Data & Compliance

Our commitment: EdgeVenture is a small, solo-operated business. We do not have large corporate data infrastructure — we have one developer with direct access, minimal third-party dependencies, and no advertising business. We collect only what is needed, retain it only as long as required, and delete it when you leave.

Applicable Regulations & Frameworks

EdgeVenture aligns its data practices with the following regulations, as applicable to our clients and their locations:

GDPR (EU/EEA)

UK GDPR

CCPA / CPRA (CA)

Florida DPPA

PCI DSS (via Stripe)

CAN-SPAM Act

We operate under Florida state law (USA) and comply with the above frameworks to the extent they apply to the data we process and the locations of our clients.

Data Roles: Controller vs. Processor

Understanding who is responsible for what data is critical in any client-server relationship:

Data Type	Controller	Processor
EdgeVenture client accounts, invoices, project data	EdgeVenture	Stripe (payments), Resend (email)
End-user data collected by your custom app (your customers)	You (the client)	EdgeVenture (infrastructure), and any third parties your app uses

Important: When EdgeVenture builds and hosts a custom application for you, and your application collects data from your end-users (customers, employees, etc.), you are the data controller for that data. EdgeVenture acts as a data processor on your behalf. This means you are responsible for: providing a privacy notice to your users, obtaining any required consents, responding to your users' data rights requests, and ensuring your data collection practices comply with applicable law. If you need a formal Data Processing Agreement for this relationship, see Section 8.

Sub-Processors

A sub-processor is a third-party service that processes personal data on our behalf. We maintain a current list of all sub-processors and notify clients of changes. We review each sub-processor's privacy and security practices before use.

Sub-Processor	Location	Purpose	Data Categories	Safeguards
Stripe, Inc.	USA (global)	Payment processing	Name, email, billing address, card data	PCI DSS Level 1, SCCs for EU transfers
Resend, Inc.	USA	Transactional email delivery	Email address, notification content	SOC 2 Type II, DPA available
Cloudflare, Inc.	USA (global CDN)	DNS, CDN, DDoS protection	IP address, request metadata	ISO 27001, PCI DSS, GDPR DPA
Anthropic, PBC	USA	AI-assisted support replies (admin feature — optional)	Support ticket content (anonymized where possible)	Enterprise privacy policy, zero data retention option
Google LLC	USA (global)	Google Sites embed host, Google Analytics (if enabled)	IP address, session metadata	ISO 27001, SCCs, Google Cloud GDPR commitments
Shared hosting provider	USA	Physical server infrastructure for app hosting	All application data at rest	Physical security, server-level encryption, backups

We will notify clients at least 14 days before adding a new sub-processor. You may object to a new sub-processor within 14 days; if we cannot accommodate your objection, you may terminate your subscription without penalty.

Data Retention Schedule

We apply the following retention periods to different data categories:

Data Category	Retention Period	Basis	Deletion Method
Account profile & credentials	Active + 30 days post-cancellation	Contract	Hard delete from database
Project data, files, messages	1 year after project completion	Legitimate interest (support)	Hard delete from database & file storage
Invoice & billing records	7 years from transaction date	Legal (IRS / tax law)	Retained; personal details removed where possible after 7 years
Security & activity logs	12 months rolling	Legitimate interest (security)	Automated purge
Support ticket history	2 years from ticket close	Legitimate interest (support context)	Hard delete
Contact form submissions	1 year	Legitimate interest	Hard delete
Backup snapshots	Per tier (monthly/weekly/daily); oldest rotated out	Contract	Secure overwrite on rotation
All data (post-cancellation)	30-day grace period, then permanent deletion	Contract	Full database and file storage purge

Technical & Organisational Security Measures

Technical Measures

Encryption in transit: All connections use TLS 1.2 or higher. HTTP is redirected to HTTPS. HSTS headers are set on production.
Password security: Passwords are hashed with bcrypt (cost factor 12) and salted. Plaintext passwords are never stored or logged.
CSRF protection: All state-changing requests include a CSRF token verified server-side, with a fallback HMAC-signed token for cross-origin iframe contexts.
Rate limiting: Login, password reset, and contact endpoints are rate-limited by IP to prevent brute force attacks.
Two-factor authentication: TOTP-based 2FA is available for all portal accounts.
Session security: Sessions use Strict or None (for embed) SameSite cookies, are regenerated after login, and expire after 7 days of inactivity.
Input validation: All user input is validated and sanitized server-side. SQL queries use prepared statements exclusively.
Access control: Role-based access control (admin vs. client). Clients can only access their own data.
Automated backups: Application data is backed up per subscription tier (monthly, weekly, or daily). Backups are encrypted and tested periodically.
Dependency management: Security patches and dependency updates are applied regularly.

Organisational Measures

Minimal access: Only Leo Edge (the sole developer) has access to production data. No contractors or third parties have unilateral access.
Data minimisation: We collect only what is necessary to provide the service.
Privacy by design: Privacy considerations are built into the platform architecture, not bolted on afterward.
Incident response: We have a defined breach notification procedure (see below).
Subcontractor vetting: Any third-party service (sub-processor) used is reviewed for data protection practices before deployment.

Data Breach Response Procedure

In the event of a suspected or confirmed data security incident affecting personal data:

Timeline	Action
0–2 hours	Contain the incident: isolate affected systems, revoke compromised credentials, stop ongoing exfiltration if possible
2–24 hours	Assess scope: determine what data was affected, how many individuals, and whether the breach poses a risk to rights and freedoms
Within 72 hours	Notify affected clients by email and, where required by law, notify the relevant supervisory authority (e.g., ICO in the UK, applicable US state attorney general)
Notification content	Nature of the breach, data categories and approximate number of individuals affected, likely consequences, measures taken and planned to address the breach, contact point for further questions
Post-incident	Root cause analysis, remediation, and review of affected controls

To report a suspected security vulnerability: [email protected] with subject "Security Issue." We aim to respond within 24 hours.

Data Processing Agreements (DPA)

A Data Processing Agreement is a contract that governs how a data processor (EdgeVenture) handles personal data on behalf of a data controller (you, when your app processes your customers' data).

When You Need a DPA

You may need a DPA with EdgeVenture if:

Your custom application collects and processes personal data from your end-users (e.g., a customer-facing app, employee portal, or membership platform)
You or your customers are located in the EU/EEA or UK (where GDPR requires a DPA between controller and processor)
Your enterprise compliance policy or a client contract requires one
Your business is subject to HIPAA (see Section 11 below)

How to Request a DPA

Email [email protected] with the subject line "DPA Request" and include:

Your business name and location
A brief description of the personal data your app collects from your users
The regulation(s) driving your requirement (GDPR, CCPA, etc.)

We will review and respond within 5 business days. Our standard DPA is modeled on GDPR Article 28 requirements and includes the categories of data processed, the purposes of processing, security obligations, sub-processor notification, and audit rights.

Client Compliance Obligations

When you use EdgeVenture to build and host an application that collects data from your own customers or employees, you take on the role of data controller. This means:

Privacy notice: You must provide your users with a clear privacy notice explaining what data you collect, why, and how they can exercise their rights
Legal basis: You must have a valid legal basis (consent, contract, legitimate interest, etc.) for each type of data you collect
Data subject rights: You are responsible for responding to your users' access, deletion, and correction requests — not EdgeVenture
Data minimisation: Only collect what you genuinely need for your stated purpose
Third-party integrations: If you ask us to integrate a third-party service into your app (analytics, payment processor, CRM, etc.), you are responsible for vetting that service's privacy practices and updating your privacy notice accordingly
Children's data: Do not use an EdgeVenture application to collect data from children under 13 (or under 16 in the EU) without implementing appropriate age verification and parental consent mechanisms
Breach notification: If you discover or suspect a breach of your users' data held in your application, notify your users promptly and comply with applicable breach notification laws

Need help with compliance? We can advise on basic data flows and point you toward the right frameworks, but we are not lawyers and this is not legal advice. For formal compliance guidance, consult a qualified privacy attorney or data protection officer. We're happy to provide technical documentation of how data is stored and processed to assist your legal review.

Exercising Your Data Rights

As an EdgeVenture client, you can exercise any of the following rights at any time:

Request Type	How to Submit	Response Time
Access — copy of your data	Email [email protected] subject "Data Access Request"	Within 30 days
Deletion — remove your account and data	Email or use portal account settings	Within 30 days; billing records retained 7 years
Correction — fix inaccurate data	Update in portal, or email us	Immediate (self-service) or within 7 days
Portability — export your data	Use portal export tool, or email for full export	Within 30 days
Restriction — limit processing	Email with details of concern	Within 30 days
CCPA request (California residents)	Email subject "CCPA Request"	Within 45 days
DPA request	Email subject "DPA Request"	Within 5 business days

We will verify your identity before processing sensitive requests. No fees are charged for standard requests. If a request is unusually complex or repetitive, we may charge a reasonable administrative fee (we will tell you before proceeding).

HIPAA Note

EdgeVenture is not currently HIPAA-compliant and does not execute Business Associate Agreements (BAAs). If your application will process Protected Health Information (PHI) — for example, patient records, medical histories, or health insurance data — you must not use our platform in its current form without first discussing your requirements with us. We can advise on what infrastructure changes would be needed to support HIPAA-compliant use.

Contact & Questions

For any data or compliance-related question — DPA requests, security reports, data rights, or general inquiries:

Leo Edge — EdgeVenture Web Solutions
Email: [email protected]
Subject lines: "Data Request", "DPA Request", "Security Issue", or "Compliance Question"
Contact form: edgeventure.vip/contact
Port Saint Lucie, Florida, USA

Related documents: Privacy Policy · Terms of Service