Compliance
UK GDPR & Data Protection Act 2018
Sovereign Mail is a UK-based data processor built for UK data-protection law. Your data stays in the UK, under UK jurisdiction, with the safeguards UK GDPR requires of a processor.
How we comply
- Processor role. You are the controller; we process personal data only on your documented instructions (UK GDPR Article 28).
- UK-only data residency. All processing and storage stays in the UK — no international transfers, and outside US CLOUD Act reach.
- Data Processing Agreement. An Article 28(3)-compliant DPA is available, covering instructions, confidentiality, security, sub-processors, deletion and audit.
- Data minimisation & retention. We hold only what's needed to deliver and report on your mail, with retention you control.
- No tracking, by design. We don't use open- or click-tracking pixels or link rewriting — they surveil your recipients and leak their behaviour to a third party. Omitting them is better for your recipients' privacy and keeps your processing minimal under UK GDPR.
- Security. Encryption in transit, hashed secrets, access controls and two-factor authentication, audit logging, and a breach-notification process.
- Sub-processors. Kept to a minimal, UK-based set, listed transparently.
- Data-subject rights. We help you respond to access, rectification, erasure and portability requests.
Frequently asked questions
Where is my data stored?
In the UK only. All processing and storage stays within UK jurisdiction.
Are you a data controller or processor?
A processor. You are the controller; we process personal data only on your documented instructions.
Do you transfer data outside the UK?
No. There are no international transfers, which also keeps your data outside the US CLOUD Act's reach.
Can I get a Data Processing Agreement?
Yes. We provide an Article 28(3)-compliant Data Processing Agreement covering the required processor terms.
This page summarises our data-protection posture and is not legal advice.