GDPR Compliance Statement

At Vistaly, we are committed to protecting the privacy and personal data of our users in compliance with the General Data Protection Regulation (GDPR). Our approach to GDPR compliance includes:

Data Collection and Processing

We only collect and process personal data that is necessary for the operation of our services. All data processing activities are reviewed regularly.

For more information, see our Data Processing Addendum.

User Rights

Vistaly respects and upholds the rights of individuals under GDPR, including the right to access, correct, delete, and restrict the processing of their personal data. Users can exercise these rights by contacting our Data Protection Officer at dpo@vistaly.com.

Data Security

We implement robust security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. Our security practices are aligned with industry standards, as evidenced by our SOC 2 Type 2 certification.

Data Residency

Vistaly offers a choice of data residency region — United States or European Union — during account creation. Customers who select European Union residency have their primary application data (databases, file storage, and backups) stored and processed within the EU (AWS eu-west-1). The infrastructure is fully separated between regions.

Certain platform services operate outside the chosen data residency region. Authentication services (AWS Cognito) are hosted in the United States for all customers. A minimal account directory (account identifiers and URL slugs) is replicated globally for service availability.

Cross-Border Data Transfers

Even with EU data residency, some sub-processors process data in the United States. Notably, AI-powered features within Vistaly are processed by Anthropic, which is based in the United States and is not currently certified under the EU-U.S. Data Privacy Framework.

For all transfers of personal data to sub-processors located outside the customer’s chosen region, Vistaly relies on appropriate safeguards including the EU-U.S. Data Privacy Framework (where the sub-processor is certified), Standard Contractual Clauses (SCCs), and Data Processing Agreements (DPAs). For a complete list of sub-processors and their data processing regions, see our Sub-Processors page.

Data Breach Notification

In the event of a data breach, we will notify affected customers within 72 hours of becoming aware of the breach, and will promptly notify relevant supervisory authorities as required by GDPR.

Third-Party Processors

We ensure that all third-party processors with whom we share personal data comply with GDPR requirements through Data Processing Agreements (DPAs). Our Sub-Processors page details each processor, including their data processing region and EU-U.S. Data Privacy Framework certification status, so you can see which processors may handle data outside your chosen residency region.

Continuous Improvement

We regularly review and update our policies and procedures to ensure ongoing compliance with GDPR.

For more detailed information about our data protection practices, please refer to our Privacy Policy and Cookie Policy.

If you have any questions or concerns about our GDPR compliance, please contact our Data Protection Officer at dpo@vistaly.com.