
GDPR at AskVault, data deletion, export, and rights


AskVault's role under GDPR

AskVault is a Data Processor. You (the AskVault customer) are the Data Controller for the visitor and end-user data you process through our platform. Three implications:

  1. You decide what data to collect from your end users.
  2. We process that data only on your instructions, governed by our Data Processing Agreement.
  3. End users exercise GDPR rights with you first. You then route the request to us if execution requires our infrastructure.

For most B2B SaaS customers using AskVault on a customer-support chatbot, this is the standard processor relationship.

The three customer rights, operationalized

GDPR grants several rights; three matter most for AskVault customers in practice.

Right to access (Article 15)

Visitors and end users can request a copy of their data. Two paths:

  • Customer-direct. You handle the request via the AskVault dashboard: search Live Chat > Conversations by email or phone, then export the matching conversations.
  • Whole-workspace export. Customers can export all workspace data via Dashboard > Settings > Export Data. The export is a single zip file containing documents, conversations, leads, and audit logs. It typically takes 30 to 90 seconds for a Growth-sized workspace.

For deeper exports (raw vector embeddings, full audit trail), contact support@askvault.co.

Right to erasure (Article 17)

Visitors and end users can request deletion. Three deletion granularities:

  1. Per-conversation. Delete a single conversation under Live Chat > [conversation] > Delete. Cascades to messages and any captured leads.
  2. Per-end-user. Delete all conversations and leads from a specific email or phone. Use Live Chat > Conversations > Filter by email > Bulk Delete.
  3. Whole-workspace. Delete the entire workspace under Dashboard > Settings > Danger Zone > Delete Workspace. The deletion cascades across documents, chunks, conversations, messages, leads, and audit logs. Active database rows are removed within 10 seconds. Backups are purged within 30 days per our provider's retention policy.

After 30 days, deleted data is permanently unrecoverable.

Right to data portability (Article 20)

The export zip is in standard formats: JSON for structured data (conversations, leads, audit logs), original file format for uploaded documents (PDF, DOCX, TXT, MD, CSV). You can move to a competitor without lock-in. Conversation history is in a documented JSON schema (UTF-8, one JSON object per conversation).

The Data Processing Agreement (DPA)

AskVault publishes a standard DPA available on Growth and above. The DPA covers:

  • The processor-controller relationship.
  • Categories of personal data processed.
  • Security measures (AES-256, TLS 1.3, audit logs).
  • Sub-processor list (see below).
  • International transfers (Standard Contractual Clauses where applicable).
  • Audit rights.

Request the DPA under Dashboard > Settings > Legal > Download DPA. Enterprise contracts include the signed DPA by default with optional addendums for specific regulatory needs.

Sub-processor list

AskVault uses a small set of sub-processors to deliver the service. The current list is published at /docs/trust/sub-processors and updated when we add or remove any. We notify customers of changes 30 days in advance per our DPA.

Categories of sub-processors:

  • Database and storage (SOC 2 Type II certified managed Postgres provider)
  • Application compute (SOC 2 Type II certified hosting)
  • Edge, DDoS, WAF (SOC 2 Type II certified edge provider)
  • LLM providers (used per-query for the generation step; contractually opted out of training)
  • Email and notification delivery

Specific providers and regions are disclosed under NDA via the DPA.

EU data residency

The primary AskVault region is in Asia-Pacific. For EU data residency requirements:

  • Standard plans (Free, Starter, Growth, Business): data is processed in our primary region. Standard Contractual Clauses cover the EU-to-APAC transfer.
  • Enterprise contracts can request EU region deployment with primary processing in Frankfurt. Available on annual contracts with a 90-day implementation window.

For most B2B SaaS workloads, the SCC-covered transfer is sufficient. If your end users include public-sector or healthcare data subjects, the EU-region option may be required.

Right to object and restrict processing (Articles 21-22)

For requests under Articles 21 or 22 (right to object to processing, right to restrict processing):

  1. The end user contacts you.
  2. You assess whether the request is compatible with your legitimate processing basis.
  3. If granted, you can either delete the data (Right to Erasure path) or "freeze" the conversation by setting archived: true under Live Chat > [conversation] > Archive. Archived conversations are excluded from the AI agent's retrieval and analytics counts but remain on file.

AskVault doesn't make decisions about lawful basis on your behalf. You determine the basis for processing visitor and end-user data (consent, legitimate interest, contractual necessity, etc.).

For consent-based processing, AskVault supports cookie-free deployments (no localStorage, no cookies) and explicit opt-in capture via the collect_lead skill. Configure under Settings > Privacy > Cookie Mode.

Breach notification

If AskVault detects a security incident affecting customer data, we notify affected customers within 24 hours of confirmation, per our DPA and SOC 2 commitments. Notification goes to the workspace owner's email plus any designated security contacts.

Customers are responsible for the secondary notification to their own affected end users within the 72-hour GDPR window.

DPIA support

For customers conducting a Data Protection Impact Assessment (DPIA) for a high-risk processing use case (e.g., automated decision-making, large-scale processing of special-category data), AskVault provides a DPIA support package on Enterprise contracts. Contact security@askvault.co.

Common pitfalls

Customer asks for export, you can't find their data. They might be searching by an email that wasn't used during the conversation. Search by phone or by the conversation date range as well.

Deleted data shows up in old exports. Past exports are point-in-time snapshots; they don't reflect post-export deletions. Run a fresh export after every material deletion.

End user asks for full erasure, but you have a legal obligation to retain. Some data (financial transactions, fraud-related logs) has retention requirements that override the erasure right. Document the legal basis and explain it to the end user. AskVault supports per-record retention overrides on Enterprise.

International data transfer concerns. If your end users are EU residents and you're concerned about APAC processing, consider Enterprise with EU residency.
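
For the first two pitfalls above (data not found under one identifier, and stale exports after deletion), a schema-agnostic scan of a fresh export zip for a data subject's email or phone. This is an added example, not AskVault code: it assumes only what this page states (a zip whose structured data is UTF-8 JSON), and the file names and field names in the sample are constructed placeholders, not AskVault's schema.

```python
import io, json, re, zipfile

def _records(text):
    """Parse a file that is either one JSON document or one JSON object per line."""
    try:
        return [json.loads(text)]
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]

def _strings(value, path):
    """Yield (json_path, string) for every string in a parsed value, keys included."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield f"{path}.{key}", key
            yield from _strings(child, f"{path}.{key}")
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from _strings(child, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value

def find_subject(zip_bytes, email=None, phone=None):
    """Return sorted (member, json_path) hits; an empty list means no trace found."""
    email = email.lower() if email else None
    digits = re.sub(r"\D", "", phone) if phone else None  # ignore phone formatting
    hits = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".json"):  # assumption: JSON members end in .json
                continue  # uploaded documents (PDF, DOCX, ...) need separate review
            for n, record in enumerate(_records(zf.read(name).decode("utf-8"))):
                for path, s in _strings(record, f"record[{n}]"):
                    if email and email in s.lower():
                        hits.add((name, path))
                    if digits and digits in re.sub(r"\D", "", s):
                        hits.add((name, path))
    return sorted(hits)

def sample_export():
    """Constructed export used for the demo; names are placeholders."""
    convs = [{"id": "c1", "visitor": {"email": "Ana@Example.com"}, "messages": [{"text": "hi"}]},
             {"id": "c2", "visitor": {"phone": "+1 (555) 010-0199"},
              "messages": [{"text": "mail ana@example.com"}]}]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("conversations.json", "\n".join(json.dumps(c) for c in convs))
        zf.writestr("leads.json", json.dumps([{"name": "Bo", "email": "bo@example.com"}]))
        zf.writestr("documents/manual.pdf", b"%PDF-")
    return buf.getvalue()
```

Run it against an export taken after the deletion: any hit, including an address that only appears inside message text of someone else's conversation, is a record to review before confirming erasure.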

FAQ

Is AskVault registered with a data protection authority?

AskVault operates from India under the Indian Personal Data Protection Act framework. For EU processing we operate as a non-EU Processor under Article 27, with an EU representative listed in our DPA.

Can I get a signed SCC?

Yes, on Growth and above. Standard Contractual Clauses are included with the DPA.

How long do you keep audit logs?

365 days on standard plans. Extended to 6 years on Enterprise (HIPAA-relevant minimum).

What happens to my data if I cancel my AskVault subscription?

Your workspace remains accessible in read-only mode for 30 days. Then it's deleted. Export your data within the 30-day window if you need it.

Can my end users contact AskVault directly for their data?

End users should contact you (the Data Controller) first. We don't have a direct relationship with your end users; we process their data on your behalf. If they reach out to us, we route them back to you.
