GDPR Compliance

How SeerDesk protects your personal data in compliance with the General Data Protection Regulation (EU) 2016/679.

Last updated: February 2026

Our Commitment

Seer SAS is committed to protecting the privacy and personal data of our users, their employees, and their end users. As a company headquartered in Rennes, France, we fully comply with the General Data Protection Regulation (GDPR) and applicable French data protection law. We process only the data necessary to deliver our service, store it exclusively in the European Union, and give you full control over your information.

Data Controller

Seer SAS

3 Rue du Pre du Bois, 35000 Rennes, France

Email: contact@seerdesk.com

Data protection contact: contact@seerdesk.com

Legal Bases for Processing

We process personal data only when we have a lawful basis under Article 6 of the GDPR. Below are the legal bases we rely on, along with the data types associated with each.

Art. 6(1)(b)

Contract Performance

Processing necessary to perform the contract between SeerDesk and your organization.

  • User accounts: username, email address, hashed password
  • Machine registration: machine name, IP address, MAC address, Ed25519 public key
  • Session management: session tokens with 24-hour expiry
  • Invitations: email address, assigned role, organization

Art. 6(1)(f)

Legitimate Interest

Processing necessary for our legitimate interests in maintaining security and preventing abuse, balanced against your rights.

  • Audit logs: user actions, IP addresses, timestamps, HTTP methods, resources accessed
  • Rate limiting: IP addresses (200 requests/minute/IP)
  • Security monitoring: authentication attempts, anomaly detection

Art. 6(1)(a)

Consent

Processing based on your freely given, specific, and informed consent, which you can withdraw at any time.

  • Contact form submissions: name, email, company, message content
  • Email queue: recipient address, subject, content (transactional and requested communications)

Data Minimization

We follow the principle of data minimization as required by Article 5(1)(c) of the GDPR. We collect and process only the personal data that is strictly necessary for the purposes described above.

  • Zero-knowledge architecture: screen content, audio, and input data travel directly between peers via end-to-end encrypted WebRTC connections (DTLS/SRTP). Seer SAS servers never see or store your screen content.
  • No unnecessary profiling: we do not build user profiles, track behavior across sessions, or sell data to third parties.
  • Minimal account data: we collect only username, email, and a securely hashed password. No tracking identifiers or device fingerprints.
  • Automatic expiry: session tokens expire after 24 hours. Rate-limiting data is ephemeral.
  • Purpose limitation: every data field we collect maps directly to a specific technical requirement of the platform.

Data Storage & Security

EU-Only Data Residency

All personal data is stored exclusively in European Union data centers. No data is transferred outside the EU or EEA. This eliminates the need for Standard Contractual Clauses or adequacy decisions for international transfers.

End-to-End Encryption

All remote desktop streams are encrypted with DTLS/SRTP via WebRTC. Connections are peer-to-peer whenever possible. SeerDesk has zero access to streaming content.

Private Mesh Networking

Internal services communicate over an encrypted private mesh network. No internal service is exposed to the public internet.

Credential Security

Passwords are securely hashed before storage. Machine authentication uses public-key cryptography with challenge-response verification. No secrets are stored in plaintext.

Your Rights

Under the GDPR, you have the following rights regarding your personal data. We respond to all requests within 30 days.

  • Right of Access (Art. 15) - You can request a copy of all personal data we process about you, including audit logs accessible through role-based access.
  • Right to Rectification (Art. 16) - You can request correction of inaccurate personal data. User profiles and machine details can be updated via the platform or by contacting us.
  • Right to Erasure (Art. 17) - You can request deletion of your personal data. Machine deletion is available via the API and CLI. Full data deletion is performed on contract termination.
  • Right to Restriction (Art. 18) - You can request restriction of processing in certain circumstances, such as when contesting accuracy or opposing processing.
  • Right to Data Portability (Art. 20) - You can request your data in a structured, commonly used, machine-readable format. Full data export is available on request.
  • Right to Object (Art. 21) - You can object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.

If you believe your data protection rights have not been respected, you have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés), the French data protection authority, at www.cnil.fr.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

Data Type | Retention Period | Justification
User accounts | Duration of contract | Contract performance
Session tokens | 24 hours | Automatic expiry
Audit logs | 12 months | Legitimate interest (security)
Rate limiting data | Ephemeral (minutes) | Legitimate interest (anti-abuse)
Machine registrations | Until deletion or contract end | Contract performance
Email queue | Until sent, then 30 days | Contract performance
Invitations | Until accepted or 30 days | Contract performance
Contact form data | 12 months | Consent

Sub-processors

We minimize reliance on third-party processors. Nearly all infrastructure is self-hosted on our own servers in EU data centers. The following sub-processors may process personal data on our behalf.

Relational Database

Primary data store for user accounts, machines, audit logs, and configuration

Self-hosted (EU)

Message Broker

Distributed state coordination for sessions and real-time messaging

Self-hosted (EU)

Authorization Engine

Role-based access control and permission management

Self-hosted (EU)

SMTP Provider

Transactional email delivery (invitations, notifications)

EU

Data Breach Notification

In the event of a personal data breach, we follow the procedures required by Articles 33 and 34 of the GDPR.

  • Notification to the CNIL within 72 hours of becoming aware of a qualifying breach
  • Notification to affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms
  • Full documentation of the breach, its effects, and the remedial actions taken
  • Incident response procedures with defined escalation paths and responsibilities
  • Post-incident analysis to prevent recurrence

Data Processing Agreement

A Data Processing Agreement (DPA) is available for all customers and can be executed upon request. The DPA covers the scope of processing, security measures, sub-processor obligations, breach notification procedures, and data subject rights. Contact us at contact@seerdesk.com to request a signed DPA.

Exercise Your Rights

To exercise any of your data protection rights, or if you have questions about how we process your personal data, please contact us using the details below. We will respond within 30 days of receiving your request.

Email: contact@seerdesk.com

Address: 3 Rue du Pre du Bois, 35000 Rennes, France

Response time: within 30 days