Executive Summary

EasyData processes personal data exclusively on behalf of clients through OCR and document processing. The distinguishing principle: we do not store client data. All processing happens in real-time without persistent storage of personal data, making our services inherently privacy-friendly and significantly minimizing risks. This approach aligns with our commitment to keeping client data safe at every step.

Description of the Processing

Purpose of the processing

EasyData B.V. offers OCR and document processing services to business clients and government organizations. The purpose is to digitize, recognize, extract and return structured data from documents in real-time. Our data capture technology handles everything from invoice processing to complex document classification.

Specific processing purposes:

  • Real-time conversion of documents to searchable text
  • Automatic extraction of data (invoice data, contract data, etc.)
  • Classification and indexing of documents
  • Validation and enrichment of extracted data via validation processes
  • Direct return to client via APIs

Core Principle

All processing happens in RAM. Documents are received, processed, returned and immediately deleted from memory. There is no persistent storage of client documents or extracted personal data. Learn more about how we handle data safety in Europe.

Categories of personal data

Regular personal data

  • Name, address, city details
  • Contact information (phone, email)
  • Date and place of birth
  • National identification numbers (government clients only)
  • Identification numbers
  • Financial data
  • Employment data

Regular personal data is processed in RAM only, with zero persistent storage.

Special categories of personal data

(Limited, only if explicitly agreed)

  • Medical data (when processing healthcare documents)
  • Criminal record data (only for government clients with legal basis)

Special categories require additional processor agreements and DPO approval before processing.

How we process documents

  1. Secure Receipt: Document arrives via encrypted TLS 1.3 connection. Certificate pinning + no weak ciphers.
  2. RAM Processing: Document enters isolated RAM, never touches disk. Swap/pagefile disabled on all servers.
  3. OCR Analysis: OCR engine extracts structured data entirely in RAM. AI-powered recognition + validation.
  4. Data Return: Extracted data returned instantly via API. JSON/XML, real-time delivery.
  5. Secure Wiping: RAM overwritten and container destroyed immediately. Zero residual data, zero risk.

Risk Identification and Analysis

Due to the absence of persistent data storage, all risks are limited to the short processing time (seconds to minutes). This makes our services inherently much safer than traditional processing services with data storage. Our ISO 27001 compliance framework provides the foundation for continuous risk management.

Unauthorized access during processing

During the short processing time, someone could gain unauthorized access to documents in RAM.

Likelihood / Impact: LOW
Mitigated by strong access controls and isolated container environments

Data breach during transport

Interception of documents during transport to/from EasyData servers.

Likelihood / Impact: LOW
Mitigated by TLS 1.3 encryption and certificate pinning

Incorrect extraction or classification

OCR errors lead to incorrect data extraction, potentially impacting decision-making.

Likelihood / Impact: LOW
Mitigated by high-quality OCR, validation, and human-in-the-loop verification

Incomplete removal from RAM

Theoretical risk that data fragments remain in RAM after processing is complete.

Likelihood / Impact: VERY LOW
Mitigated by secure memory wiping and automatic container destruction

Measures to Mitigate Risks

Technical measures

Transport & Encryption

  • TLS 1.3 mandatory for all communication
  • Certificate pinning for API connections
  • No support for weak cipher suites
  • End-to-end encryption option available

We score high on independent security benchmarks.

In-Memory Processing

  • All processing in RAM (no disk writes)
  • Swap/pagefile disabled
  • Secure memory wiping after each transaction
  • Container-based isolation
  • Automatic container destruction

Container isolation means each job runs in its own secure sandbox with no data leakage between transactions.

Access Control

  • Multi-factor authentication (MFA) required
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Separated development, test and production environments

Our access controls follow the CIS hardening benchmarks for infrastructure security.

Monitoring & Logging

  • Real-time monitoring of all systems
  • Detailed audit logs (no document content)
  • Alerting for abnormal behavior
  • SIEM integration for security events

We use Grafana-based dashboards for real-time visibility across all processing systems.

Infrastructure

All data stays within the EU. We operate from European datacenters with full data sovereignty.

Personnel & Organization

  • Pre-employment screening
  • Mandatory privacy & security training
  • Annual awareness training
  • Code of conduct for employees
  • Data Protection Officer (DPO) appointed

Our teams in Apeldoorn and Yerevan follow the same strict security protocols.

Residual Risks

Conclusion on Residual Risks

After implementing all measures above, only minimal residual risks remain that are inherent to any form of IT services. All residual risks are very low to low and are accepted.

Prior consultation with Data Protection Authority: NOT NECESSARY

Residual risks in detail

  • Zero-day vulnerabilities: Continuous monitoring and rapid patching minimize exposure time
  • Advanced persistent threats (APT): Our no-storage principle significantly limits potential damage
  • Natural disasters/calamities: Redundant infrastructure ensures continuity, no data lost

Rights of Data Subjects

Because EasyData does not store personal data, many rights of data subjects cannot in practice be enforced at EasyData. The responsibility lies with the client (data controller). Read more about our GDPR quick scan for organizations.

Right of access (Art. 15 GDPR)

EasyData has no stored data to access. The data subject must contact the client.

Since we process in RAM only, there is no dataset to query. The data controller manages all access requests.

Right to erasure (Art. 17 GDPR)

Automatically implemented by design: data is immediately deleted. No action needed at EasyData.

Our zero-storage principle means the right to erasure is fulfilled by default, without any manual intervention.

Right to rectification (Art. 16 GDPR)

Not applicable at EasyData. The client can have corrected documents reprocessed.

Documents can simply be resubmitted with corrections. No historical data needs updating.

Right to restriction (Art. 18 GDPR)

The client can stop processing by not submitting documents. EasyData stops immediately.

Processing only happens on-demand. No background data retention means stopping is immediate and complete.

Specific Considerations

Special categories of personal data (Art. 9 GDPR)

EasyData only processes special categories of personal data if:

  • Client has valid legal basis
  • Additional processor agreement is concluded
  • Extra security measures are implemented
  • DPO has approved

Healthcare organizations can rely on our experience with sensitive documents.

Transfer outside EU

EasyData ensures:

  • All processing within the EU
  • No transfer to third countries
  • Sub-processors are EU-based
  • No remote access from outside EU

Full digital sovereignty with European datacenters only. No dependency on non-EU cloud providers.

Automated decision-making

OCR and data extraction are automated, but:

  • EasyData does not make decisions about data subjects
  • Output is used for human assessment
  • No profiling or automated individual decision-making
  • Responsibility lies with client

Our human-in-the-loop approach ensures that automated extraction always feeds into human decision-making.

Conclusion and Recommendations

General Conclusion

EasyData’s OCR and document processing services do not pose a high risk to the rights and freedoms of data subjects, provided all described measures are maintained.

The distinguishing no-storage principle is the most important risk mitigation:

  • No persistent storage = no data breach of historical data possible
  • Limited exposure time (seconds/minutes) = minimal risk window
  • Transient processing = privacy by design
  • Full GDPR compliance = trust from clients and data subjects

Recommendations

  1. Maintain the no-storage principle as core value of EasyData
  2. Actively communicate this distinguishing feature to (potential) clients
  3. Continue investing in security awareness for employees
  4. Renew this DPIA annually or upon significant changes
  5. Continue the ISO 27001 certification trajectory and consider NIS2 compliance for healthcare