GDPR Compliance
Last Update: 02 Dec, 2025
GDPR Compliance at Desku
This page provides an overview of how Desku complies with GDPR, including Desku.io’s role as a Data Processor, the circumstances in which Desku.io acts as a Data Controller, the rights available to individuals under GDPR, and the technical and organizational measures implemented across the platform to support lawful, secure, and transparent data Processing activities.
What Is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law governing the collection, use, storage, and transfer of personal data relating to individuals located in the European Union (EU), the European Economic Area (EEA), and the United Kingdom (UK). It establishes specific obligations for organizations that process personal data and defines the rights of individuals whose data is subject to such Processing.
GDPR is particularly relevant for cloud-based services, including SaaS platforms and Customer Support Software, where personal data may appear within support tickets, communications, Customer profiles, or other operational records created or managed through the platform.
Key GDPR Definitions
“Customer”
A business entity, organization, or authorized individual who accesses or uses the Service. The person creating the account represents that they have authority to bind the Customer.
“Customer Data”
Any data submitted, transmitted, stored, or generated by Customers or their End-Users through use of the Service.
“Data Controller”
The individual or organization that determines the purposes and means of Processing personal data.
“Data Processor”
A service provider, such as Desku.io, that processes personal data on behalf of the Data Controller and in accordance with documented instructions.
“Data Subject”
Data Subject has the meaning given in applicable data protection law (including the GDPR) and refers to an identified or identifiable natural person to whom Personal Data relates.
“Processing”
Any operation performed on Personal Data, whether or not by automated means. Examples include collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, transmission, dissemination, restriction, erasure, or destruction.
“Personal Data”
Any information relating to an identified or identifiable natural person, as defined under GDPR.
“Service”
The Desku.io platform and all associated tools, features, and interfaces, including HelpDesk services, Live Chat, OmniChannel messaging, AI functionality, automation tools, analytics, integrations, and administrative components.
“Subprocessor”
A third-party entity that is engaged by the Data Processor to support the delivery of services and that may process personal data under the same obligations applied to the Processor.
“User”
An individual or business entity that accesses or uses the Service, whether directly or through an authorized representative. This includes all agents, staff members, contractors, and administrators operating under a Customer’s account.
Desku as a Data Processor
Desku.io primarily acts as a Data Processor in relation to the personal data handled through the platform’s Customer Support functions. This includes personal data contained within messages, support tickets, contact records, automation workflows, and other information that Customers choose to store or process when using the Service.
In this capacity, Desku.io processes personal data solely on the documented instructions of the Data Controller and in accordance with applicable contractual, technical, and organizational requirements. Processing activities are limited to what is necessary to provide the platform’s functionality and to maintain the security and operational integrity of the Service.
The following sections provide clarification on the circumstances under which Desku.io acts as a Data Processor versus when it acts as a Data Controller, in order to outline how different categories of personal data are handled in accordance with GDPR.
When Desku Acts as Processor
Desku.io acts as a Data Processor with respect to personal data processed through the platform as part of Customer Support operations. This includes, but is not limited to:
In all such cases, Desku.io processes personal data exclusively on behalf of, and according to the instructions of, the Data Controller.
When Desku Acts as Controller
In all other cases, Desku.io processes personal data strictly on behalf of the Customer in its capacity as a Data Processor.
Responsibilities Under GDPR (Article 28)
When acting as a Data Processor, Desku.io performs its obligations in accordance with Article 28 of the GDPR. These responsibilities include:
Helping Customers Stay Compliant
Desku.io provides configuration options that enable Data Controllers to manage their own GDPR compliance obligations within the platform. Customers may configure:
These features assist Data Controllers in implementing their internal data protection policies and GDPR compliance frameworks.
How Desku Complies with GDPR
Desku.io implements technical and organizational measures designed to align the platform with the requirements of the General Data Protection Regulation. These measures apply across all components of the service, including the HelpDesk environment and AI-enabled support features.
The following sections provide a transparent, structured overview of the GDPR compliance framework applied within the platform.
Data Minimization
Desku.io processes only the personal data that is necessary to provide the services requested by the Data Controller. The platform does not collect or retain personal data that is unrelated, excessive, or unnecessary for the operation of its Customer Support and HelpDesk functions.
Purpose Limitation
Desku.io processes personal data only for purposes that are lawful, specified, and directly related to the operation of the platform. These purposes include:
Delivering and maintaining the services requested by the Data Controller.
Lawful Basis for Processing
Desku.io processes personal data only where a lawful basis under the GDPR applies. Depending on the nature of the Processing activity, Desku.io relies on the following lawful bases:
Storage Limitation
Desku.io applies defined data retention practices to ensure that personal data is stored only for as long as necessary to fulfil the purposes for which it was collected or to meet applicable legal, regulatory, or contractual requirements. These practices include:
Retaining personal data only for the duration required to operate and support the services provided to the Data Controller.
Applying distinct retention periods to specific categories of data where necessary or appropriate.
Security Measures
Desku.io implements layered technical and organizational measures designed to protect personal data and maintain a secure Processing environment. These measures include:
Additional details regarding platform security controls are available on our Security Page.
Hosting Location
Desku.io operates on a secure, cloud-based infrastructure designed to support reliable and compliant data Processing. The platform incorporates:
Global redundancy measures to maintain service continuity and availability in the event of localized disruptions.
These hosting arrangements are designed to provide a secure and resilient environment for the Processing of personal data.
AI & Automated Processing
Desku.io incorporates AI-driven features that are designed and operated in accordance with GDPR principles and applicable data protection requirements. All automated Processing within the platform is implemented with safeguards that ensure personal data is handled with the same level of protection applied to human-driven support activities.
To maintain alignment with GDPR obligations:
These measures ensure that AI-supported workflows function in a secure, transparent, and responsible manner, supporting GDPR-compliant data Processing throughout the automation lifecycle.
Data Processing Agreement (DPA)
Desku.io makes a GDPR-aligned Data Processing Agreement (DPA) available to all Customers that require a contractual framework governing the Processing of personal data. The DPA sets out the terms and conditions under which Desku.io processes personal data on behalf of the Data Controller and describes the technical and organizational measures implemented to ensure its security and confidentiality.
The DPA outlines:
All Subprocessors engaged by Desku.io are required to enter into a GDPR-aligned Data Processing Agreement to ensure consistency of obligations and protections across the entire processing chain.
Customers may request or download the DPA using the link provided on this page.
Your Rights Under GDPR Law
Individuals located in the European Union (EU), the European Economic Area (EEA), or the United Kingdom (UK) have specific rights under the GDPR in relation to the Processing of their personal data. When Desku.io processes personal data as a Data Processor, requests relating to these rights must generally be directed to the Data Controller. However, Desku.io will assist the Data Controller in responding to such requests where required by the regulation or by contract.
The rights available to Data Subjects include:
Right of Access
The right to obtain confirmation as to whether personal data is being processed and, where applicable, to receive a copy of that data.
Right to Rectification
The right to request the correction of inaccurate or incomplete personal data.
Right to Erasure
The right to request the deletion of personal data in circumstances permitted under Article 17 of the GDPR.
Right to Restrict Processing
The right to request the limitation of Processing in certain situations, such as when the accuracy of the data is contested.
Right to Data Portability
The right to receive personal data in a structured, commonly used, and machine-readable format, and to request its transmission to another controller where technically feasible.
Right to Object
The right to object to Processing carried out on the basis of legitimate interests or for direct marketing purposes.
Right to Withdraw Consent
Where Processing is based on consent, the right to withdraw that consent at any time without affecting the lawfulness of prior Processing.
Right to Lodge a Complaint
The right to submit a complaint to a competent supervisory authority in the EU, EEA, or UK.
How to Submit a Request
Data Subjects may submit requests to exercise their GDPR rights through Desku.io’s designated request channels. Requests may be submitted:
By contacting the Desku.io Privacy Team at: support@desku.io
All requests will be handled in coordination with the applicable Data Controller, and Desku.io will provide reasonable assistance as required under the GDPR and relevant contractual obligations.
Subprocessors
Desku.io engages certain third-party service providers (“Subprocessors”) to support the delivery and operation of the platform. Where Subprocessors process personal data on behalf of the Data Controller, Desku.io ensures that:
Customers may view the current list of approved Subprocessors using the link provided on this page.
Data Transfers Outside the EU
When personal data is transferred outside the European Union (EU) or the European Economic Area (EEA), Desku.io implements lawful transfer mechanisms and safeguards in accordance with Chapter V of the GDPR. These safeguards include:
These measures are designed to ensure that international transfers of personal data are conducted in a secure and compliant manner.
Data Breach Policies
Desku.io maintains internal procedures for identifying, assessing, and responding to personal data breaches and other security incidents that may affect the confidentiality, integrity, or availability of personal data. These procedures are designed to support compliance with Articles 33 and 34 of the GDPR.
Desku.io’s commitments include:
Immediate internal escalation of suspected or confirmed security incidents.
These policies support a structured and compliant approach to breach management across the Desku.io platform.
Data Protection Officer & Contact Information
Additional information regarding Desku.io’s privacy practices can be found in the Privacy Policy.