GDPR & UK GDPR Summary
Last updated: Feb 6 2026. This summary explains how Obscura supports GDPR and UK GDPR requirements for business customers. It is informational only and not legal advice.
1. Roles
For customer content, Obscura Document Redaction acts as a data processor and the customer acts as the data controller. The Data Processing Addendum (DPA) governs this relationship.
2. Data we process
- Documents, images, and text submitted for redaction.
- Metadata such as document names, timestamps, and workspace identifiers.
- Account data (user email, billing identifiers, and workspace settings).
- Audit logs and security events (server-side only).
3. International transfers
Data is stored and processed in the United States (Manassas, Virginia). If you access the service from the EU/UK, your data will be transferred to the United States.
Standard Contractual Clauses (SCCs) are available upon request.
4. Data subject rights
Customers are responsible for responding to data subject requests. Obscura will provide reasonable assistance to help fulfill access, deletion, or export requests where feasible.
5. Security measures
- Encryption in transit (TLS) and at rest for uploaded documents.
- Least-privilege access controls for production systems.
- Monitoring and logging for availability and security events.
6. Sub-processors
- Netcup GmbH (hosting only; Manassas, VA data center).
- Amazon AWS SES (email delivery).
- Backblaze E2 (backup storage; US East).
- Stripe (payments; name and address for verification).
A current sub-processor list is available upon request.
7. Contact
GDPR/UK GDPR questions: support@useobscura.com.