Built for GDPR.
Cerberops is hosted in the EU and operates as a data processor for monitor and account data you entrust to us. Here is exactly how we comply with GDPR.
1. Roles & responsibilities
Under GDPR there are two roles when you use Cerberops:
- You (your organization) are the data controller — you decide what to monitor and what notification endpoints to wire up.
- Cerberops is the data processor — we process the data on your instructions to deliver the service.
For your account data (name, email, billing info), Cerberops acts as a joint controller alongside our payment processor.
2. Legal basis for processing
- Contract (Art. 6(1)(b)) — processing necessary to deliver Cerberops to you
- Legal obligation (Art. 6(1)(c)) — for tax/invoicing records (7-year retention)
- Legitimate interest (Art. 6(1)(f)) — for security logs, fraud prevention, sub-processor monitoring; balanced against your interests
3. Data residency
All customer data is stored in the European Union (AWS eu-central-1, Frankfurt) and never leaves the EU in primary form. Encrypted backups are stored in the same region. We do not transfer data to the United States or other third countries except where explicit sub-processor relationships exist (Stripe and email providers, both under EU-US Data Privacy Framework with SCCs in place).
4. Data Processing Agreement
If you process personal data through Cerberops (for example, monitoring an endpoint that returns user data in a body excerpt) you need a signed DPA with us. The DPA is included by reference in our Terms — Enterprise customers can also request a counter-signed copy from duty@cerberops.io.
Our standard DPA includes:
- Article 28 processor obligations
- Standard Contractual Clauses (Module 2 / 3) for sub-processor transfers
- Technical & organizational security measures (TOMs)
- Sub-processor notification with right to object
- Audit rights (annual, with 30-day notice)
5. Sub-processors
Current sub-processors (all DPA-bound):
You can subscribe to sub-processor change notifications at duty@cerberops.io — we give 30 days' notice before adding or replacing any sub-processor and offer a reasonable right to object.
6. Data subject requests (DSR)
To exercise GDPR rights (access, rectification, erasure, portability, restriction, objection):
- If you're a Cerberops customer: email duty@cerberops.io with subject "DSR – [your account email]"
- If you're an end-user of a Cerberops customer: contact the customer directly; we'll assist them on the technical side
- For everyone: email duty@cerberops.io
Response time: 30 days maximum (Art. 12(3)). We typically respond within 7 working days.
7. Breach notification
If Cerberops experiences a personal data breach, we will:
- Notify affected customers without undue delay, and in any case within 72 hours of becoming aware
- Provide the nature of the breach, categories of data affected, likely consequences, and mitigation steps
- Cooperate with you on supervisory authority notifications where you are the controller
8. DPO & EU representative
Data Protection Officer: duty@cerberops.io
EU representative (Art. 27): Cerberops Sentinel Services, EU
You can also lodge a complaint with your national data protection authority. A list of EU authorities is available at edpb.europa.eu.