GDPR Compliance
Last updated: 2026-07-09
Compliance as architecture, not paperwork
PROTUE was built to process special categories of data (Art. 9 GDPR) on behalf of healthcare and third-sector organisations. Compliance is not an added layer: it is how the platform is built.
1. Clear roles
Each client organisation is the controller of its users' and workers' data. Bluix Group LTD is the processor under Art. 28 GDPR and processes data only on the controller's documented instructions. A DPA is executed with each organisation covering: subject matter and duration, nature and purposes, data and subject categories, security obligations, sub-processors, assistance to the controller and return/deletion of data.
2. Where data lives
All production data resides on servers in the European Union (Hetzner — Germany/Finland; Netcup — Germany for staging). No health data is transferred outside the EU to provide the service.
3. Technical and organisational measures (Art. 32)
- Encryption in transit (TLS) and at rest; vault documents encrypted with per-tenant keys.
- Multi-tenant isolation: each organisation's data is logically separated and unreachable by other tenants.
- Role-based access control with multi-factor authentication available.
- Audit trail: every access to documents and sensitive data is logged and reviewable.
- Daily encrypted backups stored on separate EU infrastructure.
- Secure erasure: the right to be forgotten is implemented via crypto-shredding (destruction of encryption keys) and audit tombstones, so erasure is provable without retaining the data.
4. Health data (Art. 9)
Health data is processed exclusively on behalf of the controllers, based on the lawful conditions they identify (e.g. Art. 9.2.h — health or social care purposes). The platform gives controllers tools to manage consents and notices, restrict access to authorised staff, trace every operation and support DPIAs.
5. Data breaches
In the event of a breach involving data processed on behalf of a controller, Bluix Group LTD informs the controller without undue delay upon becoming aware, providing the information needed for the 72-hour notification under Art. 33 GDPR.
6. Sub-processors
The list of sub-processors (EU hosting, payments, SMS) is set out in the Privacy Policy and available in updated form on request. Changes are notified to customers with a right to object.
7. Contact
For DPA, security or data subject requests: info@protue.com.