Yes, Crossmint complies with GDPR!
The main objective of GDPR is protecting personal data and ensuring any data processing is consented to by the individual.
To that end, Crossmint does not process any personal data beyond what is absolutely necessary for the execution of the services contracted by the client and the use of the services by the user.
We do not share personal data with third parties unless it is required for the execution of the services (e.g., Stripe for payments, Zendesk for support, or Persona for KYC).
Our internal procedures mandate that access to data is available only to authorized internal users. Additionally, to access personal data, these authorized users must authenticate using 2FA.
We have strong cybersecurity mechanisms in place to prevent breaches, and we have implemented emergency response procedures for the unlikely event of a data breach. Full details of our security measures are available upon request.
Finally, for transfers of EU personal data to our services in the US, we have a Data Processing Agreement in place, which includes Standard Contractual Clauses (SCCs) and an ad hoc Transfer Impact Assessment (TIA) for each transfer. This ensures that any transfer of data remains GDPR-compliant following the Schrems II decision by the EU Court of Justice. Similar DPAs are in place with our subprocessors and affiliates.
We follow all recommendations and policies required by GDPR, and we have an external consultant retained in Spain to support us in these efforts.