Trust center
Roles and lawful basis
The customer is the controller and is responsible for the lawful basis under article 6 GDPR (and where applicable a valid exception under article 9(2) or article 10). Localign acts as processor and follows the customer's documented instructions.
Rights of data subjects
The product supports access, export, correction, deletion, restriction and machine-readable portability per data subject. Customers can fulfil article 15-20 requests directly from the administration panel.
DPIA building blocks
Localign supplies a starting set of risks and mitigations that customers can incorporate into their own DPIA under article 35 GDPR. Standard risks covered include re-identification through aggregation, prompt leakage, retention beyond necessity and sub-processor failure.
Sectoral overlays
On top of the GDPR, sector-specific rules apply: NEN 7510 / NEN 7512 / NEN 7513 and medical confidentiality in healthcare, advocate and notary confidentiality in legal services, codes of conduct in education, BIO in government, DNB Good Practice and EBA guidelines in financial services.
Breach notification
Breaches are detected through monitoring and investigated against documented turnaround times. The final report covers reconstruction, root cause, structural mitigations and impact, supporting the article 33 notification duty.
Per-customer DPA generation
The DPA, AI Annex and Terms are rendered with your legal entity details (legal form, Chamber of Commerce number, signing representative, registered office) directly from the customer admin panel, then archived as a versioned PDF. The same documents are always available unfilled on this Trust Center, so any version reference in your contract stays reproducible.
Sub-processor change notice
Material changes to the sub-processor list are published on the Sub-processors page and actively communicated to the contact named in your DPA. Customers may object within the notice window set by the DPA; for clarity, this is the same contact channel used for any DPA-driven communication.
Retention
Conversations and uploaded documents are retained while your contract is active, plus a defined post-termination grace window. Backups, operational logs and accounting records each have their own retention. The full schedule lives on the Retention page so you can map it onto your own register of processing activities.
What you can self-serve
Article 15-20 requests are fulfillable directly from the admin panel: per-user export, correction, deletion and machine-readable portability. Account-wide export-and-delete is also available from the same screen. No support ticket needed for the common cases — and every action is logged.