- GDPR Compliance in Middleware
- Our Commitment to GDPR
- Data Protection by Design and Default
- Individual Rights Under GDPR
- Data Processing and International Transfers
- Use of Cookies and Tracking Technologies
- Vendor and Sub-Processor Management
- Legal Agreements and Transparency
- Governance and Accountability
- Contacting Middleware
- Continuous Improvement
GDPR Compliance in Middleware
At Middleware, protecting personal data is more than a legal obligation — it is a fundamental part of the way we operate. We know that our customers, partners, and employees place enormous trust in us to handle information responsibly. To honor that trust, we are committed to meeting and exceeding the requirements of the General Data Protection Regulation (GDPR).
Our GDPR compliance framework combines policy, technology, governance, and culture to ensure that every aspect of data handling is secure, transparent, and accountable. By embedding privacy and security into our platform and business operations, we enable our customers to scale with confidence while respecting the rights of individuals.
Our Commitment to GDPR
Middleware complies with GDPR principles by ensuring that personal data is always:
- Lawfully, fairly, and transparently processed — we are clear about why we collect data and how it will be used.
- Collected for explicit and legitimate purposes — we do not process personal data for purposes beyond what is communicated.
- Adequate, relevant, and limited to what is necessary — we only collect the minimum data required to deliver services effectively.
- Accurate and up to date — we provide mechanisms to correct inaccuracies promptly.
- Stored securely and only as long as necessary — we respect retention periods and erase or anonymize data once it is no longer needed.
- Protected with integrity and confidentiality — through technical and organizational measures designed to prevent unauthorized access, loss, or misuse.
By living these principles every day, we create an environment where privacy and compliance are not checkboxes but core values.
Data Protection by Design and Default
From the moment a service or feature is conceived, privacy and security requirements are integrated into its design. This principle, known as “Data Protection by Design and Default”, ensures that our customers benefit from safeguards automatically, without needing to take extra steps.
Examples of these measures include:
- Encryption of personal data both in transit and at rest, ensuring that sensitive information cannot be accessed without authorization.
- Role-based access controls, so only authorized personnel with a valid business need can access personal data.
- Segmentation and isolation of environments, which helps contain data within secure boundaries.
- Audit trails and monitoring, which provide transparency into who accessed what data, when, and why.
- Minimal data collection — we do not request or store data beyond what is necessary to deliver and support our services.
- Automated data deletion policies that enforce retention limits and reduce unnecessary exposure.
Individual Rights Under GDPR
The GDPR empowers individuals with important rights over their personal data, and Middleware fully supports and enables these rights:
- Right of Access — You may request a copy of the personal data we hold about you, along with details on how it is being processed.
- Right to Rectification — If data is inaccurate or incomplete, you can request corrections.
- Right to Erasure (“Right to be Forgotten”) — You can request the deletion of personal data when it is no longer needed or where processing is unlawful.
- Right to Restrict Processing — You can ask us to pause processing of your data under certain conditions.
- Right to Data Portability — You can obtain and reuse your personal data across different services by requesting it in a structured, machine-readable format.
- Right to Object — You can object to certain processing activities, including direct marketing.
- Rights relating to Automated Decision-Making — Where applicable, you have rights regarding profiling or automated decision-making.
Middleware provides clear channels for submitting these requests and responds within GDPR-mandated timelines, ensuring transparency and accountability.
Data Processing and International Transfers
Middleware processes personal data only for well-defined business purposes, including service delivery, customer support, account management, and product improvement. We never sell customer data.
When data must be transferred outside the European Economic Area (EEA), Middleware ensures continued protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Vendor risk assessments to confirm that third parties uphold GDPR standards
- Technical safeguards such as encryption, pseudonymization, and access controls
- Continuous monitoring of legal and regulatory updates affecting international data transfers
This ensures that customer data remains safe, regardless of geography.
Use of Cookies and Tracking Technologies
To enhance user experience and improve performance, Middleware uses cookies and similar technologies as described in our Cookie Policy. These may be used for analytics, personalization, or functionality.
In line with GDPR, we:
- Provide clear notice of cookie usage
- Allow users to manage or disable non-essential cookies at any time
- Limit tracking to legitimate purposes and ensure user preferences are respected
By giving users control over cookies, we balance functionality with privacy.
Vendor and Sub-Processor Management
We rely on carefully selected vendors and sub-processors to deliver services. However, GDPR obligations remain our responsibility. To uphold these obligations, Middleware ensures:
- Due diligence and security reviews before engaging any third party
- Binding contractual agreements that include GDPR-specific clauses
- Continuous oversight of vendor practices, including audits and reassessments
- Transparency — customers can request details of our current sub-processors at any time
This approach extends our security and privacy commitments across the entire supply chain.
Legal Agreements and Transparency
We believe trust comes from clarity and accountability. That is why our data practices are openly defined in key documents:
- Master Subscription Agreement — sets out responsibilities, rights, and obligations regarding data processing.
- Privacy Policy — explains in plain language how we collect, use, and protect personal data.
- Cookie Policy — provides transparency on cookies, trackers, and consent mechanisms.
By aligning these agreements with GDPR, we ensure that our legal commitments reflect our operational practices.
Governance and Accountability
Compliance is not a one-time exercise but an ongoing commitment. Middleware has established governance structures that include:
- Appointing dedicated privacy and security personnel to oversee GDPR compliance
- Training employees regularly on data protection principles and responsibilities
- Conducting risk assessments and Data Protection Impact Assessments (DPIAs) where required
- Maintaining records of processing activities as mandated by GDPR
- Regularly updating policies and controls in response to regulatory or technological changes
Contacting Middleware
We encourage transparency and open communication regarding our data practices. If you have questions, concerns, or wish to exercise your rights under GDPR, you can contact our Data Protection Officer:
All requests will be handled with care, urgency, and respect for your rights under GDPR.
Continuous Improvement
GDPR compliance is not static. Middleware is committed to continuous improvement, regularly reviewing and enhancing our privacy and security measures to meet evolving legal requirements, customer expectations, and industry best practices.
By doing so, we not only comply with GDPR but also reinforce the trust our customers place in us.
FAQs
Any information relating to an identified or identifiable natural person (the data subject), such as name, address, email address, phone number, educational background, financial details, nationality, etc.
- Data Controller: determines the purposes and means of processing personal data.
- Data Processor: processes personal data on behalf of the Controller.
- Data Subject: a natural person in the EEA or UK.
Typically, Middleware operates as a data processor for customer controllers.
The DPO is responsible for informing employees of their compliance obligations and conducting awareness training, monitoring, and audits required under GDPR. Middleware has a dedicated DPO. For any queries related to GDPR compliance, contact our DPO at [email protected].
Yes, we have data breach procedures that enable us to respond quickly to and mitigate breaches and notify affected parties as necessary and within statutory timeframes.
We store personal data for as long as necessary to conduct business with or on behalf of data subjects, as needed for the purposes outlined in our Privacy Policy, or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
Please see the “Individual Rights Under GDPR” section above.
The personal data we process is stored in data centers hosted by Amazon Web Services located in the US, Europe, Canada, and India.
Data transfers from the EEA and UK can be legitimized in various ways, including by execution of the Standard Contractual Clauses. We have adopted the Standard Contractual Clauses in our Data Protection Addendum (DPA).