Compliance & Data Protection
This page describes how Breeze aligns with applicable data-protection regulations and recognized security standards, and how data-protection responsibilities are split between Sotera, partners, and end customers.
Roles under GDPR
Sotera processes personal data as a data processor, on documented instructions from the customer (or, in partner-led deployments, on the partner's instructions). The customer (or end customer) is the data controller and determines the purposes and means of the processing. Sotera does not use customer personal data for any purpose other than delivering the Breeze service.
Lawful bases for processing
The customer or partner determines the lawful basis for the personal data they upload to Breeze (typically Article 6(1)(b) contract performance, or Article 6(1)(f) legitimate interests for credential management).
Sotera additionally relies on Article 6(1)(f) (legitimate interests) for a narrow, security-related set of processing activities required to operate the platform safely:
- Security audit logging. Breeze records source IP addresses and session metadata in audit events. IP addresses are personal data under GDPR; processing them for security, audit, and incident investigation is recognized as a legitimate interest in Recital 49 of the GDPR.
- Abuse and fraud prevention. Rate-limit counters and authentication-failure tracking process technical identifiers (IP, user agent) to prevent brute-force and credential-stuffing attacks.
- Operational error monitoring. Error reports are forwarded to the error-monitoring sub-processor with directly identifying personal data (email addresses) masked or omitted before transmission.
These legitimate-interest processing activities are limited to what is necessary to keep the service secure and available, and are weighed against the rights and freedoms of data subjects in line with Article 6(1)(f). They are not used for analytics, marketing, profiling, or any purpose unrelated to platform security.
Data residency
All primary processing of customer personal data — the operational database, object storage, application servers, and cache — takes place in Norway / EEA. See Network and infrastructure for the full hosting topology and Sub-processors for the small number of EU-resident operational sub-processors.
Data Processing Agreement (DPA)
A DPA is available. Sotera applies a two-tier model:
- Direct customers. Sotera signs a Data Processing Agreement directly with the customer. This DPA governs the processing terms between Sotera and the customer.
- Partner-led deployments. Sotera signs a Data Processing Agreement with the partner that has contracted for use of Breeze on behalf of end customers. The partner in turn signs a DPA with each of their end customers. The partner remains the operational point of contact for those end customers.
In both models, Sotera's commitments — confidentiality, sub-processor management, security measures, breach handling, support for data subject rights, and return or deletion of data on termination — are documented in the DPA.
To request a DPA, contact your Sotera account contact (direct customers) or your partner (end customers of a partner deployment).
ISO 27001
Sotera's information-security program is aligned with ISO/IEC 27001 Annex A controls. The relevant control families — access control, cryptography, operations security, communications security, system acquisition and development, supplier relationships, incident management, business continuity, and compliance — are mapped to documented internal policies and to the technical controls described in this Trust Center.
Formal third-party certification under ISO/IEC 27001 is on the roadmap. Until certification is achieved, Sotera does not represent the program as certified.
Data subject rights
Under GDPR, end users of a Breeze tenant have the following rights with respect to their personal data:
| Right | How it is supported in Breeze |
|---|---|
| Right of access (Art. 15) | Tenant administrators can retrieve the personal data of any user or credential through the admin UI; the user themselves can view their own profile data. |
| Right to rectification (Art. 16) | Personal data fields can be edited by the user (their own profile) or by an authorized tenant administrator. |
| Right to erasure (Art. 17) | Tenant administrators can delete user accounts and credentials. Users can delete their own account from their profile. Backups age out per the configured MongoDB Atlas retention window. |
| Right to restriction (Art. 18) | Accounts can be deactivated (suspended) without deletion. |
| Right to data portability (Art. 20) | An export of a tenant's credential and user data can be provided in a structured, machine-readable format on request through your Sotera account contact (or your partner, in partner-led deployments). |
| Right to object (Art. 21) | Processing-specific objections sent directly to Sotera (or the partner) are handled per the DPA. |
For end users of a partner-led deployment, requests should be directed to the partner; the partner will engage Sotera as needed.
Data minimization
Breeze captures only the data required to deliver the service:
- For users: name and email are sufficient for account creation. Additional fields are optional and tenant-driven.
- For credentials: fields are determined by the credential template the tenant has configured. The platform does not require fields that are not used by the chosen template.
Data retention
Breeze applies a three-stage user lifecycle (registered but not activated → active → deactivated), with deletion as the end state. The time spent at each stage is configurable at both the Domain level and the Tenant level. A domain administrator sets the baseline that applies across all tenants in the domain; an individual tenant can override that baseline if its compliance or engagement requirements differ.
Out-of-the-box defaults are:
- Registered (not activated): account is deleted after 90 days of inactivity. Warning emails are sent before deletion (timing also configurable; defaults are first warning at 70 days, final warning at 85 days).
- Active: account is deactivated after 90 days without login. Warning emails follow the same configurable schedule.
- Deactivated: account is deleted 30 days after deactivation. Deactivated accounts can be reactivated by a tenant administrator within that window; once deleted, the account cannot be recovered.
These figures are the system defaults; the actual values applied to your data are whatever your domain or tenant has configured. For the full set of configurable timings, see User Administration › Life Cycle Management.
Backup retention is platform-managed at the database tier (continuous backup with point-in-time restore on the MongoDB Atlas cluster). Audit-log entries are retained alongside the tenant's primary data, on the same lifecycle.
Personnel security
Sotera personnel with access to production systems are bound by confidentiality obligations as part of their employment. Production access is granted on a least-privilege basis, requires individual authentication with MFA, and is reviewed periodically.
Compliance roadmap
The following items are part of Sotera's ongoing compliance program:
- Formal ISO/IEC 27001 certification.
- Adoption of a formal Legitimate Interests Assessment (LIA) for the security-related processing activities listed above.
- Self-service data-export tooling for the right to data portability.
- Continued expansion of automated security controls in the SDLC.
- Continued reduction of personal data exposure in operational telemetry.
- Migration of branding-asset hosting (logos) away from Cloudinary to an EU/EEA-resident provider, removing the only US-resident sub-processor from the platform.
This page will be updated as these items reach completion.