We believe trust is earned, not claimed.
Trust
v1.4
This page gives you a transparent, complete view of how Polser protects the data you and your customers entrust to us - from our security controls to our subprocessors and data transfer mechanisms.
Privacy & Compliance
Polser is built to meet the requirements of EU GDPR and UK GDPR. We act as a data processor on behalf of our customers, who remain the data controllers for the personal data processed through our platform. We only process data as instructed.
EU GDPR
Our platform and processes are designed to comply with Regulation (EU) 2016/679, including Article 28 processor obligations, data minimisation, and breach notification.
UK GDPR & DPA 2018
We comply with UK GDPR as defined in the UK Data Protection Act 2018, and are able to enter into UK-specific data processing agreements including the ICO UK IDTA.
Data Processing Agreement
We provide a standard DPA to all customers. It covers processor obligations, subprocessors, security, breach notification, and data transfers. Available on request — see below.
Breach Notification
In the event of a confirmed Personal Data Breach affecting your data, we will notify you without undue delay and within 72 hours of becoming aware, in line with Article 33 GDPR.
Security Measures
We implement technical and organisational measures (TOMs) to protect Personal Data against unauthorised access, loss, or disclosure. Below is a summary of our primary controls.
Infrastructure
Hosted on Amazon Web Services (AWS) in the eu-west-1 (Ireland) region, within ISO 27001-certified data centres. Network segmentation, firewalls, and intrusion detection are in place.
Encryption
All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 or equivalent. Backups are encrypted.
Access Control
Role-based access controls (RBAC) and multi-factor authentication (MFA) are required for all staff accessing production systems. The principle of least privilege is enforced. Access is revoked immediately upon termination.
Availability & Resilience
Redundant architecture with automated failover. Regular backups with tested restore procedures. Documented business continuity and disaster recovery plans.
Vulnerability Management
Regular vulnerability scanning and penetration testing. Patch management programme in place. We operate a responsible disclosure policy for security researchers.
Personnel & Training
All staff with access to Personal Data are subject to confidentiality obligations and receive security awareness training. Background checks are conducted upon employment.
We are happy to provide additional information about our security practices on request, including completing security questionnaires. Contact us at legal@polser.io.
International Data Transfers
Polser is a US-incorporated company and may transfer personal data from the EU and UK to the United States. We ensure all such transfers are covered by a recognised legal mechanism.
EU–US Data Privacy Framework (Primary)
Polser, Inc. is a certified participant in the EU–US Data Privacy Framework and the UK Extension to the EU–US Data Privacy Framework, administered by the U.S. Department of Commerce. Our certification covers the transfer of personal data from the EU/EEA and UK to the United States. You can verify our current certification status at dataprivacyframework.gov/list.
Standard Contractual Clauses / UK IDTA (Fallback)
Where required by your DPO or where the DPF does not cover a specific transfer, we are able to execute the EU Standard Contractual Clauses (Module 2: Controller to Processor) and/or the ICO UK International Data Transfer Addendum. Please contact us at legal@polser.io to request execution.
Subprocessors
Polser engages a limited number of trusted third-party subprocessors to deliver the platform. All subprocessors are subject to data processing agreements with substantially equivalent security obligations. We provide at least 30 days' notice before engaging a new subprocessor or replacing an existing one.
Amazon Web Services (AWS EMEA SARL)
Location: Luxembourg / Ireland (eu-west-1)
Purpose: Cloud infrastructure and hosting. Stores and processes all Polser platform data including customer contacts, conversation data, files, backups, and logs.
Transfer mechanism: Standard Contractual Clauses (incorporated in AWS Service Terms)
Meta Platforms Ireland Limited
Location: Ireland
Purpose: WhatsApp Business API gateway. Processes phone numbers, WhatsApp IDs, message content and media, and delivery metadata to transmit and receive messages through the platform.
Transfer mechanism: EU–US Data Privacy Framework / Standard Contractual Clauses
OpenAI Ireland Limited
Location: Ireland
Purpose: AI-assisted features. Processes message text and knowledge base content to power Instant Answers and AI-assisted drafting. Engaged only when AI features are enabled by the customer.
Transfer mechanism: Standard Contractual Clauses (OpenAI Business DPA)
ElevenLabs, Inc.
Location: United States
Purpose: Text-to-voice conversion. Processes text content submitted through the platform to generate synthetic voice messages. Engaged only when voice note features are enabled by the customer.
Transfer mechanism: EU–US Data Privacy Framework / Standard Contractual Clauses
DeepL SE
Location: Germany (EU)
Purpose: Message translation. Processes message text to translate conversations between languages when the translation feature is enabled by the customer.
Transfer mechanism: No transfer applicable — processing within the EU/EEA
Mixpanel, Inc.
Location: United States
Purpose: Product analytics. Processes pseudonymous user and tenant identifiers and usage event data for service analytics and product improvement. No message content is processed.
Transfer mechanism: Standard Contractual Clauses (Mixpanel DPA)
PostHog, Inc.
Location: United States (EU Cloud — Frankfurt)
Purpose: Product analytics and session insights. Processes pseudonymous user identifiers and usage events to support product improvement. Deployed on EU Cloud infrastructure.
Transfer mechanism: EU hosting (Frankfurt) / Standard Contractual Clauses as fallback
Okta, Inc. (Auth0)
Location: United States
Purpose: Authentication and identity management. Processes account identifiers, email addresses, and authentication tokens to verify user identity and manage secure login to the platform.
Transfer mechanism: Standard Contractual Clauses (Okta Data Processing Addendum)
650 Industries, Inc. (Expo)
Location: United States
Purpose: Mobile app infrastructure. Processes customer name and short message preview solely to route push notifications to the Polser mobile app on iOS and Android devices.
Transfer mechanism: EU–US Data Privacy Framework / UK Extension
Google Ireland Limited (Firebase Cloud Messaging)
Location: Ireland
Purpose: Android push notification delivery. Processes customer name and short message preview to deliver notifications to Android devices.
Transfer mechanism: Standard Contractual Clauses (Firebase Service-Specific Terms)
Apple Inc. (Apple Push Notification service)
Location: United States
Purpose: iOS push notification delivery. Processes customer name and short message preview to deliver notifications to iPhone and iPad devices.
Transfer mechanism: Apple Developer Program data processing terms / Apple EU Data Transfer Agreement
Data Processing Agreement
Our standard DPA is available on request and can be countersigned promptly. We are also able to review and sign customer-provided DPAs for enterprise and public sector customers.
Please contact us at legal@polser.io to request our standard DPA or send us yours to review.
Have questions about data privacy or security?
Our team is happy to answer questions from your DPO, procurement team, or legal counsel. We typically respond within one business day at legal@polser.io.

