Does Cryptomator allow GDPR-compliant file storage?

Yes. This has been confirmed by the Belgian Council of State on August 19, 2021: When storing data in countries that don’t have data protection laws equivalent to the GDPR, organizations must implement supplementary measures. According to the judgement, encryption of said data is considered as an adequate supplementary measure.

In other words: If you use Cryptomator to encrypt personal data, the encrypted data can be stored GPDR-compliantly even outside the EU.

Is Cryptomator GPDR-compliant?

If you intend to store personal data (e.g. employee, customer, patient data, etc.), you must protect this data from access by third parties using suitable security measures. For example, GDPR articles 6, 32 and 34 explicitly refer to the possibility of encryption to protect data.

The use of Cryptomator is therefore such a technical security measure, which is suitable for storing encrypted data in your cloud. Please note that you usually have to sign an additional DPA with your cloud storage provider.

Do I need a Data Processing Agreement (DPA)?

Cryptomator runs as an application only on your PC or Smartphone. While we are the manufacturer of this software, we are no service provider and neither store, process or otherwise get in touch with your data. Therefore no DPA is needed to use Cryptomator. You keep full control over the data and are the sole person able to access to it!

Do I need a Data Processing Agreement (DPA) with my cloud storage provider?

Even if it is impossible to relate data to a person without the decryption key, a DPA might be necessary. We therefore recommend that you conclude a DPA with your cloud storage provider.