UAB Baltsoft ("Baltsoft") is committed to complying with the General Data Protection Regulation ("GDPR"). The GDPR regulation contains the most significant changes to European data privacy legislation in the last 20 years. It is designed to give European Union ("EU") citizens more control over their data and seeks to unify several existing privacy and security laws under one comprehensive law. The GDPR applies to all companies that do business with EU citizens or process data of EU citizens regardless of the location of the company that is processing such data. To that end, the GDPR applies to Baltsoft.

Our customers can trust that Baltsoft has made GDPR a priority and has devoted significant and strategic resources toward our efforts to comply with GDPR.

Like many other global software companies, Baltsoft is in the process of rolling out its company-wide GDPR compliance program starting on May 25, 2018. Baltsoft appreciates that its customers have requirements under the GDPR, which are directly impacted by their use of Baltsoft’s products and services, and Baltsoft is committed to helping its customers fulfill their requirements under the GDPR and local law.

Baltsoft will keep you informed through its website about its compliance with the GDPR requirements; however, should you have any questions or concerns, please do not hesitate to contact us at
Are you looking for a Data Processing Agreement (DPA)? Read how to sign a DPA between your company and ConvertAPI.

Frequently Asked Questions

Does my data need to be stored in Europe?

No. The GDPR does not contain any obligation to store information in Europe. However, transfers of European personal data outside the European Economic Area (EEA) generally require that a valid transfer mechanism is in place to protect the data once it leaves the EEA. The GDPR does not invalidate or override the EU Model Clauses or the EU-U.S. and Swiss-U.S. Privacy Shield Framework, which is both legally valid mechanisms to ensure the legal transfer of personal data into and out of the EEA. The Company ensures that its customers can comply by offering its customers a data processing agreement ("DPA") that incorporates the Model Clauses as approved by the European Commission.

Is it required for me as a customer of Baltsoft to have a DPA with Baltsoft?

If you have determined that you qualify as a data controller under the GDPR (please see the definition of the data controller and data processor below), and need a data processing agreement in place with vendors that process personal data on your behalf, we want to help make thigs easy for you. Our GDPR compliant DPA is available for review here and ready for your agreement (by electronic acceptance within the ConvertAPI application). By agreeing to enter into our DPA you are ensuring that adequate safeguards are in place concerning the protection of such personal data as required by EU Data Protection Laws.

What happens if I don’t have a current agreement with Baltsoft?

The DPA is an addendum to and is incorporated into a reference in the main Agreement between Baltsoft and its customers. The customer entity signing the DPA must be the same as the customer entity party to the main Agreement. If the customer entity signing the Baltsoft DPA is not a party to the main Agreement directly with Baltsoft, but is instead a customer indirectly of Baltsoft services, this DPA is not valid and is not legally binding. Such an entity should contact the authorized Baltsoft customer to discuss whether any amendment to its agreement with such Baltsoft customer may be required.

Does the GDPR apply to companies that are established outside the European Union?

Yes. The GDPR applies to all companies regardless of where it is located to the extent the company process personal data in the context of (A) offering goods and services (whether paid or not) to people in the EEA; or (B) monitoring the behavior of people in the EEA, for example by placing cookies on the devices of EEA individuals.

Is it required to have consent from individuals to process their personal data?

Consent is only one of the legal bases a company can use for the processing of personal data. For example, the company can process personal data (A) when necessary for the performance of a contract to which the data subject (the individual whose data is processed) is a party; (B) when there is a legal obligation to do so (such as the submission of employee data to tax authority); and (C) sometimes even based on legitimate interests, such as commercial and marketing goals. The legitimate interest must, however, outweigh any detriment to the privacy of the data subject.

What is the difference of "data controller" and "data processor"?

Data Controller is the owner of their information and decides how that information should be used (e.g. Baltsoft customer). Data Processor is an entity that processes the personal data of the Data Controller and carries out instructions of the Data Controller concerning this data (e.g. Baltsoft). Formal definitions from the GDPR full text may be found at

Does the GDPR require encryption of all personal data?

No. The GDPR does not mandate specific security measures. Instead, the GDPR requires organizations to take technical and organizational security measures, which are appropriate to the risks presented. Encryption at rest and pseudonymization may be appropriate depending on the circumstances, but they are not mandated by the GDPR in every instance. The following are kinds of security actions considered “appropriate to the risk” (1) the pseudonymization and encryption of personal data (as mentioned); (2) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; (3) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (4) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

What sub-processors does Baltsoft use?

Baltsoft uses these sub-processors:

IBM Cloud
Paddle (sales processor)
Bluesnap (sales processor)
Crisp (chat and helpdesk)

If you have questions about Baltsoft, GDPR commitment or if you would like to submit an inquiry about your personal data, please let us know. A Baltsoft representative will be in touch shortly.

NOTE: The FAQ information is provided by Baltsoft for informational purposes only and is not intended to serve as legal advice. You should contact your attorney to obtain advice with respect to any particular GDPR question, issue, or problem.
Was this article helpful?
Thank you!