Data Protection

Last updated: January 2026

This page provides information about oklido's data protection practices and our Data Processing Agreement (DPA).

Data Protection Framework

oklido operates under the following data protection regulations:

Regulation | Status
UK GDPR | Compliant
UK Data Protection Act 2018 | Compliant
EU GDPR | Compliant (for EU customers)

Roles and Responsibilities

When oklido is the Controller

oklido is the data controller for:

  • Account registration information
  • Billing and payment information
  • Usage analytics and logs
  • Support communications

When oklido is the Processor

oklido is the data processor for:

  • Documents you upload
  • Document content and metadata
  • Data processed through email integrations
  • Information about your end users (beneficiaries, guests)

You remain the data controller for this information.

Data Processing Agreement (DPA)

Standard DPA

Our standard DPA covers:

  • GDPR Article 28 requirements
  • Processing scope and purpose
  • Security obligations
  • Sub-processor management
  • Data subject rights assistance
  • Data breach notification
  • Audit rights

Requesting a DPA

To request our standard DPA:

  1. Email: compliance@oklido.com
  2. Include your company name and oklido account email
  3. We'll send our standard DPA within 2 business days

Custom DPA Terms

Enterprise customers may negotiate custom terms. Contact sales@oklido.com.

UK International Data Transfer

Data Location

All primary oklido data is stored in the United Kingdom (AWS London, eu-west-2).

International Transfers

When data is transferred outside the UK:

  • We rely on UK adequacy decisions where available
  • We use UK International Data Transfer Agreements (IDTAs)
  • We implement Standard Contractual Clauses (SCCs)

Subprocessors

Some subprocessors may process data outside the UK. All have appropriate transfer mechanisms in place.

View subprocessor list →

Security Measures

oklido implements appropriate technical and organisational measures:

Technical Measures

  • Encryption at rest (AES-256)
  • Encryption in transit (TLS 1.3)
  • Access controls and authentication
  • Regular security testing
  • Vulnerability management

Organisational Measures

  • Staff security training
  • Access on a need-to-know basis
  • Incident response procedures
  • Regular security reviews

Full security documentation →

Data Subject Rights

We assist you in responding to data subject requests:

Right | How We Help
Access | Data export functionality
Rectification | Edit capability in platform
Erasure | Deletion functionality
Portability | Export in standard formats
Objection | Contact support
Restriction | Contact support

Processing Requests

To assist with data subject requests:

  1. Verify the request relates to your data
  2. Use self-service tools where possible
  3. Contact privacy@oklido.com for assistance
  4. We respond within 5 business days

Data Breach Notification

Our Commitment

If we become aware of a personal data breach affecting your data:

  1. We notify you without undue delay
  2. Target notification within 72 hours
  3. Include all information required by GDPR Article 33

What We Provide

  • Description of the breach
  • Categories and approximate number of records affected
  • Contact point for more information
  • Likely consequences
  • Measures taken or proposed

Audit Rights

Standard Audit Rights

Our DPA includes audit rights:

  • Annual audit report availability
  • Right to request additional information
  • Third-party audit reports on request

On-Site Audits

Enterprise customers may request on-site audits:

  • Reasonable advance notice required
  • Subject to confidentiality obligations
  • Costs borne by requesting party
  • Coordinated to minimise disruption

Contact compliance@oklido.com for audit requests.

Records of Processing

We maintain records of processing activities as required by GDPR Article 30, including:

  • Categories of processing
  • Purposes of processing
  • Categories of recipients
  • International transfers
  • Retention periods
  • Security measures

Data Protection Impact Assessments

We conduct DPIAs for high-risk processing activities and can assist customers with their own DPIAs upon request.

Contact

Data Protection Enquiries

DPA Requests

Supervisory Authority

Information Commissioner's Office (ICO)

