GDPR Compliance

ESG Automated is committed to GDPR compliance. This page explains how we protect the rights of EU and UK data subjects and the obligations we fulfill as a data processor.

Article 28 Compliant

Our Data Processing Agreement meets all Article 28 requirements for processor contracts.

EU SCCs in Place

International data transfers use EU Standard Contractual Clauses (Module 2).

SOC 2 Type II

Third-party audited security controls covering security, availability, and confidentiality.

72-Hour Breach Notification

We notify affected customers within 72 hours of discovering a personal data breach.

30-Day Deletion

All personal data is deleted within 30 days of account termination or written request.

Appointed DPO

We have a designated Data Protection Officer available at dpo@automatedesg.com.

Lawful basis for processing

Under GDPR Article 6, we rely on the following lawful bases for processing personal data:

  • Contract performance (Art. 6(1)(b)): Processing necessary to deliver the platform services you have subscribed to, including account management, billing, and report generation.
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, platform improvement through aggregate analytics, and direct marketing to existing customers (with opt-out available).
  • Consent (Art. 6(1)(a)): Non-essential cookies and optional marketing communications.
  • Legal obligation (Art. 6(1)(c)): Compliance with tax, accounting, and regulatory requirements.

Your rights under GDPR

If you are in the EU or UK, you have the following rights under the GDPR. To exercise any right, contact privacy@automatedesg.com. We will respond within 30 days.

Art. 15
Right of Access

Request a copy of the personal data we hold about you, how we use it, and who we share it with.

Art. 16
Right to Rectification

Request correction of inaccurate personal data. You can also update most account information directly in Settings.

Art. 17
Right to Erasure

Request deletion of your personal data. We'll delete within 30 days unless we have a legal obligation to retain it.

Art. 18
Right to Restriction

Request that we restrict processing of your data in certain circumstances, such as while a dispute is pending.

Art. 20
Right to Portability

Receive your personal data in a structured, machine-readable format (JSON or CSV). Available via Settings → Export.

Art. 21
Right to Object

Object to processing based on legitimate interests, including direct marketing. Opt out of marketing in your account preferences.

You also have the right to lodge a complaint with your national supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu. UK residents may contact the ICO.

International data transfers

Our infrastructure is hosted on Amazon Web Services (us-east-1) in the United States. When data is transferred from the EEA or UK to the US, we rely on:

  • EU Standard Contractual Clauses (Module 2) — Controller to Processor, as adopted by European Commission Decision 2021/914.
  • UK International Data Transfer Agreement (IDTA) — for transfers from the United Kingdom.

A copy of our SCCs is incorporated into the Data Processing Agreement. You accept the SCCs when you agree to the DPA during account creation.

Questions about GDPR compliance?

Our Data Protection Officer can answer questions about our privacy practices, your rights, or our legal basis for processing.

DPO: dpo@automatedesg.com · ESG Automated, Inc. · 123 Market Street, Suite 400 · San Francisco, CA 94105