GDPR Data Protection & Compliance Overview

Celigo’s Role in GDPR Compliance

Celigo complies with the General Data Protection Regulation (GDPR), a comprehensive data privacy law applicable to entities processing the personal data of individuals in the European Union (EU) and European Economic Area (EEA).

Understanding GDPR Roles

GDPR identifies three primary roles:

– Data Subjects: Individuals within the EU/EEA whose personal data is collected.
– Data Controllers: Determine how and why personal data is processed.
– Data Processors: Process personal data on behalf of the Data Controller.

Celigo acts as a Data Processor when customers use our products like integrator.io, Integration Apps, and CloudExtend. In this capacity, Celigo processes data at the direction of its customers and does not control or repurpose such data.

When Celigo processes customer data for sales, support, or marketing, we act as the Data Controller, responsible for protecting that information in line with GDPR requirements.

Lawful Basis for Processing

As a Data Controller, Celigo ensures personal data is processed only under one or more of the six lawful bases defined by GDPR:
– Consent
– Contract performance
– Legal obligation
– Vital interests
– Public interest
– Legitimate interests

Types of Personal Data Processed

Celigo may collect and use the following personal data for sales, support, and business operations:
– Name
– Email address
– Unique customer identifier
– Order ID
– Payment and bank account details
– Transaction details
– Merchant name/ID
– Geographic location

We do not knowingly process special categories of personal data in our internal business operations.

Governance and Oversight

Celigo integrates data privacy into its operations through regular training and engagement across all departments, the Executive Team, and the Board of Directors.

Our designated Data Protection Officer (DPO), **Jessica Mifflin (Sr. Director of Security and Compliance)**, leads GDPR strategy, compliance monitoring, and security initiatives company-wide.

Data Mapping and Inventory

Celigo has completed its Article 30 data mapping obligations, identifying what personal data we hold, where it resides, how it moves between systems, and how it is accessed and classified.

Information Security

Celigo maintains a comprehensive security program led by Jessica Mifflin (Sr. Director of Security and Compliance). Security measures include:
– Technical security measures (e.g., intrusion detection, firewalls, and monitoring)
– Role-based access control
– Physical and environmental safeguards
– Employee background checks
– Secure Software Development Lifecycle
– Continuous testing across www.celigo.com, integrator.io, and cloudextend.io

Visit our Trust Center for more details.

Privacy Impact Assessments

Celigo conducts Privacy Impact Assessments (PIAs) where appropriate to evaluate privacy risks related to new or evolving data processing activities.

Responding to Data Subject Requests

As a Data Processor, Celigo has processes in place to respond to Data Subject Access, Correction, and Deletion Requests within 30 days, as mandated by GDPR. Requests can be submitted via our online form.

Data Breach Notification

If acting as a Data Processor, Celigo will notify Data Controllers without undue delay upon discovering a breach. When Celigo is a Data Controller, we ensure timely notification to supervisory authorities within 72 hours, where required.

Cookies & Transparency

Celigo uses cookies in accordance with applicable privacy regulations and details our practices in our Privacy Policy.

Use of Subprocessors

Celigo works with authorized Subprocessors to help deliver our services. Subprocessors are subject to the same data protection obligations. View our current list of Subprocessors here.

Customer Responsibilities Under GDPR

– Provide appropriate privacy notices to your staff and clients.
– Use secure (HTTPS) endpoints when integrating with Celigo products.
– Only process data necessary for your business purposes.
– Implement lawful mechanisms (e.g., Standard Contractual Clauses) for cross-border data transfers.
– Notify supervisory authorities within 72 hours of becoming aware of a breach.
– Maintain documentation of GDPR compliance, including data flows and lawful basis for processing.

Who to Contact:

For GDPR-related inquiries, please contact:

Celigo Data Protection Officer: [email protected]

EU Representative (EDPO):
EDPO Contact Form
Address: Avenue Huart Hamoir 71, 1030 Brussels, Belgium

UK Representative (EDPO):
UK GDPR Form
Address: 8 Northumberland Avenue, London WC2N 5BY, United Kingdom

Swiss Representative (EDPO):
Swiss Form
Address: Rue de Lausanne 37, 1201 Geneva, Switzerland

Updated: August 20, 2025 | v4