GDPR Compliance

Riven Cloud OÜ (registry code 14649572, VAT EE102133053), located at Sepapaja tn 6, Tallinn, 15551, Estonia, is an Estonia-registered company operating within the European Union. We are committed to protecting personal data in accordance with Regulation (EU) 2016/679 — the General Data Protection Regulation (“GDPR”) — and the applicable laws of the Republic of Estonia.

This page explains how we apply the GDPR to our services. It complements our Privacy Policy, Terms of Service, and Acceptable Use Policy.

Our roles: controller and processor

The GDPR distinguishes between the data controller (who determines the purposes and means of processing) and the data processor (who processes data on the controller’s behalf).

As a controller, Riven Cloud processes the personal data of our customers — account holders’ names, postal addresses, telephone numbers, email addresses, and billing information — to register accounts, fulfil orders, provide support, and meet our legal and tax obligations.

Riven Cloud acts as a processor when you run your own services on a Riven Cloud VPS: you decide what personal data you collect from your own users and how it is processed. In that relationship you are the controller and Riven Cloud is the processor, acting on your documented instructions. The terms governing that relationship are set out in our Data Processing Agreement (see below).

Lawful basis for processing

We only process personal data where we have a lawful basis to do so under Article 6 of the GDPR:

Your rights under the GDPR

If you are located in the European Economic Area, you have the following rights regarding your personal data:

The right to be informed — to know how your personal data is collected and used.

The right of access — to request a copy of the personal data we hold about you.

The right to rectification — to have inaccurate or incomplete data corrected.

The right to erasure — to request deletion of your personal data (“the right to be forgotten”), subject to data we must retain for legal or tax purposes.

The right to restrict processing — to limit how we use your data under certain conditions.

The right to data portability — to receive your data in a structured, commonly used, machine-readable format, or to have it transferred to another organization.

The right to object — to object to processing based on our legitimate interests or for direct marketing.

Rights related to automated decision-making and profiling — Riven Cloud does not make decisions about you based solely on automated processing.

To exercise any of these rights, contact us at [email protected]. We will respond within one month, as required by the GDPR. You may manage much of your data directly in the Client Area.

Data Processing Agreement (DPA)

If you process the personal data of EU/EEA data subjects on Riven Cloud infrastructure, the GDPR (Article 28) requires a written agreement between you (the controller) and us (the processor). We make a standard Data Processing Agreement available for this purpose.

Download the Data Processing Agreement (PDF)

To put a countersigned DPA in place, download the document, complete your details, sign it, and return it to [email protected].

International data transfers

Riven Cloud OÜ is established in Estonia (EU), and some of our infrastructure is located outside the European Economic Area. Where personal data is transferred outside the EEA — for example, to a server you operate in one of our locations — we rely on appropriate safeguards under Chapter V of the GDPR, including the European Commission’s Standard Contractual Clauses (SCCs), which are incorporated into our Data Processing Agreement.

Sub-processors

Riven Cloud uses a limited number of sub-processors to deliver its services, such as data center operators and payment providers. Sub-processors are bound by contractual obligations consistent with the GDPR. A current list of sub-processors is available on request at [email protected]. We will give customers notice of any intended changes to our sub-processors so that they may object.

Data retention

We retain personal data only for as long as necessary to provide our services and to comply with our legal obligations. When you close your account, we remove as much customer information as possible, retaining only the records we are required by law to keep (for example, billing records for accounting and tax purposes).

Data security

Connections and data transfers between Riven Cloud and the client are carried out over the SSL/TLS protocol. Access to data processing, editing, and recording is restricted to authorized and personally trained personnel. We apply appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction.

Data breach notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, Riven Cloud will notify the competent supervisory authority — the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) — without undue delay and, where feasible, within 72 hours, and will inform affected data subjects where required by the GDPR.

Supervisory authority

You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), www.aki.ee.

How to contact us

For any questions about this page, our data protection practices, our Data Processing Agreement, or to exercise your rights:

Email us at: [email protected]

Call us at: +372 6026523

Or fax us at: +372 6850069

Or write to us: Riven Cloud OÜ (registry code 14649572, VAT EE102133053), Sepapaja tn 6, Tallinn, 15551, Estonia

This page was last updated on 1 July 2026.