GDPR Statement

Personal data protection at STAPE EUROPE OÜCopy link to this section

A statement for clients

This document outlines current information security and personal data protection practices at Stape Europe OÜ. The privacy and security of our clients’ data are among our priorities. 

We are implementing a comprehensive data governance system which aims at:

  • adhering to information security practices and controls appropriate to risks envisaged as a result of the processing to reduce the risk of a data breach;
  • achieving compliance with applicable data protection laws, namely the General Data Protection Regulation and the UK Data Protection Act 2018 (GDPR);
  • supporting our clients with the compliance obligations as data controllers;
  • ongoing monitoring and review of our practices and documentation.

Information securityCopy link to this section

We aim to adhere to industry best practices in the field of information security. Below is the outline of the controls in place at Stape Europe OÜ that address core requirements (GDPR Art. 5.1, Art. 28.3, Art. 32.1) with a direct impact on the security of processing:

Art. 32.1.a) Encryption 

All the communication is transferred through an encrypted channel using TLS encryption. A primary use case of TLS is encrypting the communication between web pages and servers.

Art. 32.1.b) Confidentiality, integrity and availability

Confidentiality is achieved through an access control restriction. Access to user data is provided on a “need-to-have” basis, available only to team members for whom access is required to perform their duties. Actions, such as access, rectification, or deletion, are logged in the system to provide traceability and accountability, and all team members are required to sign a Non-Disclosure Agreement (NDA).

Integrity is maintained by the use of Network firewall. Regular back-up schemes are implemented to ensure data availability.

Art. 32.1.d) Regular assessment 

Stape Europe OÜ implemented a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures implemented.

Art. 5.1.c) and Art. 28.3.g) Data minimisation and destruction

The permanent deletion of data upon the end of data retention periods and termination of the relationships with clients.

We also take into account the local data protection frameworks applicable to the activities of our clients, such as LGPD or CCPA, and are ready to assist them in their compliance.

Data Processing AgreementCopy link to this section

As we consider ourselves to be a data processor, we always sign a Data Protection Agreement (DPA) with our clients to make sure we process the personal data following the client’s instructions and due data protection safeguards. The DPA applies automatically when the client accepts our Terms and Conditions. A sample of the DPA can be found by the link

Limited data retention periodsCopy link to this section

Clients’ data stored on our servers have limited retention periods. 

Upon termination of the relationships, we ensure that the personal data is destroyed from our systems, as well as from the systems of our subcontractors and vendors.

Vendor ManagementCopy link to this section

We pick only those third-party providers that provide sufficient guarantees of information protection. Our due diligence assesses the following items:

  • overall reputation;
  • security practices;
  • compliance with privacy laws;
  • location of data storage;
  • commitments to privacy and security certifications or standards;
  • readiness for data protection and security audits.

Ongoing improvement of our GDPR complianceCopy link to this section

We are continuously working on improving our data protection efforts.

Assisting our clients in ensuring data protection complianceCopy link to this section

To help our clients comply with data protection requirements, we are ready to assist our clients with the following technical and organisational measures:

  1. Assistance with managing personal data and handling requests from the data subjects or supervisory authorities. Where requested by the clients, we are ready to provide a copy of, rectify, or delete personal data processed on their behalf.
  2. Creation of records of processing activities performed on behalf of our clients.
  3. Assistance with Privacy Impact Assessments. As the use of innovative technologies for personal data processing may require taking a prior risk assessment, we will be glad to assist our clients with conducting Privacy Impact Assessments (PIA) or Data Protection Impact Assessments (DPIA). The conditions of assistance are to be discussed additionally and outlined in the DPA.
  4. Availability for data protection audits. Where necessary, the clients may examine our data protection practices to receive proof of our data protection measures.

Ongoing monitoring and reviewCopy link to this section

We aim that our privacy and security practices be consistent and systematic. As our organization and external environment continues to evolve, we regularly monitor and review our practices to ensure that the data is protected at all times.

Contact usCopy link to this section

If you would like to receive more information on our personal data protection practices, please contact us at

Host your GTM server at Stape