Last updated: May 2026
At Vanaheim SRL (“Lambda,” corporate website vanaheim.io, product website onlambda.com), data protection is central to how we build and operate our platform. As a Romania-based company providing AI-powered communication tools for service-based businesses, we take our obligations under the EU General Data Protection Regulation (GDPR — Regulation 2016/679) and Romanian Law 190/2018 seriously.
This page provides an overview of our GDPR compliance measures. For detailed information about how we process personal data, please refer to our Privacy Policy.
1. Our Role: Controller and Processor
Lambda operates in two capacities under GDPR:
- Data Controller — For the personal data of our business customers (account information, billing data, website visitors). We determine the purposes and means of processing this data.
- Data Processor — For customer data processed on behalf of our business customers. Businesses are the data controllers for their customer data and determine how it is processed. We act only on their instructions.
2. Data Processing Agreement (DPA)
We offer a comprehensive Data Processing Agreement to all business customers in accordance with GDPR Article 28. The DPA covers:
- The scope, nature, and purpose of data processing
- Types of personal data processed and categories of data subjects
- Obligations and rights of the data controller (business) and data processor (Lambda)
- Sub-processor management and approval procedures
- Data security requirements and measures
- Data breach notification obligations
- Data return and deletion upon contract termination
- Audit and inspection rights
To request a copy of our DPA, contact us at [email protected].
3. Data Residency: Azure West Europe
All customer data is processed and stored within the European Union. Our infrastructure runs on Microsoft Azure’s West Europe region (data centers in the Netherlands), ensuring:
- Data residency within the EU at all times
- Compliance with GDPR data localization expectations
- Access to Microsoft’s enterprise-grade compliance certifications, including ISO 27001, SOC 2, and GDPR compliance attestations
- Physical security, redundancy, and disaster recovery capabilities of Azure’s EU facilities
We do not transfer personal data outside the EU/EEA unless appropriate safeguards are in place (such as Standard Contractual Clauses or an adequacy decision), and any such transfers are documented in our Privacy Policy.
4. Security Measures
We implement comprehensive technical and organizational measures to protect personal data in accordance with GDPR Article 32:
Technical Measures
- Encryption in transit: All data transmitted between clients and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: All stored data is encrypted using AES-256 encryption.
- Access controls: Role-based access control (RBAC) limits data access to authorized personnel only.
- Authentication: Secure authentication mechanisms protect access to the platform and internal systems.
- Network security: Cloudflare provides DDoS protection, web application firewall (WAF), and traffic filtering.
- Vulnerability management: Regular security assessments, penetration testing, and dependency scanning.
- Logging and monitoring: Comprehensive audit logging of data access and system events.
Organizational Measures
- Data protection training for all team members
- Internal data protection policies and procedures
- Principle of least privilege for system access
- Vendor due diligence and DPA requirements for all sub-processors
- Regular review and update of security measures
5. Data Breach Notification
In the event of a personal data breach, we follow a structured incident response process in accordance with GDPR Articles 33 and 34:
- Detection and assessment: We maintain monitoring systems to detect potential breaches promptly and assess their scope, severity, and potential impact.
- Notification to supervisory authority: If a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Romanian supervisory authority (ANSPDCP) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
- Notification to data controllers: If we are acting as a data processor, we will notify the affected business (data controller) without undue delay after becoming aware of the breach, enabling them to fulfill their own notification obligations.
- Notification to data subjects: If a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify the affected individuals directly (or support the business in doing so) in accordance with GDPR Article 34.
- Documentation: All breaches, including those that do not require notification, are documented with details of the breach, its effects, and remedial actions taken.
6. Data Subject Rights
We support and facilitate the exercise of data subject rights under GDPR Articles 15–22:
- Right of access (Art. 15) — Individuals can request confirmation of whether we process their data and obtain a copy.
- Right to rectification (Art. 16) — Individuals can request correction of inaccurate data.
- Right to erasure (Art. 17) — Individuals can request deletion of their data, subject to legal retention requirements.
- Right to restriction (Art. 18) — Individuals can request limitation of processing in certain circumstances.
- Right to notification (Art. 19) — We notify relevant recipients when data is rectified or erased, or when processing is restricted.
- Right to data portability (Art. 20) — Individuals can receive their data in a structured, machine-readable format.
- Right to object (Art. 21) — Individuals can object to processing based on legitimate interest.
- Rights related to automated decision-making (Art. 22) — Individuals have the right not to be subject to decisions based solely on automated processing with legal or significant effects.
For business customers: Submit requests directly to [email protected]. We respond within 30 days.
For customers of a business that uses Lambda: Since your service provider is the data controller, please contact them first. We will cooperate with the business to fulfill requests promptly.
7. Sub-processors
We carefully select sub-processors and maintain Data Processing Agreements with each. Our current sub-processors are:
- Microsoft Azure — Cloud infrastructure, hosting, and AI processing (EU West Europe — Netherlands)
- Meta Platforms / WhatsApp — WhatsApp Business API messaging infrastructure (EU Ireland / Global)
- Cloudflare — CDN, DDoS protection, and website security (Global with EU-preferred routing)
Business customers are notified of changes to our sub-processor list in accordance with the DPA.
8. Supervisory Authority
Our lead supervisory authority is the Romanian National Supervisory Authority for Personal Data Processing:
ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)
Website: anspdcp.ro
Individuals in any EU member state may also lodge a complaint with their local supervisory authority.
9. Contact Us
For any questions about our GDPR compliance, to request a DPA, or to exercise your data subject rights, contact us at:
Vanaheim SRL
Romania, European Union
Corporate website: vanaheim.io
Product website: onlambda.com
Email: [email protected]
Privacy / data requests: [email protected]