GDPR compliance at Exclaimer
Exclaimer complies with the EU General Data Protection Regulation (GDPR) and the UK GDPR. We process directory data for more than 80,000 organizations worldwide, with over 20 years of experience in email signature management behind every control we apply.
This page gives a high-level overview of our GDPR posture. For the formal compliance statement, see our data protection compliance statement.
For certificates, audit reports, and supporting documentation, visit the Exclaimer Trust Center.
Key facts at a glance
Exclaimer's role: Data processor under GDPR Article 28
European data storage regions: UK, EU (Ireland, Netherlands, and Germany)
Data Processing Agreement: Incorporated into EULA; standalone DPAs available on request
Data Protection Officer: Karl Bagci — [email protected]
How does Exclaimer handle my data under GDPR?
Under GDPR, Exclaimer is a data processor. Our customer is the data controller. We process directory data synced from Microsoft 365 or Google Workspace — names, email addresses, business contact details, and any custom attributes the customer adds to their signature design.
What we don't store:
Email message content: Messages pass through our cloud solution, the signature is applied in memory, and the message is returned to the customer's mail flow
Signature blocks: Deleted immediately after being applied
Email content during support: The only exception is when a customer gives express permission for Exclaimer to access email content to resolve a query
Client-side deployments: The signature is applied on the user's device before send. The email never passes through Exclaimer's infrastructure.
Where is Exclaimer data stored?
For customers whose data falls under GDPR or UK GDPR, Exclaimer hosts data within the appropriate region. EEA customer data is processed and stored in the EU. German customers are hosted in our dedicated Germany region. UK customer data is hosted in the United Kingdom.
We allocate each customer to a region at subscription. Once allocated, your data stays there. EEA personal data does not leave the EEA in normal operation, and EU–UK transfers are covered by the European Commission's UK adequacy decision (valid until 27 December 2031).
The one exception is technical support. If support is provided by an Exclaimer team based outside the EEA, EU Standard Contractual Clauses cover the transfer.
For the full region-to-data-center mapping, see our cloud endpoints page.
What third-party sub-processors does Exclaimer use?
Exclaimer uses a small number of sub-processors to deliver the service, covering cloud infrastructure, CRM, payment processing, technical support, and backup. Each is bound by a contract that holds them to the same data protection obligations Exclaimer accepts as a processor. EU Standard Contractual Clauses cover any sub-processor located outside the EEA or the UK.
Sub-processor categories include:
Cloud infrastructure (hosting and compute)
CRM and customer support platforms
Payment processing
Technical support services
Backup and disaster recovery
We notify customers at least 10 days in advance of any change to our sub-processor list, with the right to object before a new sub-processor is brought on. The current named list is set out in Annex III of our Data Processing Agreement.
How do I exercise my data subject rights with Exclaimer?
GDPR gives individuals rights over their personal data. Exclaimer's role depends on whose data is involved.
If you are an Exclaimer customer, contact [email protected] to exercise your rights over the data we hold about your account. We verify identity before action and respond within 30 days at no charge.
If your data is held by an Exclaimer customer (typically because your employer uses our service), contact that organization. As the controller, they handle your request, and we assist them where needed.
How to submit a Data Subject Access Request (DSAR)
Email [email protected] with your request
Provide identity verification as requested by our DPO
Receive a response within 30 days at no charge
How does Exclaimer handle a personal data breach?
If a personal data breach affects data we process on behalf of a customer, we notify that customer without undue delay. Exclaimer customers can report a suspected breach by contacting [email protected].
Exclaimer’s Data Protection Officer
Exclaimer has appointed Karl Bagci, Director of IT and Information Security, as our Data Protection Officer. The DPO is the contact point for data subjects, customers, and supervisory authorities on GDPR matters.
To contact our DPO, email [email protected]. Formal postal addresses are set out in your applicable Data Processing Agreement.
Does Exclaimer have a GDPR Data Processing Agreement?
Our Data Processing Agreement (DPA) sets out the formal contractual commitments behind the practices described on this page, including the technical and organizational security measures Exclaimer applies and customer audit rights.
The DPA is incorporated into Exclaimer's End User Licence Agreement (EULA). Customers who accepted the EULA since May 2018 are covered automatically. Standalone DPAs are available for legacy contracts or negotiated terms. Contact your Exclaimer representative to request one.
The current DPA is available at exclaimer.com/legal/dpa.
Where can I find Exclaimer's GDPR documentation?
For audit evidence, certificates, and supporting documentation, visit the Exclaimer Trust Center. You'll find pre-completed responses to over 350 security and compliance questions, along with the current DPA, audit reports, and policy documents available under NDA.
If your vendor review needs documentation that isn't in the Trust Center, contact our security team.
Frequently asked questions about Exclaimer and GDPR
No. The content of customer emails isn’t stored. Messages pass through Exclaimer's cloud solution, the signature is applied in memory, and the message is returned to the customer's mail flow. The only exception is a support case where the customer gives express permission for Exclaimer to access email content to resolve a query.
Customer data is hosted in Microsoft Azure datacenters, allocated by region at subscription. EEA customers are hosted in the EU, German customers in our dedicated Germany region, and UK customers in the United Kingdom. EEA personal data does not leave the EEA in normal operation.
The DPA is incorporated into Exclaimer's End User Licence Agreement, so customers who accepted the EULA since May 2018 are covered automatically. Standalone DPAs are available for legacy contracts or negotiated terms.
Karl Bagci, Director of IT and Information Security, is Exclaimer's Data Protection Officer. He can be contacted at [email protected].
If you are an Exclaimer customer, contact [email protected]. We verify identity before action and respond within 30 days at no charge. If your data is held by an Exclaimer customer because their organization uses our service, contact that organization. They are the controller and handle your request directly.
Exclaimer notifies the affected customer without undue delay after becoming aware of a breach. Customers can report a suspected breach by contacting [email protected].
EEA personal data does not leave the EEA in normal operation. The exception is technical support routed to an Exclaimer team based outside the EEA, where EU Standard Contractual Clauses cover the transfer. EU–UK transfers are covered by the European Commission's UK adequacy decision, valid until 27 December 2031.
Talk to our security team
If your vendor review needs documentation or context that isn't covered here or in the Trust Center, our security team can walk you through the specifics directly.