GDPR Compliance

1. Our Role in Data Processing

1.1 As a Data Controller

Sambandh acts as a data controller for the personal data of our customers (account holders). This includes account information such as your name, email address, billing information, and usage data. We determine the purposes and means of processing this data to provide and improve our Service.

1.2 As a Data Processor

Sambandh acts as a data processor for the CRM data our customers store in the Service. This includes contacts, deals, notes, emails, and any other data you import or create within Sambandh. You, as the customer, are the data controller for this data and determine how it is used.

2. Legal Bases for Processing

We process personal data under the following legal bases as defined by GDPR Article 6:

• Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service as agreed in our Terms of Service.
• Legitimate Interest (Art. 6(1)(f)): Processing for fraud prevention, security, and service improvement, balanced against your rights and freedoms.
• Consent (Art. 6(1)(a)): Where you have given explicit consent for specific processing activities, such as connecting third-party integrations.
• Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws and regulations.

3. Your Rights as a Data Subject

Under GDPR, you have the following rights regarding your personal data. You can exercise any of these rights by contacting us at support@sambandh.io.

• Right of Access (Art. 15): You have the right to request a copy of all personal data we process about you. We will provide this information within 30 days of your request in a structured, machine-readable format.
• Right to Rectification (Art. 16): You have the right to request that we correct any inaccurate or incomplete personal data. You can also update most information directly through your account settings.
• Right to Erasure (Art. 17): You have the right to request deletion of your personal data. Upon receiving a valid erasure request, we will delete your data within 30 days, unless we are legally required to retain it.
• Right to Restrict Processing (Art. 18): You have the right to request that we limit the processing of your personal data in certain circumstances.
• Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (CSV, JSON) and to transmit it to another controller.
• Right to Object (Art. 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
• Right Not to Be Subject to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects. Sambandh does not engage in automated decision-making.

4. Data Export and Deletion

4.1 Data Export

You can export your data at any time through the Sambandh application. We support export in the following formats:

• Contacts: CSV, JSON
• Deals and pipeline data: CSV, JSON
• Activity history: CSV, JSON
• Email correspondence: EML format
• Complete account data: JSON archive

4.2 Data Deletion

You can request complete deletion of your account and all associated data by contacting support@sambandh.io or through your account settings. Upon receiving a deletion request:

• We will confirm receipt within 48 hours.
• All personal data will be deleted within 30 days.
• Backups containing your data will be purged within 90 days.
• We will provide written confirmation once deletion is complete.

5. Data Processing Agreement (DPA)

Sambandh offers a Data Processing Agreement (DPA) to all customers. The DPA defines the obligations and responsibilities of both parties regarding the processing of personal data under GDPR. Our DPA includes:

• Description of processing activities and purposes
• Technical and organizational security measures
• Sub-processor obligations and management
• Data breach notification procedures
• Audit rights and compliance verification
• Data transfer mechanisms for international transfers

To request a signed DPA, email support@sambandh.io.

We conduct Data Protection Impact Assessments (DPIAs) for any new processing activity that may pose a high risk to data subjects, in accordance with Article 35 of the GDPR.

6. Sub-Processors

Sambandh uses the following sub-processors to provide the Service. All sub-processors are bound by data processing agreements that meet GDPR requirements:

We will notify customers via email at least 30 days before adding a new sub-processor. If you object to a new sub-processor, you may terminate your subscription.

7. International Data Transfers

When personal data is transferred outside the European Economic Area (EEA), we ensure adequate protection through one or more of the following mechanisms:

• EU Standard Contractual Clauses (SCCs) with all relevant sub-processors
• Adequacy decisions by the European Commission
• Binding Corporate Rules where applicable

8. Data Breach Notification

In the event of a personal data breach, Sambandh will:

• Notify affected customers within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
• Provide details of the nature of the breach, categories of data affected, approximate number of individuals affected, and measures taken to address the breach.
• Cooperate with supervisory authorities and affected individuals as required.
• Document all breaches, including those not requiring notification, in our internal breach register.

9. Data Protection Officer

For any questions or concerns regarding our GDPR compliance, data processing practices, or to exercise your data rights, please contact our Data Protection team:

• Email: support@sambandh.io
• Subject line: GDPR Inquiry

You also have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.