Compliance December 2025

GDPR, CCPA, and Beyond: Global Data Protection Compliance

From Standard Contractual Clauses to 30-day data deletion guarantees, our approach to international data compliance.

Global supply chains mean global data. When your operations span continents, you need an AI partner that understands and complies with international data protection requirements.

Our Compliance Framework

Authentica is designed to meet the requirements of major data protection regulations worldwide. Here’s how we approach compliance:

GDPR (European Union)

For customers processing personal data of EU residents, we provide:

  • Data Processing Agreement (DPA): A comprehensive DPA that meets Article 28 requirements
  • Standard Contractual Clauses (SCCs): EU-approved SCCs for international data transfers
  • Data subject rights support: We respond to data subject requests within 10 business days
  • Record of processing activities: Maintained and available for audit

CCPA/CPRA (California)

For California consumer data:

  • We do not sell personal information
  • We do not share personal information for cross-context behavioral advertising
  • We support right to know, delete, and correct requests
  • We maintain appropriate service provider contractual commitments

UK Data Protection

For UK data transfers post-Brexit:

  • UK International Data Transfer Agreement (IDTA)
  • UK Addendum to EU SCCs where applicable

International Data Transfers

Our primary data hosting is in the United States. For transfers of personal data from regions with adequacy requirements, we rely on:

  • Standard Contractual Clauses approved by the European Commission (2021 version)
  • Supplementary measures including encryption, access controls, and contractual commitments
  • Transfer impact assessments for high-risk transfers

We provide 60 days’ notice before making material changes to data residency.

Data Deletion Guarantees

When your service ends, we don’t hold onto your data:

  • 30-day deletion window: All customer data deleted within 30 days of termination
  • Written certification: Deletion certificate provided upon request
  • Backup purging: Data in backup systems follows our standard 30-day rolling retention
  • Data return option: You can request a data export before deletion

Subprocessor Management

We maintain a list of subprocessors (third parties that process customer data on our behalf):

  • Published list: Current subprocessors are listed at authenti.ca/legal/subprocessors
  • 30-day notice: We notify customers before authorizing new subprocessors
  • Objection rights: Customers can object to new subprocessors
  • Contractual flow-down: All subprocessors are bound by equivalent data protection obligations

Breach Notification

If a security incident affects personal data:

  • 72-hour notification: We notify affected customers within 72 hours of confirmation
  • Detailed reporting: Nature of the incident, categories of data affected, likely consequences, and remediation measures
  • Regulatory cooperation: We assist with notifications to supervisory authorities as needed

Ongoing Compliance

Data protection law evolves, and so do we:

  • Regular review of policies against regulatory guidance
  • Annual DPA updates to reflect legal developments
  • Monitoring of new state privacy laws (Virginia, Colorado, Connecticut, etc.)
  • Proactive adaptation to emerging AI regulations

Working With Your Compliance Team

We’re happy to support your compliance process:

  • Pre-signed DPAs available for quick review
  • Responses to vendor security questionnaires
  • Calls with your legal/privacy teams to walk through our practices
  • Documentation for your vendor risk assessments

Contact us to discuss your specific compliance requirements.