Legal & Compliance

GDPR Compliance

SenAsset is fully committed to compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. This page explains how we meet our obligations as a data processor and data controller, your rights as a data subject, and how to exercise those rights.

GDPR CompliantEU Data Residency AvailableDPA AvailableDPO Appointed

Data Controller Information

Data Controller

SenAsset, Inc.

548 Market St, Suite 12900

San Francisco, CA 94104

United States

privacy@senasset.com

Data Protection Officer

DPO — SenAsset, Inc.

Appointed in accordance with Art. 37 GDPR

dpo@senasset.com

Contact our DPO for any GDPR-related enquiries, data subject requests, or to report a potential data breach.

Our Role Under GDPR

SenAsset acts in two distinct capacities under GDPR, depending on the type of data involved:

Data Controller

For personal data of our customers — such as account holder names, email addresses, and billing information — SenAsset is the data controller. We determine the purposes and means of processing this data.

Data Processor

For personal data that our customers upload to the SenAsset platform — such as asset assignee information and user records — SenAsset acts as a data processor, processing that data on your instructions only.

Lawful Basis for Processing

Under GDPR, every processing activity must have a lawful basis. The following table outlines the legal bases we rely upon:

Lawful Basis	GDPR Article	When Applied
Contract Performance	`Art. 6(1)(b)`	Processing your account information, payment details, and Customer Data to provide the SenAsset service you have subscribed to.
Legitimate Interests	`Art. 6(1)(f)`	Improving our service, preventing fraud, sending relevant product updates, and ensuring the security of our platform.
Legal Obligation	`Art. 6(1)(c)`	Retaining financial records, responding to lawful requests from authorities, and complying with applicable laws.
Consent	`Art. 6(1)(a)`	Marketing communications, non-essential cookies, and optional analytics features where you have provided explicit consent.

Your Data Subject Rights

Under GDPR, you have the following rights with respect to your personal data. You can exercise any of these rights free of charge. We will respond to all requests within 30 days (extendable by a further 2 months for complex requests with notification).

Right of Access (Art. 15)

You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data together with information about how and why we process it.

How to exercise: Submit a Data Subject Access Request (DSAR) via email or through your account settings.

Right to Rectification (Art. 16)

You have the right to request correction of inaccurate personal data or completion of incomplete personal data that we hold about you without undue delay.

How to exercise: Update your information directly in your account settings, or contact our Privacy Team.

Right to Erasure (Art. 17)

Also known as the "right to be forgotten". You have the right to request that we delete your personal data in certain circumstances, such as when it is no longer necessary for the purpose for which it was collected.

How to exercise: Submit an erasure request to privacy@senasset.com. We will respond within 30 days.

Right to Restrict Processing (Art. 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or have objected to its processing.

How to exercise: Contact our Data Protection Officer with a restriction request.

Right to Data Portability (Art. 20)

You have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format (JSON or CSV), and to transmit that data to another controller.

How to exercise: Export your data from account settings, or submit a portability request to our Privacy Team.

Right to Object (Art. 21)

You have the right to object to our processing of your personal data on grounds relating to your particular situation, particularly where we rely on legitimate interests as our legal basis for processing.

How to exercise: Contact privacy@senasset.com to submit an objection.

Rights re: Automated Decision Making (Art. 22)

You have the right not to be subject to decisions made solely based on automated processing, including profiling, which produce legal or similarly significant effects. SenAsset does not currently use such automated decision-making.

How to exercise: Contact our DPO if you believe you have been subject to automated decision-making.

Right to Withdraw Consent (Art. 7)

Where we rely on your consent as the legal basis for processing your personal data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.

How to exercise: Unsubscribe from marketing emails or adjust privacy settings in your account.

EU Data Residency

Enterprise customers with EU data residency requirements can request that their Customer Data be stored and processed exclusively within the European Union (AWS eu-west-1, Dublin). This includes all asset records, user data, audit logs, and file attachments.

EU Region

AWS eu-west-1

Dublin, Ireland

Data at rest

EU-only

No cross-border transfer

Availability

Enterprise

Request via sales

For non-EU customers, data is stored in the United States (AWS us-east-1). International transfers from the EEA to the US are covered by Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR.

Data Processing Agreement (DPA)

A Data Processing Agreement (DPA) is required under Art. 28 GDPR when a data controller (you) engages a data processor (SenAsset) to process personal data on their behalf. Our DPA outlines the nature and purpose of processing, types of data processed, retention periods, and your rights as a data controller.

Request our standard DPA

Available to all paid customers. Enterprise customers with custom requirements can negotiate bespoke terms.

Request DPA

Data Breach Notification

In the event of a personal data breach, SenAsset will notify affected customers without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Art. 33 GDPR. Our notification will include:

A description of the nature of the breach, including categories and approximate number of data subjects affected
The name and contact details of our Data Protection Officer
A description of the likely consequences of the breach
A description of measures taken or proposed to address the breach and mitigate its effects

To report a security incident, please contact security@senasset.com immediately.

Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes GDPR.

Lead Supervisory Authority (Ireland)

Data Protection Commission (DPC)

www.dataprotection.ie

You may also contact the supervisory authority in your country of residence.

Contact Our DPO

Our Data Protection Officer is available to answer your GDPR questions, process data subject requests, or discuss any privacy concerns you may have.

Email our DPO

dpo@senasset.com · Responses within 72 hours