GDPR


At Rocket.Chat, privacy is not just a requirement; it is a core part of our culture and the foundation of our product design. We are committed to building solutions that ensure secure communications for organizations, where privacy, data ownership, and data sovereignty are fundamental principles embedded by design.

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union (EU) that governs how personal data of individuals within the EU must be collected, processed, and stored. It aims to protect individuals' privacy rights and give them control over their personal data.

When does GDPR apply?

GDPR applies to any organization, regardless of its location, that processes personal data of individuals located in the European Union. This includes businesses offering goods or services to EU residents or monitoring their behavior.

Our approach to GDPR compliance

Below, we outline our commitment and approach to ensuring GDPR compliance for our users, clients, and stakeholders:

1. International data transfer

Rocket.Chat has a global customer base and operations, which require transferring data and access worldwide, including outside the EEA, UK, and Switzerland.

We have a robust Data Transfer Framework detailed in our Data Processing Agreement (DPA), which clients can sign. This framework allows lawful data transfers outside the EEA, relying on Standard Contractual Clauses.

Whenever we share your data, it is only with subprocessors listed on our Subprocessors page, who undergo due diligence and provide adequate protection and safeguards.

Our product can also be deployed in a self-hosted option, where clients host data on their own servers, maintaining full control and sovereignty over their data.

As described in our documentation, our cloud offerings use data centers in Europe, with data encryption as described in the Cloud Services Terms.

We maintain an annual report with information on government requests for user data, content removal, or account suspensions. Our policies follow the highest global standards for law enforcement requests.

2. Data location & portability

For users on our cloud-hosted plans, data hosting locations are determined based on the contracted plan and as specified in our Cloud Services Terms. This approach is designed to reduce latency, improve performance, and ensure compliance with privacy and data protection standards.

We provide documentation and tools that allow clients to export their data, ensuring data portability in line with GDPR requirements.

Note: While we guarantee data portability, if the client requests us to perform the export, this will require support from our Professional Services team and is not included in the standard offering.

3. Individual rights & consent

Our product is designed to support clients in meeting their GDPR obligations, particularly regarding the right to erasure (“right to be forgotten”), by enabling the deletion of user data within the platform.

Depending on workspace settings, administrators can delete user accounts, including their own, directly from the Admin Portal. Depending on the plan, clients may also have access to audit logs and a moderation panel, which enhance data visibility and control and support GDPR compliance.

For managed workspaces (e.g., open.rocket.chat), users can request to exercise their rights through the Data Subject Request Form detailed in our Privacy Policy.

Users can also contact us at [email protected] with data-related requests, and we will provide guidance and support to help them exercise their rights.

4. Choice & consent

We prioritize transparency, data minimization, and purpose limitation in all our data practices. Full details are outlined in our Privacy Policy.

By default, our product is designed not to access or store user-level data from client workspaces. We do not retain identifiable information about individual users; for example, we cannot identify a user by login credentials, as we only retain information related to the workspace and its administrator.

We also do not access any client data within their workspaces, even when hosted on our cloud infrastructure.

For more information about how we handle requests from authorities, visit our Law Enforcement page.

Additional commitments

We maintain a comprehensive set of technical and organizational measures, as outlined in our Data Processing Agreement (DPA), available for client signature. These safeguards demonstrate our ongoing commitment to privacy and GDPR compliance.

Specifically, we:

  • Hold relevant security certifications and provide detailed documentation of our security practices in our Security Center, recognizing that effective data protection depends on strong security safeguards.

  • Deliver privacy, security, and confidentiality training tailored to our business and regularly reinforced across all teams.

  • Maintain a structured list of Subprocessors, organized by category (e.g., infrastructure, partners), to facilitate client review and risk assessment.

  • Conduct supplier due diligence as part of our procurement and vendor management processes.

  • Perform Data Protection Impact Assessments (DPIAs) where required.

  • Carry out internal privacy audits to ensure ongoing alignment with best practices and regulatory expectations.