: April 26, 2026

1. Purpose and Status

This document is the public summary of the Records of Processing Activities (RoPA) that DanubeData maintains as a data processor under Article 30(2) of the General Data Protection Regulation (EU) 2016/679 ("GDPR"). It is also referenced by Section 4.10 (Records / Deletion or return of personal data) of the CISPE Code of Conduct.

This summary is sufficient to demonstrate to a supervisory authority that DanubeData maintains the records required by Article 30(2). The full RoPA, including individual customer (controller) details, is maintained internally and is made available to a competent supervisory authority on request, in accordance with Article 30(4) GDPR.

DanubeData is a processor for the personal data that customers (controllers) choose to store, transmit, or process using DanubeData services. DanubeData also acts as a controller for a separate set of processing activities relating to its own customer relationship (account management, billing, marketing); those activities are described in the Privacy Policy and are out of scope of this document.

2. Identity of the Processor

Legal entity: IFAS Consult SRL (trading as DanubeData)
Tax identification: CUI RO46614360
Trade register: J30/870/2022
Registered office: Satu Mare, Satu Mare County, Romania
Data Protection Officer: dpo@danubedata.ro
EU representative (GDPR Art. 27): Not applicable — the processor is established in the European Union (Romania)

3. Categories of Controllers

DanubeData processes personal data on behalf of the following categories of controllers:

  • Companies and sole traders established in the European Economic Area
  • Companies and sole traders established outside the EEA who use DanubeData services to process EEA personal data
  • Public-sector bodies and not-for-profit organisations
  • Individual developers and freelancers using DanubeData services in a professional capacity

For each individual controller, the contact details (legal name, registered office, billing contact, technical contact) are recorded in the customer account management system. These per-controller details are part of the full internal RoPA.

4. Categories of Processing Activities

The processing activities carried out by DanubeData on behalf of controllers, by service category, are summarised in the following table. Detailed per-service descriptions are available in the Service Catalog.

| Service | Categories of processing | Categories of personal data (controller-determined) |
|---|---|---|
| VPS Instances | Storage, transmission, virtualised compute execution, snapshot, backup | Whatever the controller stores in the VM (opaque to processor) |
| Managed Databases (MySQL, PostgreSQL, MariaDB) | Storage, transmission, query execution, replication, backup, restore | Whatever the controller stores in the database |
| Cache Instances (Redis, Valkey, Dragonfly) | In-memory storage, transmission, replication | Whatever the controller stores in the cache (typically session/transient data) |
| Object Storage (S3-compatible) | Storage, transmission, lifecycle management, versioning, replication | Whatever the controller uploads to buckets |
| Serverless Containers (Rapids) | Container build, image storage, autoscaled execution, request routing | Whatever the controller's container code processes |
| Static Sites | Source build, asset hosting, CDN-style delivery, TLS termination | Visitor IP and request metadata in access logs (where the controller has a privacy notice) |
| Managed Applications | Pre-configured deployment, lifecycle management, in-place upgrades, snapshot | Whatever the controller stores in the application |
| Storage Share (Nextcloud) | File storage, file sharing, collaborative editing, calendaring, contacts | Files, contacts, calendar entries uploaded by the controller |
| Queue Instances (RabbitMQ) | Message queueing and brokering (AMQP, MQTT, STOMP) | Whatever the controller publishes to queues |
| Volumes & Snapshots | Block storage attachment, point-in-time snapshot, restore | Whatever the controller writes to the volume |

DanubeData does not access, mine, profile, or otherwise process Customer Data for its own purposes. The processor's processing is strictly limited to what is necessary to provide and maintain the contracted services, as documented in the Data Processing Agreement (DPA) and the Service Catalog.

5. Categories of Recipients (Sub-Processors)

DanubeData uses the sub-processors listed at /sub-processors to deliver the services. The sub-processor list includes, for each entity, the purpose of the processing, categories of personal data, location, and applicable transfer mechanism. Customers are entitled to receive 30 days' advance notice of any change to the sub-processor list and may object as described on that page.

6. Transfers to Third Countries

All customer-data processing infrastructure (compute, storage, databases, caches, queues) is operated by DanubeData inside the European Union, in Hetzner data centres located in Falkenstein and Nuremberg, Germany. No customer payload data is routed outside the EEA by DanubeData.

A small number of supporting services involve transfer to non-EEA recipients. For each such recipient, an EU Standard Contractual Clauses (SCCs, Commission Decision 2021/914) agreement is in place, supplemented by technical measures (encryption in transit and, where applicable, at rest):

  • Stripe, Inc. — payment processing (United States); SCCs in place.
  • Google LLC — OAuth sign-in (opt-in by user) and consent-based analytics (United States); SCCs in place.
  • GitHub, Inc. — OAuth sign-in (opt-in by user) (United States); SCCs in place.
  • Bugsnag (SmartBear Software Inc.) — application error monitoring (United States); SCCs in place. Customer Data is not transmitted in error reports; only error metadata.

Customers may operate entirely within the EEA by declining the optional OAuth providers and by using the platform's email-based authentication.

7. Retention Periods

Customer Data is retained for as long as the customer instructs the processor to retain it. Specifically:

  • Active services — data is retained as long as the service is active.
  • Snapshots and backups — retained according to the customer's configured retention policy (default: 30 days for automated snapshots; configurable per service).
  • On service termination — Customer Data is deleted within 30 days of service termination (or returned in a portable format on request before deletion), as set out in DPA Section 11. Backup copies overwritten by retention rotation are unrecoverable thereafter.
  • Audit logs — customer-facing audit logs are retained for 90 days; system-level logs (Loki) for 30 days.

8. Technical and Organisational Security Measures

A high-level summary is provided below. Full details are documented in the CISPE Annex A mapping, the Security Program, and the Information Security Program.

  • Encryption — AES-256 at rest; TLS 1.2 / 1.3 in transit; HashiCorp Vault for key management.
  • Network — Cilium-enforced default-deny policies; per-tenant Kubernetes namespaces; per-instance firewalls; DDoS protection at network edge.
  • Access — mandatory 2FA for staff; SSH CA with session recording; just-in-time elevation; least-privilege RBAC.
  • Logging — immutable per-team audit log; centralised platform logs; staff actions on customer resources are logged with actor, action, IP, request ID.
  • Resilience — 3-2-1 backup; per-service RTO/RPO targets; annual DR drill; quarterly restore verification.
  • Vulnerability — continuous CVE scanning; severity-based patch SLAs (critical 24h, high 7d); annual external penetration test.
  • Incident response — documented policy; customer notification within 24 hours of confirmation; named DPO contact.

9. Maintenance and Disclosure

This RoPA summary is reviewed annually and updated whenever a material change occurs to the categories of processing, sub-processors, transfer mechanisms, retention periods, or security measures. The "Last updated" date at the top of this page reflects the most recent revision.

The full internal RoPA, including per-controller records, will be made available to a competent supervisory authority upon request in accordance with Article 30(4) GDPR. Controllers may also receive an extract relating to their own processing on request via dpo@danubedata.ro.
