Legal/Compliance asks: What GDPR basis and documents do you have for Empatyzer (DPA, DPIA, retention, data subject rights)?

TL;DR: We provide a DPA, carry out DPIAs where required, host data in the EU, use encryption and tenant separation, maintain a retention policy, support data subject rights, and contractually restrict use of the tool for employee evaluations.

  • DPA: data processing agreement and processing terms for customers.
  • DPIA: privacy impact assessments where profiling or sensitive data may pose risks.
  • Legal basis: depends on scenario (legitimate interest, performance of contract, sometimes consent).
  • Retention: minimization schedule, anonymization, account deletion on request.
  • Data subject rights: access, rectification, erasure, restriction, portability, objection, and prohibition of solely automated decisions.

Empatyzer provides a GDPR document pack including a DPA that clarifies roles and obligations and a description of technical and organizational security measures. Where profiling or processing of potentially sensitive data could significantly affect individuals' rights, we perform or support a DPIA and provide a summary of findings and mitigation steps. As a processor we host data on EU servers, encrypt data at rest and in transit, keep each customer's storage separate, maintain audit logs and control administrator access.

For the legal basis we recommend evaluating each use case: bulk analytics and aggregated processing commonly rely on legitimate interests, while per-person results and features tied to personal assessment usually require a contractual basis or careful consideration of consent, given the power imbalance in employer-employee contexts.

Retention follows data minimization: raw personal data is kept only for a limited period under a schedule and then anonymized for aggregated reporting; account deletion removes data from operational stores and withdraws it from aggregate statistics according to the procedure. We do not expose raw individual results to employers, apply aggregation and minimum-count thresholds in reports to reduce re-identification risk, and include contractual prohibitions on using the tool for formal employee evaluations and on other harmful uses; clients must still implement their own internal use policies and escalation paths.

Data subject rights are handled by a documented procedure covering how requests are submitted, response timelines, identity verification, and the steps for rectification, restriction, erasure and portability. In a security incident we notify the client promptly, no later than five business days, and supply logs and remediation actions; the client, as controller, decides on notifications to the supervisory authority. Customer data is not used to train public models; provider access is limited, audited and logged.

Available documents: DPA, DPIA template or summary, retention policy, data subject rights procedure, and a description of security and incident response measures; legal bases and implementation details are agreed with the client.

Author: Empatyzer