GDPR statement
Updated: 12 June 2026
Holistics is built to help you meet your obligations under the EU and UK General Data Protection Regulation (GDPR). This page explains the role we play when we process data on your behalf, where that data is hosted, and the contractual and technical safeguards we provide. If you need anything further for a security or vendor review, contact us.
Our role under the GDPR
The GDPR splits responsibility between the controller (who decides why and how personal data is processed) and the processor (who processes it on the controller's instructions). Holistics plays both roles, depending on the data:
- For the data you connect to Holistics (your Customer Database), you are the controller — or a processor acting for your own customers — and Holistics acts as your processor. We handle that data only on your documented instructions, as set out in our Data Processing Agreement.
- For the account and usage data we collect to run the service (such as the details of the users you invite), Holistics is the controller. How we collect, use, and share that data, and how individuals can exercise their data-subject rights, is described in our Privacy Policy.
GDPR compliance is therefore shared: you remain responsible for the lawful basis and content of the data you connect, and we are responsible for processing it securely and only as instructed.
Where your data is hosted
You choose the region your workspace runs in when you sign up, and that determines where Holistics stores your metadata and temporary cached query results:
- EU — Frankfurt, Germany
- Asia-Pacific — Singapore
- United States — San Francisco
Customers with EU data-residency requirements can keep their workspace in the Frankfurt (EU) region. See Data Centers for the full details, including hosting providers and regional endpoints.
Data processing agreement
You can read the Data Processing Agreement (DPA) in full. The DPA sets out our obligations as a processor of the data you connect to Holistics, and it incorporates the annexes below as part of the agreement.
International data transfers
When we transfer European personal data to a country that doesn't have an adequacy decision, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission and the UK. These are attached to the DPA as annexes, and the one that applies depends on your role:
- Annex 4A: EU SCC Module 2 (Controller to Processor), when you are the controller of the data.
- Annex 4B: EU SCC Module 3 (Processor to Processor), when you are a processor acting on behalf of your own customers.
- Annex 5: UK SCC (Controller to Processor), for transfers subject to the UK GDPR.
Security measures
The technical and organisational measures we maintain to protect your data (as required by Article 32 of the GDPR) are set out in Annex 2: Security Measures. For the scope of what we process and why, see Annex 1: Subject Matter and Details of Data Processing.