// auxiliary

GDPR Compliance

Data sovereignty is not a compliance burden. It is a foundation of trust.

Last updated: April 2026 · Regulation: EU 2016/679 · Supervisory authority: AKI (Estonia)

Our commitment

Samarkand Industries OÜ is a European company built on the principle that data sovereignty is not a compliance burden — it is a foundation of trust. We are subject to the General Data Protection Regulation (EU 2016/679) as a company established in Estonia, a member state of the European Union. The High Table is operated under this framework.

1. We are an EU data controller

Samarkand Industries OÜ is registered in Estonia. All core platforms operate within EU jurisdiction. We are not a US company with a European subsidiary. We do not have a dual-structure that places key processing decisions outside EU oversight.

We maintain an internal register of processing activities as required by GDPR Article 30.

2. Data residency

All personal data processed through The High Table is stored and processed within the European Economic Area. We do not use US-based cloud infrastructure for personal data storage. Where any third-party processor is outside the EEA, we apply the European Commission's Standard Contractual Clauses and conduct transfer impact assessments.

3. Data minimisation

We collect only what we need for specified, explicit purposes. Analytics configurations anonymise IP addresses. API logs store identifiers, not personal data in payloads. Biometric facial data is not collected — the Dossier Portrait is generated under an on-device face-detection guard enforcing face obscuration.

4. Processors and DPAs

All third-party processors are bound by GDPR Article 28 data processing agreements specifying scope, security obligations, subprocessing restrictions, data subject rights assistance, and 24-hour breach notification. Enterprise or Chapter operator counterparties may request a DPA with Samarkand Industries OÜ.

5. Security measures

Technical:

TLS 1.2+ in transit
AES-256 at rest
Role-based access and MFA
Regular penetration testing
Network segmentation
Daily encrypted backups (EEA) tested quarterly
End-to-end encryption for Comms with 24-hour default burn
Row-level security policies on every database table
Stripe webhook signature validation and LiveKit server-side token issuance

Organisational:

Need-to-know access controls
Data protection training for all personnel with data access
Documented incident response plan
Data Protection Impact Assessments (DPIAs) for high-risk processing

6. Breach notification

In the event of a personal data breach, we will:

Assess within 24 hours;
Notify the Estonian Data Protection Inspectorate within 72 hours where required (GDPR Art. 33);
Notify affected individuals without undue delay where high risk exists (GDPR Art. 34);
Document all breaches in our internal register.

7. Data subject rights

Right	How to exercise	Response time
Access (Art. 15)	Email or Dossier → Export my data	30 days
Rectification (Art. 16)	Email or Dossier settings	30 days
Erasure (Art. 17)	Dossier → Burn My Identity, or email	7-day grace, then 30 days
Restriction (Art. 18)	Email	30 days
Portability (Art. 20)	Email or Dossier → Export my data	30 days
Object (Art. 21)	Email	30 days
Withdraw consent (Art. 7)	Cookie manager, Dossier, or email	Immediate

No charge for requests. Identity verification may be required. Contact privacy@thehightable.international.

8. Children's data

The High Table is strictly for adults aged 18+. We do not knowingly collect data from minors and will delete any such data promptly on discovery.

9. Automated decision-making

We do not make decisions about individuals based solely on automated processing that produce legal or similarly significant effects (GDPR Art. 22). Adjudicator decisions on sanctions are made by human Adjudicators reviewing the facts; algorithmic signals (fraud flags, abuse reports) inform but do not determine outcomes.

10. Supervisory authority

Andmekaitse Inspektsioon (Data Protection Inspectorate)
Tatari 39, 10134 Tallinn · aki@aki.ee · aki.ee

Data subjects in other EU member states may contact their national supervisory authority.

11. Contact

Samarkand Industries OÜ — Data Protection
privacy@thehightable.international · Narva mnt 5, 10117 Tallinn, Estonia