GDPR & data sovereignty
Your archives never leave your Azure tenant.
That changes the GDPR conversation. SmiKar's products are designed so archived SharePoint and Microsoft 365 content stays inside the customer's own Azure subscription, in the region the customer chooses — not in a vendor cloud.
Archived data stays in your own Azure tenant
Squirrel and Chipmunk archives live in your Azure subscription, in the EU region you choose. SmiKar never holds a copy.
Encrypted at rest, encrypted in transit
AES-256 at rest, TLS 1.2+ in transit. SmiKar manages the encryption keys for archive operations and provides each customer with a copy of their keys for independent access.
DPA available on request
Standard Data Processing Agreement, signed before contract. SCCs included where relevant.
Minimal personal data processed
Operational metadata (account IDs, SharePoint structure, audit logs). File contents transit Squirrel for compression and encryption, then land in your Azure storage account — SmiKar retains no persistent copy.
Data sovereignty by design
The single most important GDPR question for cloud archiving is: where does the data actually live? For Squirrel and Chipmunk, the answer is unambiguous — in the customer's own Azure Blob Storage account, inside the customer's own Azure subscription, in the Azure region the customer chooses.
SmiKar does not operate a multi-tenant cloud for customer content. We do not hold copies. We do not have access to the archive blobs except through customer-granted permissions on the customer's subscription. If the customer ends their contract, the data remains exactly where it always was — in their tenant.
The Squirrel processing layer is deployed per customer in the same Azure region as the customer's data. So when an EU customer pins their archive to West Europe, North Europe, France Central, Sweden Central, Germany West Central or any other EU region, the compression and encryption pipeline runs in that same region too. Content never leaves the region during processing.
For European customers this simplifies Schrems II analysis considerably: archived content stays inside EU Azure regions under Microsoft's EU Data Boundary commitments, with no traversal to non-adequate jurisdictions either in transit or at rest.
What personal data SmiKar processes
To operate the service, SmiKar processes a minimal set of operational metadata. Archived file contents transit Squirrel's processing layer for compression and encryption before being written back to the customer's own Azure storage account. SmiKar retains no persistent copy of customer content outside the customer's tenant.
Customer administrator accounts
Name, work email, role — used to authenticate to the SmiKar admin UI and contact for service notifications.
SharePoint structure metadata
Site, library, folder and file identifiers + sizes, used to plan and execute archive operations.
Audit and operational logs
Records of archive/restore operations against the customer’s subscription, for support and chain-of-custody.
Billing details
Company name, billing contact, purchase order metadata, retained for tax and contractual purposes.
Full detail of categories, retention and lawful basis is in the Privacy Policy.
Sub-processors
The third parties below process limited personal data on SmiKar's behalf. Customer archive content is notshared with any sub-processor — it remains in the customer's Azure subscription.
| Provider | Purpose | Region |
|---|---|---|
| Microsoft Azure | Hosting for the SmiKar control plane and the customer's archived data (in the customer's own subscription). | Customer-selected (EU regions available) |
| Formspree | Web form submissions (sales enquiries, downloads, newsletter signup). | United States |
| Google Analytics 4 | Website usage analytics — loaded only after explicit consent via the cookie banner. | Global (Google) |
| Microsoft Clarity | Anonymised heatmaps and session recordings — loaded only after explicit consent. | Global (Microsoft) |
We notify customers in advance of any material change to this sub-processor list.
DPA available on request
We provide a standard GDPR-aligned DPA covering controller/processor obligations, sub-processor management, security measures, audit rights and breach notification. Standard Contractual Clauses (SCCs) are included where required for transfers outside the EU/UK.
Request the DPAAccess, rectification, erasure
Where SmiKar acts as data controller for its own business records (e.g. sales contacts, newsletter signups), individuals can exercise GDPR rights — access, rectification, erasure, restriction, portability and objection — by emailing sales@smikar.com. We respond within one calendar month.
For data inside a customer's archive, the customer is the controller — requests should go to the customer's own Data Protection Officer. SmiKar supports the customer in fulfilling those requests via the product's search, restore and delete capabilities.
EU data can stay in the EU
Archive content lives in whichever Azure region the customer selects. EU and UK customers typically pin to an EU/UK region and rely on Microsoft's EU Data Boundary commitments. Where any limited SmiKar-side data does transit outside the EEA (e.g. operational support), it's covered by SCCs under our DPA.
72-hour notification commitment
In the event of a personal data breach affecting customer data, we notify affected customers without undue delay and within 72 hours of becoming aware, in line with GDPR Art. 33. Full breach handling, root-cause analysis and remediation procedures are documented in our Data Protection & Security Standards.
Have a procurement or DPO question?
We'll get a security or privacy questionnaire turned around quickly.