GDPR-aligned data handling workflow

Initial review

The first review starts from project context or a small anonymized sample uploaded through the public form. The sample should show structure, columns, errors and import blockers, not real customer records. When complete production files are needed, we arrange a private upload flow after the processing terms have been agreed.

Before full files are exchanged

When a project requires us to process personal data on behalf of a customer, full files are uploaded only after the following are agreed:

• project scope and documented processing instructions;
• confidentiality terms;
• secure transfer method and private project workspace;
• Data Processing Agreement under GDPR Article 28;
• retention period and deletion or return procedure;
• approved subprocessors, if any.

Controller and processor roles

For most cleanup, migration and import-preparation projects, the customer determines the purposes and means of processing and acts as controller. ImportReady Data acts as processor and processes the data only on documented customer instructions.

Security commitments

Project data is handled in a private project workspace with limited access, confidentiality, defined retention, secure deletion and no secondary use. Customer data is not used for training, resale or unrelated projects. For larger or higher-risk projects, the workspace can be isolated per customer and retired after delivery.

Special category data

Projects involving health data, biometric data, genetic data, political opinions, religious beliefs, trade union membership or similar special categories require additional review before any file is accepted.

Important note

This page describes the intended operating workflow. The customer-specific Data Processing Agreement and any security annex control the actual project terms.