Compliance and GDPR
Find the legal basis, the sub-processor list and how to exercise data rights.
Regulatory frame
Kabaido is a UK service operating under UK GDPR and the Data Protection Act 2018. For the business data you load into the platform you are the controller and Kabaido is the processor. The privacy policy at /legal/privacy sets out the lawful bases, and a data processing agreement summary is published at /legal/dpa with a countersignable copy available for customers who need one.
Data residency
Customer data resides in the United Kingdom region of our infrastructure providers.
Sub-processors
Kabaido uses five sub-processors, named in the data processing agreement: Supabase for the database and storage, Vercel for hosting, Stripe for payments, Resend for email and Anthropic for AI. We do not sell data and we do not run advertising trackers; cookies are essential only and the marketing website carries no tracking scripts.
Data subject rights
Access, correction, erasure, restriction, portability and objection requests are honoured. Email hello@kabaido.com and we will action the request; you can also raise concerns with the ICO. Organisation level export and deletion are covered on the data export and deletion page.
Certifications
ISO 27001 and SOC 2 programmes are on the roadmap and we state that plainly. We do not claim certifications we do not hold; the practices in this section are published so you can assess them directly.
Related documents
- Terms of service: /legal/terms
- Privacy policy: /legal/privacy
- Data processing agreement: /legal/dpa
- Acceptable use policy: /legal/aup
- Cookies: /legal/cookies