GDPR Compliance

Last updated: 1 April 2026

  ✓ GDPR Article 28 DPA available
  ✓ EU-hosted (Azure West Europe)
  ✓ ISO 27001 framework
  ✓ Audit trail on all actions

Our role under GDPR

Récolta acts as a data processor on behalf of our clients (data controllers) for debtor data uploaded to the platform. For our own client account data, Récolta is the data controller.

Data Processing Agreement (DPA)

A GDPR-compliant DPA is included in all Enterprise plans and available on request for Professional plans. The DPA covers: scope of processing, sub-processor list, security measures, and breach notification procedures (within 72 hours per Article 33).

Data residency

All data is stored exclusively within the European Economic Area (EEA) on Microsoft Azure infrastructure in the West Europe region (Amsterdam). No data is transferred outside the EEA without an appropriate legal mechanism.

Security measures (Article 32)

  • AES-256 encryption at rest; TLS 1.3 in transit.
  • Role-based access control with audit logging.
  • Multi-factor authentication available on all plans.
  • IP allowlisting available on Enterprise.
  • Penetration testing conducted annually.

Sub-processors

  • Microsoft Azure — EU hosting and storage
  • Microsoft 365 / Graph API — transactional email
  • Graydon Belgium — optional credit-check data (activated only with explicit client consent)

Data subject rights

Récolta provides tools within the platform to assist clients in responding to data-subject access, erasure, and portability requests. Requests can be submitted to privacy@recolta.eu.

Contact our DPO

Data Protection Officer: dpo@recolta.eu