All Collections
Security and Privacy
General Data Protection Regulation (GDPR) at Jottacloud
General Data Protection Regulation (GDPR) at Jottacloud

How Jottacloud is handling GDPR compliance.

Updated over a week ago

The General Data Protection Regulation (GDPR) is a set of rules (directive) designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for businesses so both citizens and businesses in the European Union can fully benefit from the digital economy.

The GDPR came into force on May 25 2018. Jottacloud is committed to GDPR compliance across all products and services. We are also committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections built into our services and contracts.

Protecting your data

As a Jottacloud customer, your data will be treated in accordance with the GDPR legislation. Security of our customers data is our number one priority. More info on our technichal and organizational security measures can be found in this article on Security in Jottacloud.

Our datacentre Green Mountain SVG1 - Rennesøy is certified with i.a. ISO/IEC 27001:2013 – Information Security Management System.

Compliance with GDPR

Jottacloud follows the principles for processing personal data in the GDPR and the Personal Data Act, and has implemented a data protection strategy to ensure compliance with the GDPR. All processing of personal data is assessed and regularly revised against these security principles, in order to minimize risk to the data subjects' rights. Breach of security that affects registered persons' personal data is notified via e-mail or Jotta's direct messaging system.

The purposes for processing personal data are described in our Privacy Policy and in our Terms of Use. Here we also describe how long we store personal data, and what rights the data subjects have under the GDPR, including:

The right to be forgotten - how users can exercise their "Right to be forgotten"

Right to restricted processing - How users can exercise therir right to restricted processing under GDPR with Jottacloud.

We also collect cookies, this is described in our Cookie statement.

All employees in Jotta AS are subject to a duty of confidentiality, and we have the option of giving employees customized and limited access to personal data.

Jottaclouds data processors

Jottacloud use the following data processors, and have signed Data processing agreements with them which includes the updated standard contractual clauses (EU) 2021/914. These subprocessors have their main storage location in the United states of America:

Stripe, Inc. - Payment Processing -

Intercom, Inc - Support ticketing and customer communication -

Google Firebase and Crashlytics - Android Mobile App improvement and analytics -

Mailchimp - Customer communication -

Data Protection Officer (DPO)

Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR. Jottacloud has appointed a DPO that can be contacted at

Jottacloud as a dataprocessor

Jottacloud processes personal data on behalf of business customers and partners, and follows legal instructions given by these data controllers. Jottacloud records and regularly audits processing activities carried out on behalf of the data controller, and seeks to minimize the risk for the data subjects. Breach of security that affects the data subject's personal data is notified via e-mail to the data controller.

European businesses loacated in EU or EEA countries are required to sign a Data Processing Agreement (DPA) with vendors to comply with European Data Privacy laws (GDPR). Jottacloud has updated the DPA to include the updated standard contractual clauses (EU) 2021/914

Frequently asked questions

Does Jottacloud comply with GDPR (General Data Protection Regulation) with regards to the data of Jottacloud customers?


Jottacloud follows the principles for processing personal data in the GDPR and the Norwegian Personal Data Act, and takes the necessary measures to ensure that we are in compliance with the GDPR.

Can I view Jottacloud’s data processing agreement (DPA)?

Does Jottacloud collect any personally identifiable information from customer’s applications about their users, and what kind of data?

Jottacloud collects name, email address, and in some cases phone number.

Where is the Jottacloud data stored geographically? Under which jurisdiction?

All Jottacloud data is stored in Norway. 

Our datacentre Green Mountain SVG1 - Rennesøy is certified with i.a. ISO/IEC 27001:2013 – Information Security Management System.

How long is the data retained for?

Data will remain in your Jottacloud account until your data retention period expires for that data, or you manually choose to delete this information from your account settings. The data retention period is normally 90 days.

How do I prevent sensitive data from being sent into Jottacloud?

You are in complete control of the data you choose to send to Jottacloud. You can delete such data from Jottacloud at any time by accesing the service through our apps or website.

Further information

If you have additional concerns or questions about GDPR compliance, feel free to contact us at or

Did this answer your question?