Who is the Data Processor and who is the Data Controller?

Under GDPR, our customers are considered the Data Controller and SafetyCulture is considered the Data Processor. GDPR specifies requirements for Controllers in relation to the personal data they are responsible for, including the requirement that, when they use Data Processors, those Processors provide sufficient guarantees that they will abide by GDPR and that the rights of the data subjects are protected.

Where does SafetyCulture store customer data?

We host our customer, audit and incident data with Amazon Web Services (AWS), a top-tier, third-party data hosting provider. We utilise AWS in different locations around the world, depending on the product.

For more information about AWS's approach to compliance with the GDPR, see

We utilise three AWS locations in relation to iAuditor data: the US, the EU (Ireland) and Australia. By default, customers will have their data stored on AWS servers located in the US.

Whilst not required by GDPR, iAuditor Premium Annual or Enterprise Annual subscriptions with more than 20 seats have the option to store their data in Australia or the EU (costs to be quoted separately). Should you wish to speak to us about migrating your data from the US to Australia or the EU, please contact your Account Manager or [email protected].

Currently, all Spotlight data is stored in the US. We may add other data storage locations in the future.

Can customers choose to store their data in the EU?

If you are on an Annual Premium subscription with more than 20 seats, you will have the option to have your data stored within the EU. While not strictly a requirement of GDPR, we have listened to our European customers and understand there is appetite to store data in the EU. Accordingly, we have invested in a data hosting environment with AWS in Dublin. Should you wish to speak to us about migrating your data from the US to the EU, please contact your Account Manager or

How does SafetyCulture comply with EU data export restrictions?

In some instances, SafetyCulture hosts or processes personal data outside of the European Economic Area; this is most likely to involve your user details rather than any audit or incident data. GDPR requires that this data remains protected by appropriate safeguards in line with EU law. SafetyCulture achieves this either by entering into the European Commission's Standard Contractual Clauses with the entity the data is transferred to, or by ensuring the entity is Privacy Shield certified (for transfers to US-based entities).

Does SafetyCulture provide fair processing notices?

Controllers of data must provide fair processing notices to data subjects, which set out minimum information about how their data is processed. With regards to SafetyCulture processing the details of your end

In relation to providing fair processing notices to data subjects that you may collect data on when conducting inspections or reporting incidents, SafetyCulture cannot feasibly provide fair processing notices on your behalf, as we cannot distinguish personal data from any other inspection data. The obligation in this circumstance remains with you as Data Controller.

How does SafetyCulture comply with the Data Minimisation principle?

Under GDPR, any data collected must be relevant and limited to what is necessary for the purpose for which it is being processed. If you plan to collect any personal data when conducting inspections or reporting incidents, then we suggest that you only collect necessary information. To help you identify and minimise the data protection risks, the ICO has provided guidance on Data Protection Impact Assessments

How should I handle Subject Access Requests?

Data subjects may lodge requests with you as Data Controller to extract all data relating to the data subject. Should you receive such a request and require our assistance in dealing with it, please send a detailed email to [email protected] and we will endeavour to action the request within 30 days.

How does SafetyCulture respond to a data breach?

In the unlikely event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, SafetyCulture has an established Data Breach Response Plan. To obtain a copy of this policy, please contact your Account Manager or

Who at SafetyCulture is primarily responsible for personal data matters?

While SafetyCulture is not required to have a Data Protection Officer under GDPR, we have a Chief Privacy Officer (CPO) who can be contacted via