DATRUM's full record of how we handle data, secure our infrastructure, and align to GDPR, PCI DSS, and Ley 81 — written so prospects, auditors, and procurement teams can verify our claims in one read. If any of this isn't accurate, email [email protected] and we'll fix it.
Last reviewed: 2026-05-26 · Next review: 2026-11-26
GDPR
EU General Data Protection Regulation
DATRUM acts as a data controller for visitors to jldatrum.com and as a data processor for the client projects we deliver. We comply with Regulation (EU) 2016/679 across both roles.
Lawful basis (Article 6)
Consent — analytics cookies (Google Analytics 4). Opt-in only, via the banner. Storage_consent denied by default until accepted.
Legitimate interest — request logs (Cloudflare) needed to deliver pages and prevent abuse. No tracking identifiers stored.
Contract — diagnostic widget submissions (email + URL you give us) used to deliver your PDF report.
Transparency (Articles 13–14)
What data we collect and why — disclosed in section 04 below and on the privacy policy.
Some subprocessors (Google, Cloudflare, GitHub, Calendly) are US-based. Transfers rely on the EU–US Data Privacy Framework (where the subprocessor is certified) and on Standard Contractual Clauses (SCCs) as a backup. Cloudflare-edge processing happens regionally where possible.
PCI DSS
PCI DSS — Self-Assessment Questionnaire A
DATRUM does not store, process, or transmit cardholder data on its own infrastructure. When we deliver e-commerce projects for clients, we engineer payment flows that fully outsource cardholder data handling to PCI DSS Level 1 service providers — primarily Stripe, with Adyen as an alternative.
That architecture means the client merchant qualifies for SAQ A — the simplest, lowest-burden PCI DSS compliance tier — and DATRUM as a service provider operates within that scope.
✓ SAQ A Self-Attestation (PCI DSS v4.0.1)
On behalf of DATRUM, I attest that for the period covered by this document, DATRUM:
Does not directly handle, store, process, or transmit account data (PAN, sensitive authentication data) on any DATRUM-controlled system.
Outsources all payment acceptance and processing to PCI DSS Level 1 third-party service providers via redirect or Stripe Elements / Stripe Checkout.
Implements only the SAQ A applicable controls — primarily around contracting with compliant service providers, securing payment-page URLs against tampering, and verifying provider compliance annually.
Maintains a list of Stripe and Adyen attestations on file and re-verifies them at each renewal cycle.
Signed: Julio Luque Valdés · Founder, DATRUM · 2026-05-26
SAQ A version: PCI DSS v4.0.1 (Dec 2024) · Next attestation: 2027-05-26
Honest framing: SAQ A is a self-attestation tier — not an audited certification like SOC 2 or ISO 27001. We publish this attestation so prospects can verify what we claim. If you need an audited PCI DSS report for a Level 1 / Level 2 merchant context, that's outside SAQ A scope; we'll architect with you and refer to a QSA partner.
Ley 81
Ley 81 de 2019 (Panama Personal Data Protection)
Every client site DATRUM delivers ships with Ley 81 controls built in — explicit consent collection, data-subject access mechanisms, retention controls, and breach-notification readiness. For our own jldatrum.com operations, we honor the same controls because much of our visitor base is in Panama.
Consent is collected before any non-essential data processing (Article 5).
Data-subject rights are honored within 15 working days (Article 18) via [email protected].
Retention is limited to the period necessary for the stated purpose (Article 6).
The Panamanian DPA (ANTAI) is our supervisory authority. Complaints may be filed at antai.gob.pa.
Diagnostic submissions — email + website URL + diagnostic answers. Source: the Diagnostic widget on the homepage. Purpose: generate and email you the PDF report. Retention: 24 months unless deletion requested.
Calendly bookings — name, email, meeting time, anything you type. Source: Calendly form (only triggered if you click "Schedule"). Purpose: confirm the meeting. Retention: per Calendly's own policy.
We do not collect: payment card data, government ID numbers, health data, biometric data, or any "special category" data under GDPR Article 9 / Ley 81 Article 7.
Subprocessors
Third parties that handle data on our behalf
The full, current list is maintained on its own page so we can update it without revising this document. See jldatrum.com/subprocessors for each vendor, what they receive, why, and where.
Your Rights
Data-subject rights and how to exercise them
Access — request a copy of the data we hold about you (GDPR Article 15 / Ley 81 Article 13).
Domain & email security — DKIM, SPF, DMARC enforced for jldatrum.com. HSTS preload, CSP, X-Frame-Options set on every page response. DNSSEC enabled.
Source code — Private GitHub repo with required signed commits and 2FA-mandated access for any contributor.
Secrets — stored as Cloudflare Worker secrets, never committed to source. Rotated on personnel changes.
Backup posture — static site (Git history is the backup), worker state is replicated edge-side by Cloudflare.
Endpoint security — DATRUM's working devices use full-disk encryption, OS-level firewall, and password managers (no shared passwords).
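For the response-header controls listed above (HSTS preload, CSP, X-Frame-Options on every page response), the following is an added example of how a Cloudflare Worker can apply them uniformly and how an auditor can check a response for them. It is illustrative code written for this page, not DATRUM's own worker; the specific CSP directives and the `applyToResponse` wrapper are assumptions, and only the plain-object helpers are needed to run the check offline.

```javascript
// Added example, not DATRUM's code. Header values below are assumptions chosen
// to match the controls the page names; adjust them for your own origin list.
const SECURITY_HEADERS = {
  // HSTS preload eligibility requires max-age >= 1 year, includeSubDomains, preload.
  "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
  // Assumed CSP for a static site that embeds GA4 and Calendly.
  "content-security-policy":
    "default-src 'self'; script-src 'self' https://www.googletagmanager.com; " +
    "frame-src https://calendly.com; frame-ancestors 'none'; object-src 'none'",
  "x-frame-options": "DENY",
};

// Lower-case every header name so comparisons are case-insensitive (HTTP headers are).
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Merge the security headers into an existing header map. Security headers
// win over any upstream value so a misconfigured origin cannot weaken them.
function withSecurityHeaders(headers) {
  return { ...normalizeHeaders(headers), ...SECURITY_HEADERS };
}

// Auditor-side check: which required headers does this response lack?
function missingSecurityHeaders(headers) {
  const present = normalizeHeaders(headers);
  return Object.keys(SECURITY_HEADERS).filter((name) => !(name in present));
}

// Check that an HSTS value meets the preload-list submission requirements.
function hstsSatisfiesPreload(value) {
  const directives = value.toLowerCase().split(";").map((d) => d.trim());
  const maxAge = directives.find((d) => d.startsWith("max-age="));
  const seconds = maxAge ? Number(maxAge.slice("max-age=".length)) : 0;
  return (
    seconds >= 31536000 &&
    directives.includes("includesubdomains") &&
    directives.includes("preload")
  );
}

// Worker-shaped wrapper (assumed pattern): copy the upstream response and set
// the headers on the copy, since Response headers are immutable once created.
// Only callable inside a Workers runtime or a Node version with global Response.
function applyToResponse(upstream) {
  const res = new Response(upstream.body, upstream);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.headers.set(name, value);
  }
  return res;
}
```

Inside a worker, `applyToResponse(await env.ASSETS.fetch(request))` (with `ASSETS` as an assumed static-assets binding) would be the place this runs; `missingSecurityHeaders` is the part a procurement reviewer can point at a captured response header set to confirm the claim on this page.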
Incident Response
Breach response
In the event of a confirmed data breach affecting personal data, DATRUM will:
Notify affected data subjects without undue delay (GDPR Article 34 / Ley 81 Article 24).
Notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Article 33) — for Panama, ANTAI; for EU subjects, the lead supervisory authority of the data subject's habitual residence.
Publish a post-mortem at /security within 14 days describing what happened, what data was affected, and what mitigations are in place.
Report a suspected vulnerability or data exposure to [email protected]. We acknowledge within 48 hours.