Data Privacy — GDPR & CCPA

Privacy designed in, from collection to deletion.

For InWork clients with EU customers or EU operations, we design GDPR-aware data handling. For California consumers, we build CCPA practices into every website and platform. Privacy by design is the default — not a configuration option.

GDPR-aware architecture · CCPA-compliant practices · Data minimization · EU data residency

General Data Protection Regulation

GDPR-aware architecture, available.

For InWork clients with EU customers or EU operations, we design GDPR-aware data handling. We do not hold GDPR certification — no such formal certification exists in the EU framework — but the architecture we build implements the regulation's core obligations.

That means data minimization (collect only what is needed), purpose limitation (use data only for the stated purpose), storage limitation (retention policies and deletion), and lawful basis documentation for each data processing activity.

Data subject rights

The rights we build workflows for.

Right of access — data subjects can see what is held about them
Right to correction of inaccurate personal data
Right to erasure — right-to-erasure workflows built in
Right to data portability
Right to object to processing
Lawful basis documented for each processing activity
DPA (Data Processing Agreement) with all sub-processors
EU data residency options (AWS EU-West regions)

California Consumer Privacy Act

CCPA practices on every site we build.

The CCPA gives California consumers rights over their personal data. US businesses with California customers must comply regardless of where the business is headquartered.

Consumer rights honored

Right to know, right to delete, right to opt out of sale or sharing, right to correct, and non-discrimination for exercising CCPA rights.

Privacy policy & data inventory

A privacy policy explicitly covering CCPA rights on all client websites we build, plus data inventory documentation covering what is collected, where it is stored, and retention.

Request process & opt-out

A consumer request process — form, email, response SLA — and a "Do Not Sell My Personal Information" link where required.

Vendor agreements

Vendor BAA or DPA for all data processors that touch consumer data.

Privacy by design

The default posture on every platform.

Every InWork platform collects the minimum data required, stores data only as long as necessary, does not use analytics platforms that process PHI without a BAA, provides user-facing privacy controls, and documents data flows from collection to deletion.

By design

GDPR-aware architecture available

Data minimization, right-to-erasure workflows, consent management, EU data residency, and DPAs with every sub-processor. We do not claim GDPR certification — we deliver GDPR-aware architecture that implements the regulation's requirements.

Compliance by design

Ship a product your EU and California users can trust.

Every InWork engagement includes a compliance architecture review at no extra cost. Tell us where your users are and what you're building.

Integrity. Urgency. Ownership.


40+ US businesses served · 65+ engineers · Zero long-term lock-in
