Everything you need to know about GDPR Compliance Hub — from getting started to technical details.
What the platform is and how to begin
GDPR Compliance Hub is a cloud-based SaaS platform that helps organisations manage their GDPR obligations in one place. It covers consent management, Data Subject Access Requests (DSARs), breach notification, data inventory and RoPA, risk registers, DPIAs, compliance audits, policy library, and vendor/processor management. It is designed for SMEs who need a structured, practical approach to privacy compliance — without needing a legal degree or a large compliance team.
You can create a trial account in under 2 minutes — no credit card required. After signing up, an onboarding wizard guides you through connecting your first website, adding team seats, and setting up your first processing activity. Most teams have their core workflows running within 24–48 hours.
Yes. Every paid plan (Cookie, Starter, and Advanced) comes with a 14-day free trial. No credit card is required to start. You get full access to all features of your chosen plan during the trial period. Enterprise plans are set up directly — contact us for a demonstration.
After 14 days, if you have not subscribed, your account enters read-only mode. Your data is preserved — you can still view everything, but you cannot create new records or run workflows until you activate a subscription. We send reminder emails at day 7 and day 13 of your trial so you are never caught off guard.
No. The platform is built for privacy leads, compliance officers, and business owners — not developers. The only technical step is adding a small JavaScript snippet to your website for the cookie consent banner. Everything else — DSARs, breach records, data inventories — is managed through a point-and-click interface. We also provide an API and webhooks for teams who want deeper integrations.
Absolutely. Most of our customers are SMEs without a full-time DPO. The platform is designed to be used by whoever owns privacy in your organisation — a compliance manager, HR lead, or even a founder. The role-based access system lets you assign different permissions to different team members, so the right people handle the right tasks.
Tiers, billing, upgrades, and limits
We offer four plans:
The Cookie plan is our entry-level tier designed for very small businesses, sole traders, and personal websites that need a compliant cookie consent banner but don't yet need full GDPR workflow management. It includes the consent banner, cookie category controls, script blocking, preference centre, and basic geo-display rules. It is billed annually at €72 (€6/month equivalent) and covers 1 website with 1 admin seat.
A seat is a user account within your company's workspace. Each team member who needs to log in — your DPO, legal counsel, HR lead, IT manager — requires one seat. Seats can be assigned different roles (Admin, DPO, Viewer, etc.) so you can control who can create, edit, or only view records. The number of seats included depends on your plan: 1 on Cookie, 5 on Starter, 25 on Advanced, unlimited on Enterprise.
Domain limits apply to the cookie scanner and consent banner module: 1 domain on Cookie, 3 domains on Starter, 15 domains on Advanced, and unlimited on Enterprise. Other compliance modules (DSARs, breach register, RoPA, etc.) are not domain-limited — they apply across your whole organisation.
Yes. You can upgrade at any time from the Billing section of your dashboard — your new plan takes effect immediately. Downgrading is available at the end of your current billing period. If you are on an annual plan, downgrades apply at renewal. Please note that downgrading to a plan with fewer seats or domains may restrict access to certain records until you are within the new limits.
Yes. Annual billing gives you roughly 2 months free: Starter saves €48/year, Advanced saves €238/year. The Cookie plan is annual-only at €72/year. Enterprise pricing is custom and negotiated annually.
We consider discounts for registered non-profit organisations and charities on a case-by-case basis. Please contact us with your organisation's registration details and we will work out an appropriate arrangement.
Modules, workflows, and capabilities
A Data Subject Access Request (DSAR) is a request from an individual to access, correct, delete, or restrict processing of their personal data — a right guaranteed under GDPR Articles 15–22. The platform provides an intake form, automated acknowledgement emails, a case management dashboard with SLA tracking, approval workflows, and a complete audit trail. The Starter plan includes basic DSAR intake; the Advanced plan adds automated workflows and deadline enforcement.
The Record of Processing Activities (RoPA) is a mandatory document under GDPR Article 30. It lists every activity where your organisation processes personal data — payroll, marketing emails, website analytics — along with the legal basis, data categories, data subjects, recipients, retention periods, and security measures for each. The platform's RoPA module guides you through building this register with a step-by-step wizard and keeps it up to date with review reminders.
You add a single JavaScript snippet to your website. The platform then scans your site for trackers and cookies, categorises them (strictly necessary, analytics, marketing, etc.), and displays a consent banner to visitors. Consent choices are stored in a tamper-evident log that can be presented as evidence to regulators. Script blocking ensures third-party scripts only fire after the visitor consents. You can customise the banner's appearance, text, and geo-targeting rules.
The breach register module guides you through the 72-hour GDPR notification deadline. Once you log an incident, the platform tracks the clock, helps you assess risk to data subjects, generates a draft authority notification (Article 33), and records the full incident timeline. If individual notification is required (Article 34), you can manage that workflow too. All breach records form part of your accountability documentation.
A Data Protection Impact Assessment (DPIA) is required under GDPR Article 35 when a new processing activity is "likely to result in a high risk" to individuals — for example, large-scale processing of sensitive data, systematic profiling, or use of new technologies. The Advanced plan includes a DPIA module with pre-screening questions to determine if a DPIA is needed, structured templates aligned with Article 35, and a residual risk tracker.
Yes. You can export your RoPA, DSAR logs, breach register, audit evidence, and policy documents in PDF, CSV, and JSON formats. The Advanced plan also includes a read-only Auditor Portal where you can grant secure, time-limited access to external auditors without giving them a full user seat.
The core platform is built around GDPR (EU Regulation 2016/679) and UK GDPR. The audit and risk modules can be adapted for ISO 27001 / ISO 27701, SOC 2, and Bahrain PDPL frameworks. Enterprise plans include bespoke framework support and custom control mappings. We are continuously adding new frameworks — submit a request if you need a specific one.
Yes. The Advanced and Enterprise plans include a REST API and webhook connectors. The API allows you to push DSARs from your website, query consent records, and integrate with your existing CRM, ITSM, or HR systems. Webhooks let you receive real-time event notifications (e.g., a new DSAR submitted, a breach reported) in any system that accepts HTTP POST callbacks.
The risk register (Advanced plan and above) lets you document, score, and track privacy and security risks across your organisation. Each risk has an inherent score (likelihood × impact), a set of controls, and a residual score after controls. Risks can be linked to specific processing activities in your RoPA and assigned to owners for treatment. The register forms part of your Article 32 accountability documentation.
Where data lives and how it is protected
All customer data is stored on servers located within the European Economic Area (EEA). We use a managed PostgreSQL database hosted in the EU. Encrypted off-site backups are also stored in EU-region infrastructure. We never transfer your compliance records to third-country infrastructure for storage.
Yes. We manage our own GDPR obligations using our own platform — our DSAR log, breach register, RoPA, and processor records are all tracked in-app. We are established in Bahrain with a designated EU Representative under GDPR Article 27. We also comply with the Bahrain Personal Data Protection Law (PDPL, Law No. 30 of 2018). Full details are in our GDPR Compliance Statement.
All web traffic uses TLS 1.2 or higher enforced by our reverse proxy — unencrypted HTTP is redirected automatically. Sensitive credentials (such as SMTP passwords) are encrypted at the application level using AES-128-CBC with HMAC-SHA256 and per-company derived keys. All data at rest additionally benefits from disk-level encryption provided by our managed database host. Passwords are never stored in plaintext — we use SHA-256 hashing with a server-side pepper.
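As an added illustration (not the platform's own code), here is the construction named above, AES-128-CBC with HMAC-SHA256 over per-company derived keys, in Go: encrypt-then-MAC, the tag verified in constant time before any decryption, and a separate key pair per tenant so a blob stored for one company never verifies under another's keys. The blob layout (IV || ciphertext || tag) and the use of HMAC(master, "label|companyID") as the key derivation are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// tag computes HMAC-SHA256(key, data); it also serves as the per-company KDF below.
func tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}
// tenantKeys derives a distinct AES-128 cipher and HMAC key per company from one master
// key (HMAC over "label|companyID" as the KDF is an assumption made for this example).
func tenantKeys(master []byte, companyID string) (cipher.Block, []byte) {
	block, _ := aes.NewCipher(tag(master, []byte("enc|"+companyID))[:16]) // 16-byte key: cannot fail
	return block, tag(master, []byte("mac|"+companyID))
}
// Encrypt returns IV || AES-128-CBC ciphertext || HMAC-SHA256(IV || ciphertext): encrypt-then-MAC.
func Encrypt(master []byte, companyID string, pt []byte) []byte {
	block, macKey := tenantKeys(master, companyID)
	body := make([]byte, aes.BlockSize) // fresh random IV goes first
	rand.Read(body)                     // never returns an error on current Go (1.24+)
	pad := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7: always 1..16 bytes of padding
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, body).CryptBlocks(ct, padded)
	body = append(body, ct...)
	return append(body, tag(macKey, body)...)
}
// Decrypt verifies length and tag (constant time) before decrypting, so tampered or wrong-tenant blobs give no padding-oracle signal.
func Decrypt(master []byte, companyID string, blob []byte) ([]byte, error) {
	block, macKey := tenantKeys(master, companyID)
	n := len(blob) - sha256.Size
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 || !hmac.Equal(tag(macKey, blob[:n]), blob[n:]) {
		return nil, errors.New("blob malformed or authentication failed")
	}
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(pt, blob[aes.BlockSize:n])
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, errors.New("bad padding")
}
```

The check order in Decrypt is the point to keep: length, then tag, then padding, so a modified or mis-routed blob is rejected before the cipher ever runs.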
Yes. Under GDPR Article 28, we must have a DPA in place with every customer because we process personal data on your behalf as a Data Processor. Our DPA is available at dpa.html and can be accepted electronically (click-wrap). Acceptance is timestamped and stored in our system. We use Standard Contractual Clauses (EU Commission Decision 2021/914) to cover the transfer of data to Bahrain where our technical staff may access systems.
We use a small number of sub-processors, all contractually bound to process data only on our instructions:
A full, up-to-date list is in our GDPR Compliance Statement. We notify customers at least 30 days before adding any new sub-processor.
Your data is logically isolated per company. Only the seats you create within your account can access your data. Our platform staff may access data for support purposes only when you explicitly grant access, and such access is logged. We never use customer compliance data for our own analytics or marketing. All access is controlled by role-based permissions and full audit logging.
Managing your subscription and team
Go to Settings → Seats & Roles in your dashboard. Click "Invite seat", enter the person's name, email, and job title, and assign a role. They will receive an invitation email and can set their password on first login. The number of seats you can add depends on your plan. Administrators can also assign custom permission sets to individual roles.
Yes. Monthly subscriptions can be cancelled at any time; access continues until the end of the paid period. Annual subscriptions can be cancelled at renewal — mid-year cancellation is subject to our refund policy. You can cancel from Dashboard → Settings → Billing → Cancel subscription, or by contacting support.
We offer a 14-day money-back guarantee on new subscriptions. If you are not satisfied within the first 14 days of your first paid term, contact us for a full refund. After 14 days, refunds are pro-rated for annual plans in exceptional circumstances. Full details are in our Refund Policy.
Each company requires its own account and subscription. Multi-entity management — where a single super-admin can oversee multiple company workspaces — is an Enterprise plan feature. This is designed for holding groups, legal firms managing multiple clients, or DPO-as-a-service providers.
Support is available via the in-app Help & Support panel (click the help icon in your dashboard) or via the Support button in the Admin Menu. Enterprise customers have a dedicated Customer Success Manager. We also have a documentation centre with step-by-step guides for every module.
Compliance, advice, and obligations
No tool can guarantee compliance — that depends on how your organisation processes data, the accuracy of the records you maintain, and the decisions you make. GDPR Compliance Hub provides the structure, workflows, and documentation to make compliance achievable and demonstrable. Final legal and operational decisions remain with your organisation. We strongly recommend working with a qualified legal advisor for complex processing activities.
No. GDPR Compliance Hub is a software platform, not a law firm. The templates, workflows, and guidance we provide are operational aids to help you implement compliance processes — they are not legal advice. For advice on your specific circumstances, legal basis assessments, or regulatory matters, please consult a qualified data protection lawyer or your DPO.
The platform does not replace a Data Protection Officer if your organisation is legally required to appoint one (GDPR Article 37). DPO appointment is mandatory for public authorities, organisations that carry out large-scale systematic monitoring, or those that process special category data at scale. If you are required to appoint a DPO, our platform is designed to dramatically reduce their workload by automating routine compliance tasks.
Our company is established in the Kingdom of Bahrain. Under GDPR Article 27, we have designated an EU Representative in the European Union. Our lead supervisory authority is the data protection authority of the EU Member State where our EU Representative is established. EU and EEA data subjects may also lodge complaints with their local supervisory authority regardless of where we are based. Contact details are in our GDPR Compliance Statement.
Our team usually responds within one business day. You can also explore the documentation for step-by-step guides.