GDPR Compliance
TIDALBAY is fully compliant with the General Data Protection Regulation (GDPR). This document outlines how TIDALBAY supports your organization's GDPR obligations when processing employee security data.
TIDALBAY's Role
| Role | Entity | Responsibility |
|---|---|---|
| Data Controller | Your organization | Determines purposes and means of processing employee data |
| Data Processor | TIDALBAY | Processes employee data on behalf of your organization |
Data Processing Agreement
TIDALBAY provides a Data Processing Agreement (DPA) that covers:
- Nature and purpose of processing
- Types of personal data processed
- Categories of data subjects
- Sub-processor list and notification obligations
- Data transfer mechanisms (for non-EU processing)
- Technical and organizational security measures
- Data breach notification commitments
DPA Availability
A signed DPA is included with all TIDALBAY subscriptions for EU customers. Contact your account manager to request a copy.
Lawful Basis
Employee security scoring typically relies on the following lawful bases under GDPR:
- Legitimate interest (Art. 6(1)(f)): Protecting the organization and its employees from security threats
- Legal obligation (Art. 6(1)(c)): Meeting regulatory requirements for security awareness (NIS2, DORA, etc.)
- Contract (Art. 6(1)(b)): Processing necessary for the employment relationship
Legal Advice
Determining the appropriate lawful basis is the responsibility of the data controller (your organization). We recommend consulting with your legal team or Data Protection Officer (DPO).
Data Subject Rights
TIDALBAY provides features to support GDPR data subject rights:
| Right | TIDALBAY Support |
|---|---|
| Right to access (Art. 15) | Employee Portal shows all personal data; admin can export |
| Right to rectification (Art. 16) | Admin can correct employee records; employees can dispute events |
| Right to erasure (Art. 17) | Admin can delete employee records and all associated data |
| Right to restriction (Art. 18) | Admin can freeze scoring for individual employees |
| Right to portability (Art. 20) | Employee data export in JSON and CSV formats |
| Right to object (Art. 21) | Admin can exclude employees from scoring |
| Automated decision-making (Art. 22) | Score transparency; human approval for restrictive actions |
Data Transfers
For EU customers, TIDALBAY ensures data stays within the EU:
- EU data residency: Data stored and processed in AWS eu-west-1 (Ireland)
- Standard Contractual Clauses: Applied to any transfers outside the EEA
- Sub-processor compliance: All sub-processors maintain adequate safeguards
Breach Notification
In the event of a personal data breach:
- TIDALBAY notifies affected customers within 72 hours
- Notification includes the nature of the breach, the affected data, and remediation steps
- TIDALBAY supports your notification obligations to supervisory authorities
Data Protection Impact Assessment
Employee security scoring may require a DPIA under Art. 35. TIDALBAY provides a DPIA template that covers the TIDALBAY-specific processing activities. Contact your account manager to request it.