Privacy-First Infrastructure

Security & Compliance

Built for the privacy-first era. Your data stays in the EU, processed under European law, with enterprise-grade security at every layer.

  • GDPR Compliant
  • EU Data Residency
  • ISO 27001 Framework
  • SOC 2 Type II (Enterprise)

Data Sovereignty

Your Data, Your Jurisdiction

Data sovereignty is not a feature toggle — it is an architectural decision. Every GetCAPI container is deployed exclusively in EU regions, ensuring your tracking data never leaves European jurisdiction.

  • EU-only container deployment

    All containers run in Frankfurt (eu-west3) and Netherlands (eu-west4). No exceptions.

  • EU/EEA jurisdiction

    Data processed and stored exclusively under EU/EEA data protection law.

  • No non-adequate transfers without SCCs

    No data transfers to countries without an adequacy decision unless Standard Contractual Clauses are in place.

  • Norwegian company, EU law

    Getia AS is incorporated in Norway and governed by Norwegian and EU data protection regulations.

Data Stays in the EU

From collection to storage to forwarding

  • Visitor event captured

    Your domain, first-party context

  • Processed in EU container

    Frankfurt / Netherlands regions

  • PII hashed, then forwarded

    To Meta, Google, TikTok APIs

Transparency Note

We use Google Cloud Platform's EU regions for container hosting. While GCP is a US company, all GetCAPI data is processed and stored exclusively in EU data centers, protected by Standard Contractual Clauses (SCCs) and GCP's EU data residency commitments.

Compliance Frameworks

We build to the standards your legal and compliance teams require. Not as a checkbox exercise, but as foundational architecture.

GDPR

General Data Protection Regulation

  • Privacy by Design & by Default
  • Data Processing Addendum (DPA) available
  • Data portability & export (Art. 20)
  • Right to erasure (Art. 17)
  • Breach notification within 48 hours
  • Published subprocessors list

ISO 27001

Information Security Management

  • ISMS framework implemented
  • Risk assessment & treatment process
  • Access control policies enforced
  • Incident response procedures
  • Regular security audits
  • Continuous improvement cycle

SOC 2 Type II

Enterprise Plan

  • Available on Enterprise plan
  • Trust Services Criteria coverage
  • Annual independent audit cycle
  • Security controls verified
  • Availability commitments
  • Confidentiality safeguards

ePrivacy & Consent

Consent Mode v2 Ready

  • Google & Meta Consent Mode v2
  • CMP auto-detection (OneTrust, Cookiebot)
  • Consent state analytics & reporting
  • Cookie-less tracking options
  • Granular consent signal forwarding
  • Consent audit trail

Defense in Depth

Security at Every Layer

Enterprise-grade security is not reserved for enterprise plans. Every GetCAPI account benefits from the same security infrastructure.

PII Hashing

All personally identifiable information is automatically hashed (SHA-256) before forwarding to any ad platform. Raw PII never leaves your container.

IP Anonymization

Built-in IP address anonymization strips the last octet before processing. Fully GDPR-compliant by default, no configuration needed.

Access Control

Role-based access control (RBAC), multi-factor authentication (MFA), SSO via SAML on Business+, and complete audit logs for every action.

Encryption

TLS 1.3 for all data in transit. AES-256 encryption at rest. Encrypted database backups with geo-redundancy within EU regions.

Monitoring

24/7 infrastructure monitoring with anomaly detection. Automated alerts for unusual traffic patterns, failed auth attempts, and system health.

Incident Response

Documented IR procedures following the NIST framework. 48-hour breach notification commitment. Post-mortem reports for all incidents.

Legal Resources

All the documentation your legal team needs, readily available.

Data Processing Addendum (DPA)

GDPR-compliant DPA automatically incorporated into your agreement

Privacy Policy

How we collect, use, and protect your data

Terms of Service

Service terms, SLAs, and usage policies

Subprocessors List

Complete list of third-party processors with notification of changes

security.txt

Responsible disclosure policy and security contact information

Enterprise Security Needs?

Custom DPAs, dedicated infrastructure, SOC 2 Type II reports, SSO, and a direct line to our security team. Let's talk.