EU Data Compliance

Enterprise-grade data protection, GDPR compliance, and data sovereignty for European customers. Built with privacy at its core.

GDPR Compliant
EU-U.S. Data Privacy Framework
SOC 2 Type II

Last updated: February 21, 2025

1. Our Commitment to EU Data Protection

SuperSystems LLC operates SuperCheckouts with a steadfast commitment to European data protection standards. With our subsidiary office in Utrecht, Netherlands, we maintain comprehensive data sovereignty and compliance frameworks to serve European customers with the highest standards of data protection.

2. EU-U.S. Data Privacy Framework Certification

SuperCheckouts is certified under the EU-U.S. Data Privacy Framework, ensuring that all data transfers between the European Union and the United States meet stringent privacy requirements.

  • Data Residency Controls: European customer data is stored within EU-based data centers with strict controls on cross-border transfers
  • Netherlands Compliance: Our Utrecht office ensures local oversight and compliance with Dutch data protection authorities
  • Transfer Mechanisms: We employ Standard Contractual Clauses (SCCs) and other approved mechanisms for any necessary data transfers
  • Third-Party Audits: Regular independent audits verify our compliance with Framework requirements

3. GDPR Implementation

We have implemented comprehensive workflows and technical measures to ensure full compliance with the General Data Protection Regulation (GDPR):

Data Subject Rights

  • Right to Access: Automated systems enable customers to request and receive copies of their personal data within required timeframes
  • Right to Erasure: Complete data deletion workflows that propagate through all systems and backups
  • Right to Portability: Export functionality providing data in structured, machine-readable formats
  • Right to Rectification: Self-service and assisted data correction capabilities
  • Right to Restriction: Ability to limit processing of personal data while maintaining account functionality
  • Right to Object: Clear mechanisms to object to specific data processing activities

Consent Management

  • Granular consent controls for different data processing purposes
  • Clear, plain-language explanations of data usage
  • Easy withdrawal of consent at any time
  • Comprehensive audit logs of all consent actions
  • Age verification and parental consent mechanisms where applicable

Automated Retention Policies

  • Data minimization principles applied to all collection activities
  • Automated deletion of data after defined retention periods
  • Purpose-specific retention schedules aligned with legal requirements
  • Regular data audits to identify and remove unnecessary information

4. Data Processing and Security

Our data processing activities are designed with privacy and security at their core:

  • Encryption: End-to-end encryption for data in transit and at rest using industry-standard protocols
  • Pseudonymization: Where appropriate, personal data is pseudonymized to reduce privacy risks
  • Access Controls: Role-based access control (RBAC) limiting data access to authorized personnel only
  • Data Protection Impact Assessments: Regular DPIAs for high-risk processing activities
  • Privacy by Design: Privacy considerations integrated into all system development
  • Breach Notification: Procedures to notify authorities and affected individuals within 72 hours of breach discovery

5. Sub-Processor Management

We maintain rigorous oversight of all sub-processors who may access European customer data:

  • Due Diligence: Comprehensive vetting of all sub-processors before engagement
  • Contractual Safeguards: Data Processing Agreements (DPAs) with all sub-processors ensuring GDPR compliance
  • Regular Audits: Ongoing compliance audits of sub-processor security and privacy practices
  • Transparency: Public list of sub-processors available to customers
  • Notification: Advance notice to customers of any new sub-processors with objection rights

6. Security Certifications

SuperCheckouts maintains enterprise-grade security certifications:

  • SOC 2 Type II: Independent audit of security, availability, processing integrity, confidentiality, and privacy controls
  • PCI-DSS: Payment Card Industry Data Security Standard certification for secure payment processing
  • ISO 27001: Information security management system certification (in progress)
  • Penetration Testing: Regular third-party security assessments and vulnerability scanning

7. Legal Coordination and Regulatory Compliance

We work closely with legal counsel to ensure ongoing compliance with evolving regulations:

  • Dutch Authority Coordination: Regular engagement with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
  • EU Regulatory Monitoring: Continuous monitoring of EU and member state data protection developments
  • Legal Counsel: Expert data protection legal advisors in both EU and US jurisdictions
  • Data Protection Officer: Dedicated DPO available for customer and regulatory inquiries
  • Training Programs: Ongoing staff training on GDPR requirements and data protection best practices

8. Cross-Border Data Transfers

When data transfers outside the EU are necessary, we employ approved mechanisms:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules (BCRs) for intra-group transfers
  • Adequacy decisions for transfers to countries with adequate protection
  • Transfer Impact Assessments (TIAs) evaluating risks of each transfer
  • Supplementary measures to ensure data protection equivalent to EU standards

9. Customer Controls and Transparency

We provide customers with comprehensive controls over their data:

  • Data Residency Selection: Choose where your data is stored (EU or US regions)
  • Processing Logs: Access to logs showing how your data is processed
  • Real-Time Dashboard: Visibility into data storage locations and processing activities
  • Export Capabilities: Download all your data at any time
  • Deletion Verification: Confirmation of data deletion with audit trails

10. Data Protection Officer Contact

For any questions regarding our EU data compliance, GDPR rights, or data protection practices, please contact our Data Protection Officer:

Email: dpo@supercheckouts.com

SuperSystems LLC
Data Protection Officer

EU Office:
Newtonlaan 115
3584 BH Utrecht
The Netherlands

US Headquarters:
30 N Gould St, Ste 100
Sheridan, Wyoming 82801
United States of America
EIN: 37-2156703

11. Updates to This Policy

We regularly review and update our EU data compliance practices to reflect changes in regulations, technology, and best practices. Material changes will be communicated to affected customers with appropriate notice periods. The "Last updated" date at the top of this page indicates the most recent revision.