Overview

Obeya Cloud is committed to data privacy and compliance. This page covers GDPR compliance, data handling practices, export capabilities, and audit features.

GDPR Compliance

Obeya Cloud is fully compliant with the General Data Protection Regulation (GDPR):

Data Processing Agreement

A DPA is available for all paid plans. It covers the terms under which Obeya Cloud processes personal data on your behalf.

Data Minimization

We only collect and process data necessary to provide the service. No unnecessary personal data is stored.

Right to Erasure

Users can request deletion of their personal data. Admins can delete user accounts and all associated data.

Data Portability

Export all your organization’s data at any time in standard formats (JSON, CSV).

Data Residency

Choose where your data is stored during organization setup:
Region | Location           | Compliance
EU     | Frankfurt, Germany | GDPR, EU data sovereignty
US     | Virginia, USA      | SOC 2, HIPAA eligible
APAC   | Tokyo, Japan       | APPI compliance
Data never leaves your chosen region. Backups, caches, and CDN content are all kept within the same region.

Data Export

Full Organization Export

Export all your organization’s data:
  1. Request Export: go to Settings > Data > Export All Data.
  2. Choose Format: select JSON (structured, includes all metadata) or CSV (human-readable, one file per board).
  3. Receive Download: the export runs in the background. You will receive an email with a download link when it is ready (typically within minutes for small organizations, up to an hour for large ones).

Board-Level Export

Export individual boards from the board menu: Board Menu > Export > CSV/JSON/PDF.

User Data Export (GDPR Subject Access Request)

Export all data associated with a specific user:
  1. Go to Settings > Members and find the user
  2. Click Export User Data
  3. This generates a package containing all items created by the user, comments, files, and activity history

Data Retention

Data Type                             | Retention Period
Active data (items, boards, comments) | While account is active
Archived items                        | Indefinite (until manually deleted)
Deleted items (Trash)                 | 30 days
Deleted user accounts                 | 30 days (grace period)
Audit logs                            | Plan-dependent (30 days to unlimited)
Backups                               | 90 days of point-in-time recovery
Canceled organization data            | 30 days after cancellation

Configuring Retention

Enterprise plans can configure custom retention policies:
  • Auto-archive — Automatically archive items after N days of inactivity
  • Auto-delete — Automatically delete archived items after N days
  • Comment retention — Set maximum retention period for comments
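The auto-archive and auto-delete rules above are two independent clocks: inactivity since the last change starts the archive clock, and the archive timestamp starts the delete clock, so an item is never deleted in the same sweep that archived it. The following is an added illustration of that lifecycle, not Obeya Cloud's own code; the Item and RetentionPolicy structures, the field names and the sample items are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Item:
    id: str
    last_activity: datetime               # timezone-aware
    archived_at: Optional[datetime] = None  # None while the item is active


@dataclass
class RetentionPolicy:
    auto_archive_days: Optional[int] = None  # None disables the rule
    auto_delete_days: Optional[int] = None   # counted from archived_at, not from last activity


def plan_retention(items, policy, now):
    """Return the ids a single retention sweep at `now` would archive and delete.

    Thresholds are inclusive: exactly N days of inactivity triggers the rule.
    Items archived in this sweep are not deletion candidates until a later sweep,
    because their archive clock only starts when archived_at is set.
    """
    actions = {"archive": [], "delete": []}
    for it in items:
        if it.archived_at is None:
            if (policy.auto_archive_days is not None
                    and now - it.last_activity >= timedelta(days=policy.auto_archive_days)):
                actions["archive"].append(it.id)
        else:
            if (policy.auto_delete_days is not None
                    and now - it.archived_at >= timedelta(days=policy.auto_delete_days)):
                actions["delete"].append(it.id)
    return actions


def apply_retention(items, policy, now):
    """Execute one sweep: stamp archived_at on archived items and drop deleted ones."""
    plan = plan_retention(items, policy, now)
    kept = []
    for it in items:
        if it.id in plan["delete"]:
            continue
        if it.id in plan["archive"]:
            it.archived_at = now
        kept.append(it)
    return kept


# Constructed sample data: sweep on 2024-06-01 with a 90-day archive / 60-day delete policy.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
POLICY = RetentionPolicy(auto_archive_days=90, auto_delete_days=60)
SAMPLE_ITEMS = [
    Item("A", last_activity=datetime(2024, 1, 1, tzinfo=timezone.utc)),          # idle 152 days: archive
    Item("B", last_activity=datetime(2024, 5, 20, tzinfo=timezone.utc)),         # idle 12 days: keep
    Item("C", last_activity=datetime(2023, 12, 1, tzinfo=timezone.utc),
         archived_at=datetime(2024, 1, 15, tzinfo=timezone.utc)),                # archived 138 days: delete
    Item("D", last_activity=datetime(2024, 3, 1, tzinfo=timezone.utc),
         archived_at=datetime(2024, 5, 1, tzinfo=timezone.utc)),                 # archived 31 days: keep
]

if __name__ == "__main__":
    print(plan_retention(SAMPLE_ITEMS, POLICY, NOW))
```

Running the sweep twice on the same day shows the two-clock behaviour: the first pass archives A and deletes C, and the second pass changes nothing, because A's delete clock has only just started.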

Audit Capabilities

Activity Logs

Every data change is logged with:
  • Who — The user who made the change
  • What — The specific field and values (old and new)
  • When — Timestamp with timezone
  • Where — Board, item, and column context
  • How — Via UI, API, automation, or integration
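A defender consuming an audit log export will want to check that every row actually carries the who/what/when/where/how fields before relying on it, and to see how much change traffic arrives outside the UI (API, automation, integration), since that is where unattended credentials act. The script below is an added example, not Obeya Cloud's code: the CSV column names and the sample rows are constructed assumptions, and the real export's header may differ.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of an exported audit log. Column names are an assumption
# for this example. Line 5 has no timezone offset and line 6 has no actor.
SAMPLE_AUDIT_CSV = """timestamp,actor,board,item,column,old_value,new_value,channel
2024-03-04T09:15:22+01:00,alice@example.com,Roadmap,ITEM-101,Status,Todo,In Progress,ui
2024-03-04T09:16:05+01:00,svc-deploy,Roadmap,ITEM-101,Owner,,bob@example.com,api
2024-03-04T09:20:41+01:00,automation:stale-sweep,Roadmap,ITEM-097,Archived,false,true,automation
2024-03-04 09:21:00,carol@example.com,Roadmap,ITEM-102,Status,Todo,Done,ui
2024-03-04T09:22:10+01:00,,Roadmap,ITEM-103,Priority,Low,High,integration
"""

# who = actor, what = column/old_value/new_value, when = timestamp,
# where = board/item/column, how = channel
REQUIRED = ("timestamp", "actor", "board", "item", "column", "channel")
CHANNELS = {"ui", "api", "automation", "integration"}


def parse_audit_csv(text):
    """Return the export's rows as dicts, one per logged change."""
    return list(csv.DictReader(io.StringIO(text)))


def has_timezone(ts):
    """True if the timestamp is ISO 8601 and carries a UTC offset."""
    try:
        return datetime.fromisoformat(ts).tzinfo is not None
    except ValueError:
        return False


def validate_record(rec):
    """List the ways a record falls short of the who/what/when/where/how contract."""
    problems = []
    for field in REQUIRED:
        if not rec.get(field):
            problems.append(f"missing {field}")
    if rec.get("timestamp") and not has_timezone(rec["timestamp"]):
        problems.append("timestamp lacks timezone")
    if rec.get("channel") and rec["channel"] not in CHANNELS:
        problems.append(f"unknown channel {rec['channel']}")
    return problems


def audit_report(text):
    """Validate every row and count changes per channel.

    Findings are keyed by the CSV line number (line 1 is the header) so they
    can be traced back to the exported file.
    """
    records = parse_audit_csv(text)
    findings = {}
    for line_no, rec in enumerate(records, start=2):
        problems = validate_record(rec)
        if problems:
            findings[line_no] = problems
    by_channel = Counter(r["channel"] for r in records if r.get("channel"))
    return {"rows": len(records), "findings": findings, "by_channel": dict(by_channel)}


if __name__ == "__main__":
    print(audit_report(SAMPLE_AUDIT_CSV))
```

A timestamp without an offset is flagged rather than guessed at: an export mixing local and UTC times makes event ordering across regions unreliable, which matters when the log is fed to a SIEM.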

Audit Log Export

Export audit logs as CSV from Settings > Security > Audit Log > Export. Enterprise plans can stream audit logs to external SIEM systems.

Security Certifications

Certification | Status
SOC 2 Type II | Certified
ISO 27001     | Certified
GDPR          | Compliant
HIPAA         | Eligible (Enterprise)
CSA STAR      | Level 1

HIPAA compliance requires an Enterprise plan and a signed BAA (Business Associate Agreement). Contact sales for details.

Data Deletion

Deleting User Data

When a user account is deleted, the following happens:
  • Personal information (name, email, avatar) is removed
  • Items created by the user are preserved but the creator is shown as “Deleted User”
  • Comments by the user are preserved with the author shown as “Deleted User”
  • Activity log entries are anonymized
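The deletion rules above keep the organization's work intact while removing the person: the profile goes, references to it become a placeholder, and log entries lose their actor. The added example below applies those four rules to a small constructed data set and then sweeps the result for any remaining copy of the removed name, email or avatar URL. It is illustrative code, not Obeya Cloud's implementation; the org structure, field names and sample records are assumptions made for this example.

```python
import copy

DELETED_USER = "Deleted User"

# Constructed sample organization data; the layout is an assumption for this
# example. Note that Bob's comment mentions Alice by name in free text.
SAMPLE_ORG = {
    "users": {
        "u1": {"name": "Alice Example", "email": "alice@example.com",
               "avatar": "https://cdn.example/avatars/u1.png"},
        "u2": {"name": "Bob Example", "email": "bob@example.com", "avatar": None},
    },
    "items": [
        {"id": "ITEM-1", "title": "Draft roadmap", "creator": "u1"},
        {"id": "ITEM-2", "title": "Review budget", "creator": "u2"},
    ],
    "comments": [
        {"id": "c1", "item": "ITEM-1", "author": "u1", "body": "Looks good."},
        {"id": "c2", "item": "ITEM-1", "author": "u2", "body": "Ping Alice Example for sign-off."},
    ],
    "activity": [
        {"ts": "2024-03-04T09:15:22+01:00", "actor": "u1", "actor_email": "alice@example.com",
         "item": "ITEM-1", "field": "Status", "old": "Todo", "new": "Done"},
        {"ts": "2024-03-04T09:16:05+01:00", "actor": "u2", "actor_email": "bob@example.com",
         "item": "ITEM-2", "field": "Owner", "old": None, "new": "u1"},
    ],
}


def erase_user(org, user_id):
    """Apply the account-deletion rules to a copy of `org`.

    Returns the anonymized org and the removed profile (so the caller can
    verify nothing else still carries that personal data).
    """
    org = copy.deepcopy(org)
    profile = org["users"].pop(user_id)                      # personal information removed
    for item in org["items"]:
        if item["creator"] == user_id:
            item["creator"] = DELETED_USER                   # item preserved, creator replaced
    for comment in org["comments"]:
        if comment["author"] == user_id:
            comment["author"] = DELETED_USER                 # comment preserved, author replaced
    for entry in org["activity"]:
        if entry["actor"] == user_id:
            entry["actor"] = DELETED_USER                    # log entry anonymized
            entry["actor_email"] = None
    return org, profile


def residual_pii(org, profile):
    """Return (json_path, value) pairs where the removed profile's strings still appear."""
    needles = {v for v in profile.values() if isinstance(v, str)}
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif isinstance(node, str):
            for needle in needles:
                if needle in node:
                    hits.append((path, needle))

    walk(org, "$")
    return hits


if __name__ == "__main__":
    anonymized, removed = erase_user(SAMPLE_ORG, "u1")
    print(residual_pii(anonymized, removed))
```

The sweep surfaces the case the four rules do not cover by themselves: another user's comment body still names the deleted person. Whether such free-text mentions fall under an erasure request is a policy decision, but the check makes them visible instead of silently leaving them behind.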

Deleting Organization Data

When an organization is deleted, all data is permanently removed after the 30-day grace period, including all workspaces, projects, boards, items, files, comments, and audit logs.

Sub-Processors

A list of third-party sub-processors used by Obeya Cloud is available at obeya.cloud/legal/sub-processors. We notify customers 30 days before adding a new sub-processor.