MarketLabs

Compass and GDPR.

GDPR is not a checklist for us. It's a foundational design principle. This page explains how Compass approaches data protection — for our customers, for the data subjects whose data flows through the platform, and for the regulatory authorities that hold us accountable.

Last updated: [TO BE VALIDATED date]. The GDPR landscape continues to evolve, including through the EU Digital Omnibus (proposed November 2025), which is amending breach notification timelines, cookie governance, and other operational requirements. This page reflects our current implementation.

📋 DRAFT — TO BE VALIDATED BY DPO BEFORE PUBLICATION

OUR ROLE

Data controller, data processor, or both — depending on the context.

Under GDPR, MarketLabs S.r.l. acts in different roles depending on the data being processed:

As data controller, we process personal data of website visitors, demo requesters, contacts, and our own employees. For these processing activities, we determine the purposes and means. Our Privacy Policy describes this in detail.

As data processor, we process personal data submitted to Compass by our customers, on their instructions, to deliver the platform. In this role, the customer is the data controller. Our role is governed by a Data Processing Agreement (DPA) signed between the customer and MarketLabs.

DATA PROTECTION BY DESIGN AND BY DEFAULT (ARTICLE 25)

Five structural practices baked into Compass.

1. EU hosting by default.

Compass production data resides in EU data centers. International transfers occur only where strictly necessary and with appropriate safeguards.

2. Pseudonymization and minimization.

We process only the personal data necessary for the purposes documented. Where pseudonymization is technically possible (e.g., analytics aggregation), it is the default.

3. Role-based access at every level.

Customer data is accessible only to authorized users within the customer's tenant. MarketLabs staff access to customer data is restricted to documented operational reasons (support, incident response) with audit logging.

4. Built-in support for data subject rights.

Compass provides tooling for customers (acting as data controllers) to respond to data subject requests: access, rectification, erasure, portability. Customer admins can perform these operations directly via the platform.

5. Audit trail with Time Machine.

Every action on personal data is logged with timestamp, actor, and context. Forensic reconstruction is possible for any historical moment.

OUR DPA

What's in our customer Data Processing Agreement.

Every customer signs a DPA with MarketLabs as part of the Master Subscription Agreement. The DPA covers everything Article 28 of GDPR requires — and several additional commitments specific to Compass.

  • Scope, duration, nature, and purpose of processing
  • Categories of data subjects and personal data
  • Controller and processor obligations
  • Subprocessor list and management (30-day notice for changes)
  • Confidentiality undertakings
  • Security measures (Annex II)
  • Cross-border transfer mechanisms (Standard Contractual Clauses)
  • Data subject request handling
  • Breach notification (96 hours)
  • Data return and deletion upon contract termination
  • Audit rights (customer audit and third-party audit)
  • Liability and indemnification specific to data processing

Our DPA template is available for review during procurement. Contact dpo@marketlabs.io [TO BE VALIDATED] to request a copy.

OUR SUBPROCESSORS

Transparency on who else touches your data.

We engage a limited, vetted set of subprocessors to deliver the Compass service. Each subprocessor is bound by a written contract that imposes data protection obligations equivalent to those we accept with our customers.

Category | Examples | Purpose | Region
Cloud infrastructure | [TO BE VALIDATED — actual providers] | Hosting and compute | EU
LLM and AI providers | [TO BE VALIDATED — actual providers] | AI capabilities (Deal Scoring, AI Copilot, Agents) | [TO BE VALIDATED — region and transfer mechanisms]
Data enrichment | Cerved [+ TO BE VALIDATED] | Financial registry enrichment | EU
Email and communication | [TO BE VALIDATED] | Transactional email, support | [TO BE VALIDATED]
Analytics | [TO BE VALIDATED] | Website analytics | [TO BE VALIDATED]

Our full, current subprocessor list is published in our DPA Annex III and available on request. Customers receive notification at least 30 days in advance of any new subprocessor.

BREACH RESPONSE

Our commitment to breach notification.

In the event of a personal data breach, MarketLabs commits to notify affected customers without undue delay, and in any event within 96 hours of becoming aware of the breach. This timeline aligns with the EU Digital Omnibus (2026), which extends the original GDPR 72-hour requirement to 96 hours.

Notifications include: nature of the breach, categories and approximate number of data subjects and records affected, contact point for further information, likely consequences, measures taken or proposed. We support customers in their own notifications to supervisory authorities and to affected data subjects where applicable.

DATA SUBJECT RIGHTS

Supporting the people whose data flows through Compass.

Data subjects whose personal data we process directly (website visitors, demo requesters) can exercise their GDPR rights by contacting us at privacy@marketlabs.io [TO BE VALIDATED]. See our Privacy Policy for detail.

For data subjects whose personal data is processed via Compass by our customers (acting as data controllers), requests should be addressed to the relevant customer. MarketLabs supports the customer in responding to such requests via platform tooling.

Contact our Data Protection Officer.

For privacy and GDPR matters, our DPO is your single point of contact.

Email: dpo@marketlabs.io [TO BE VALIDATED]
Postal: MarketLabs S.r.l. — Attn: DPO — Via delle Quattro Fontane 116, 00184 Rome, Italy
Response time: Within 5 business days for inquiries, within 30 days for formal data subject requests (as per GDPR Article 12).