Security & Trust

Your data is handled with rigorous care

DataMard operates as a compliant data processor. Every engagement is governed by a signed DPA, GDPR-aligned practices, and clearly defined security standards — before a single row of data is touched.

  • DPA+: Signed before every project
  • GDPR Art. 28: Compliant data processor
  • TLS 1.2+: Encryption in transit
  • 30d: Data deletion after project close

How we handle your data legally

DataMard acts as a Data Processor under GDPR Article 28. We never determine the purpose of processing — your business does. Our role is to execute data work safely, within clearly defined contractual boundaries.

Data Processing Agreement

A signed DPA is required before any project begins. It documents the scope of processing, data categories, retention periods, and your rights as data controller.

  • Signed prior to data access
  • Covers all sub-processors
  • Defines deletion obligations

Non-Disclosure Agreement

All engagements begin with a mutual NDA. Confidential information shared during scoping, discovery, or delivery is protected before any work starts.

  • Mutual — covers both parties
  • Signed before discovery calls
  • 3-year post-termination survival

Standard Contractual Clauses

For EU/EEA clients, data transfers to Armenia (a non-adequacy country) are governed by the EU's 2021 Standard Contractual Clauses (Module 2: Controller to Processor).

  • EU 2021 SCCs — current version
  • Attached as DPA annex
  • Covers all EU/EEA data transfers

Armenian Data Protection Law

DataMard is registered in Armenia and complies with the Armenian Law on Personal Data Protection (2015) as the baseline domestic framework.

  • Domestic legal compliance
  • GDPR applied as minimum standard
  • Stricter standard always prevails

How we protect your data technically

Our technical and organizational measures (TOMs) are documented per engagement and available to clients on request.

Encryption in transit

All data transfers use TLS 1.2 or higher. No plain-text transmission of client data.

Encryption at rest

Data stored in cloud environments is encrypted at rest using provider-managed keys (AES-256).

Role-based access control

Access to client data is restricted to team members who require it for the specific engagement. Reviewed per project.

Secure file sharing

Client data is never transferred via email attachments. We use permission-controlled cloud storage with expiring access links.

Data minimization

We only request and process the minimum data necessary to deliver the agreed scope. Excess data is not retained.

Breach notification

In the event of a personal data breach, the client is notified within 48 hours of discovery with a written incident report.

Secure deletion

All client data and copies are securely deleted within 30 days of project close. Written confirmation provided on request.

Sub-processor transparency

All sub-processors (cloud providers, tooling) are listed in the DPA Schedule B. Clients are notified of any changes 14 days in advance.

What happens at every engagement

From first call to project close, every step follows a documented data handling procedure.

01. NDA signed before discovery

We send a mutual NDA before the first scoping call. Nothing is shared in an unprotected context. The NDA covers all information exchanged during evaluation, even if we don't proceed.

02. DPA executed before data access

Once a project is confirmed, a DPA is signed before any data is shared. For EU clients, the SCC annex (Module 2) is included automatically. Schedule A is completed with the specific data categories for that project.

03. Minimum access, documented

We document who on our team has access to client data and why. Access is provisioned only for the project duration and revoked upon completion. We record this in our internal Register of Processing Activities (RoPA).

04. Secure data transfer only

Clients share data via permission-controlled Google Drive or an agreed secure channel. We never accept data via unencrypted email. Shared access is revoked when the project closes.

05. Deletion and written confirmation

Within 30 days of project close, all client data and working copies are permanently deleted. A written deletion confirmation is sent to the client. We retain no copies unless legally required.

Request our compliance documents

Available to clients and prospective clients on request. Send us an email and we'll respond within one business day.

  • DPA: Data Processing Agreement
  • NDA: Non-Disclosure Agreement
  • TOMs: Technical & Organizational Measures
  • Sub-processors: Full list of approved sub-processors

Data security questions?

For security enquiries, vendor questionnaires, or to request compliance documentation — reach out directly.

DataMard — Data Protection Contact

Email: davit@datamard.com

Response time: Within 1 business day for general enquiries, within 30 days for formal data subject requests

Documents available on request: DPA, NDA, Technical & Organizational Measures (TOMs), sub-processor list