GDPR compliance documentation

Here in the EU GDPR (General Data Protection Regulation) coming into effect in May this year.

Is Backendless compliant with this, and where can I find the documentation?

Hi Jorgen,

We take privacy very seriously. You can find our privacy policy at: We can guarantee GDPR compliance for the Managed Backendless accounts hosted in EU, however, when it comes to Backendless Cloud, it does not fall under GDPR compliance.


Actually Mark, you’re not quite right there.

“Companies that collect data on citizens in European Union (EU) countries will need to comply with strict new rules around protecting customer data by May 25.”

E.g. If Backendless Cloud, or any other database, is storing data on EU citizens, wherever it is based, has to comply with GDPR. It’s a real pain at the moment to make sure everything is complient.

I checked with our legal counsel before responding to your question, so it is not just my opinion.

It is important to note that Backendless does not collect data on EU citizens, your app does. Backendless is used to store data. Additionally, here’s an excellent write up (written by lawyers who know what they are talking about). The article lists three specific conditions when a US company would need to comply with GDPR (see the section 1 “Who must comply with the GDPR?”:

Hi Mark,

Sorry for the delay, but I was checking out in this end.
I am sure you have made sure that you are compliant with GDPR, as it doesn’t matter where in the world the data is actually stored. As long as the data is of an EU citizen, the datasystem has to be compliant.
Obviously the front-end (us) has to be compliant too.
Furthermore, and this is more for people reading this and not the backend, you have to have consent by the EU person to gather the data that you are storing.
I am not sure that people everywhere understand how big the implications of GDPR is, and the fact that it is not only EU that is affected.

Hi Mark
I’m scratching my head how to move forward right now, as many other europeans probably are.
When you say that Backendless does not collect data on EU citizens I’m going to argue that you (Backendless) in fact do so. When I create an account on your service, Backendless is the “Controller”.
When I collect user information on my app, I’m the “Controller” and Backendless is the “processer”.
So if you’re not doing anything with the cloud service and GDPR, are Backendless planning on becoming a member of the Privacy Shield Framework?
Best regards, Emil

Hi Emil,

The only information Backendless collects is the name/email of the developers who register with us to build their apps. Everything else is indeed collected by your app.

By following the definition of “processing” (paragraph 2 here), you’re correct that Backendless would be defined as a “processor”. With that said, Backendless fully complies with all the responsibilities outlined here and here.

Hope this clarifies the issue.