A: Thanks for the thoughtful questions — these are all very important considerations for any EU production deployment handling personal data.

Here are the details regarding NoCodeBackend’s GDPR and data protection approach:

1. Customer data is stored and processed using secure cloud infrastructure providers and services operated by trusted subprocessors.

2. At this time, EU-only data residency is not currently guaranteed. However, we take GDPR compliance seriously and implement appropriate safeguards for international data handling.

3. Yes — we provide a GDPR-compliant Data Processing Addendum (DPA):
https://www.nocodebackend.com/dpa

4. We do use subprocessors for infrastructure and related services. We are working toward providing a more detailed public subprocessor list and infrastructure transparency documentation.

5. International data transfers are protected using appropriate contractual safeguards, including Standard Contractual Clauses (SCCs) where applicable.

6. Yes — customer data can be permanently deleted upon request.

7. Deleted records may remain in encrypted backups for a limited retention period before permanent removal, in accordance with backup and disaster recovery practices.

8. Yes — data is encrypted both in transit (TLS/HTTPS) and at rest using industry-standard security practices.

9. Yes — we support GDPR-related data subject requests including access, deletion, and export requests.

Overall, NoCodeBackend is designed with GDPR compliance considerations in mind and can be used by EU businesses handling customer data. That said, we always recommend that businesses perform their own legal/compliance review based on their specific use case and regulatory requirements.