GDPR Compliance

Last Updated: May 12, 2026

Our Commitment to GDPR

Greenlane (operated by Digi Mabble IT Solutions) is fully committed to the General Data Protection Regulation (GDPR). As a platform serving the European healthcare sector, we recognize that patient data privacy is not just a legal requirement but a fundamental pillar of our service.

Data Hosting & Sovereignty

To ensure maximum compliance and performance, all Greenlane production infrastructure is hosted on secure, enterprise-grade cloud servers located within the European Economic Area (EEA). We do not store or process patient-identifiable information on servers outside the EU without explicit contractual safeguards.

Data Processing Roles

Under GDPR, Greenlane operates in two distinct capacities:

  • Data Processor: When we handle patient information on behalf of our healthcare clients (the Data Controllers), we act as a Data Processor. We only process this data according to the explicit instructions provided in our Data Processing Agreement (DPA).
  • Data Controller: For the administrative data of our clients (e.g., login credentials, billing info), Greenlane acts as a Data Controller.

Technical & Organizational Measures

We implement state-of-the-art security measures to protect healthcare data:

  • Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.3).
  • Access Control: We enforce strict role-based access control (RBAC). Authorized personnel can access only the minimum data necessary for service delivery.
  • Audit Logging: All system activities related to data access are logged and monitored for security anomalies.
  • Incident Response: We maintain a rigorous data breach notification protocol in compliance with Article 33 of the GDPR.

Data Subject Rights

We support our clients in honoring the rights of their data subjects (patients), including the rights to access, rectify, port, and delete their information. If a patient contacts Greenlane directly, we forward the request to the relevant healthcare provider (the Data Controller) without undue delay.

Sub-processors

We use only GDPR-compliant sub-processors (such as Paddle for billing and AWS/Azure for EU-based hosting). A full list of our sub-processors is available to our clients upon request as part of the Data Processing Agreement.

Contact

For any GDPR-related inquiries or to request our Data Processing Agreement (DPA), please contact our Data Protection Officer through our Contact Page.