GDPR Compliance

Revision Date : Aug 25, 2022

The EU General Data Protection Regulation (GDPR) is the most comprehensive change to EU data privacy law in decades. It took effect on the 25th May 2018. We work hard to comply with the GDPR and apply its principles as we build new services.

Does this affect me?

The GDPR regulation applies to any EU residents' data, regardless of where the processor or controller is located. This means that if you’re using Tomba from the US to reach out to other US corporations, the regulation doesn’t affect you. But if some of your customers or leads are in the EU, you should pay attention to it.

In practice, most companies need to take the GDPR into consideration.

Tomba's GDPR Commitment

The EU General Data Protection Regulation (GDPR) is now in effect, and Tomba is here to support you in meeting its requirements.

What Is GDPR?

GDPR is setting a new standard for how organizations collect, use, and protect personal information of individuals domiciled in the EEA country. With the growing concern for data safety, this law is designed to restore the confidence of the public.

GDPR Implications For Your Organization.

Whether or not your organization is based in the EEA, all business that control or process personal information of individuals domiciled in the EEA country have to do so in accordance with the GDPR requirements.

As an employer, this means that you are responsible for ensuring that the personal information of your EEA domiciled employees is processed in accordance with the GDPR requirements.

Because of this, you are also responsible for ensuring that any service providers that you use will process the personal information of your EEA domiciled employees in accordance with the GDPR requirements.

Tomba's GDPR Compliance.

Tomba's is committed to ensure its GDPR compliance.

Here are some of the following measures that Tomba has put in place:

1 Tomba's Contractual Terms Reflect GDPR Requirements.

Tomba has prepared a Data Processing Addendum that contains the GDPR contractual requirements. Where applicable, this Data Processing Addendum is incorporated into our Tomba Terms of Service for Cloud Services, available at /terms-of-service.

  • Tomba will be transparent and never use your employees' personal information other than as instructed by you,
  • Tomba will maintain appropriate technical and organizational security measures to protect your employees' personal information,
  • Tomba will assist you with requests from your employees regarding their personal information that is processed using Tomba Cloud Services in line with GDPR requirements.

2. Tomba Continues To Improve Its Security Infrastructures.

Tomba is committed to maintaining appropriate technical and organizational security measures to protect your employees' personal information that is processed using Tomba Cloud Services in line with the GDPR requirements.

Right of erasure

Because we deal with publicly available web data, information removed from a website are also removed from our database. But if a data subject wishes to speed up the removal of any in our index, we offer a way to claim email addresses. It is then possible to either update the data or entirely remove it.


We’re taking the security of the data we manage very seriously. Our architecture has been vastly upgraded prior to the GDPR enforcement: Our entire cluster is systematically behind a firewall. Double authentication is required for any connection. We’ve also subscribed to Cloudflare to provide a Web Application Firewall (WAF) and a systematic block of potential threats. Finally, we’re continuously improving our security. You can learn more about this topic on our page dedicated to this subject: .


We store and process all our data exclusively in the EU. We even store our off-site backups within the EU.

Log files

Tomba follows a standard procedure of using log files. These files log visitors when they visit websites. All hosting companies do this and a part of hosting services' analytics. The information collected by log files include internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks. These are not linked to any information that is personally identifiable. The purpose of the information is for analyzing trends, administering the site, tracking users' movement on the website, and gathering demographic information.

Data portability

The GDPR gives the right to any user to download any data that he provides to a service. This allows for easier migration to other services. We think this is a great idea and tomba has always made it possible for user to download their data.

Children's Information

Another part of our priority is adding protection for children while using the internet. We encourage parents and guardians to observe, participate in, and/or monitor and guide their online activity. Tomba does not knowingly collect any Personal Identifiable Information from children under the age of 13. If you think that your child provided this kind of information on our website, we strongly encourage you to contact us immediately and we will do our best efforts to promptly remove such information from our records.


  • How long do you store customer data for? We store customers’ data only for the time of using our services or until they request to delete their data.
  • Where is your customer data physically stored? Data of our EU customers are stored in our European datacenters located in Germany, and are hosted by Digital ocean, Inc.
  • Which of your teams will have access to customer personal information? We access customer’s personal information only based on prior request by the customer or with the customer’s approval. In most common cases, it is the customer support team, development team or marketing team.
  • How does your organization handle instances when customers request their data to be removed from your system(s)? When a customer requests deletion of their data, we proceed with the deletion immediately, with no further delay.
  • What are the Categories of Data? Name, Email, Phone number, Address, IP Address, Timestamps of actions, Browser Cookies, Additional data collected by customers.


We invite you to look at our Privacy Policy as it contains a precise description of how we process data. Should you have any other questions, we’re here to help.