GDPR, UK GDPR, and Swiss FADP

Last updated: 2026-04-11 • ← All frameworks

Overview

The EU General Data Protection Regulation (Regulation 2016/679), the UK GDPR as retained in UK law, and the Swiss Federal Act on Data Protection (FADP) establish the legal framework for the processing of personal data relating to individuals in the EU, UK, and Switzerland. Gable Digital Solutions, Inc. acts as a data processor on behalf of its customers (who are the data controllers for personal data they upload or generate on the platform), and as a data controller for its own business records such as customer account information, billing, and platform audit logs.

Current status

GDPR compliant — DPA and SCCs available

Gable Digital Solutions, Inc., the Delaware corporation that operates the Backbuild platform, is GDPR compliant. A Data Processing Agreement (DPA) incorporating the European Commission's Standard Contractual Clauses (SCCs) — including the UK International Data Transfer Addendum where applicable — is available to all EU, UK, and Swiss customers, and can be executed prior to or alongside the main service agreement.

Lawful bases for processing

• Contract performance (Art. 6(1)(b)): processing necessary to deliver the service the customer has subscribed to.
• Legitimate interest (Art. 6(1)(f)): processing necessary for service operation, security monitoring, fraud prevention, and platform integrity, balanced against the rights and freedoms of data subjects.
• Consent (Art. 6(1)(a)): where processing falls outside contractual necessity, including certain optional analytics and marketing activities, opt-in consent is collected and can be withdrawn at any time.
• Legal obligation (Art. 6(1)(c)): where required to comply with applicable law, including retention obligations and responses to valid legal process.

Data subject rights

Backbuild supports the full set of data subject rights defined in Articles 15–22 of the GDPR:

• Access (Art. 15): confirmation of processing and a copy of personal data held.
• Rectification (Art. 16): correction of inaccurate or incomplete personal data.
• Erasure (Art. 17): deletion of personal data where one of the grounds applies, including withdrawal of consent and completion of the purpose.
• Restriction (Art. 18): temporary limitation on processing under defined circumstances.
• Portability (Art. 20): export of personal data in a structured, commonly used, machine-readable format.
• Objection (Art. 21): objection to processing based on legitimate interest.

Data subjects whose personal data is processed by a customer should contact that customer directly. Data subjects who interact with Backbuild directly (for example, visitors to our own websites) can exercise their rights by emailing privacy@backbuild.ai. We respond to verified requests within 30 days, with an extension of up to two further months for complex requests as permitted by Art. 12(3).

International transfers

Backbuild data is processed across Cloudflare's global network to deliver low-latency and resilient service. Transfers of personal data from the EEA, UK, and Switzerland to third countries are covered by the European Commission's Standard Contractual Clauses (2021/914), the UK IDTA, and the Swiss addendum as applicable. Data localization options restricting processing to EU-only regions are available on request for customers with specific regulatory or contractual requirements.

Sub-processors, DPIAs, and breach notification

• Sub-processors: the current list of authorized sub-processors is published at /privacy/sub-processors. Customers are notified of material changes in accordance with the DPA.
• Data Protection Impact Assessments: DPIAs have been completed for processing activities identified as high risk. Summaries are available to customers under NDA as part of their own DPIA work.
• Breach notification: Backbuild will notify affected controllers without undue delay, and in any event in time to enable controllers to meet their Art. 33 obligation to notify supervisory authorities within 72 hours.