GDPR & UK GDPR statement

1. Roles & responsibilities

We are the controller for our own marketing data and the processor for client-provided data. Sub-processors are vetted, contractually bound, and listed in the DPA.

2. Security controls

• SSO + MFA enforced for all production systems.
• Quarterly access reviews and logging across cloud infrastructure.
• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Incident response playbooks tested twice per year.

3. Data subject rights

Requests can be initiated via privacy@digimastersconsult.com. We authenticate the requester, log the request, and respond within statutory timelines.

4. Sub-processor list

Core vendors include Google Cloud Platform (EU-West), Microsoft 365, HubSpot, and AWS (eu-west-1). Custom engagements may add region-specific tools with prior approval.

5. Data residency

Primary systems are hosted in the United Kingdom with disaster recovery in the EU. GCC data mirrors stay in-region when legally required.