Gelato is a global print-on-demand platform serving 32 countries and 5+ billion people. The company holds ISO/IEC 27001 certification, follows GDPR, encrypts all data at rest and in transit, uses AWS hosting with EU data residency options, and performs regular penetration testing to maintain security while enabling businesses to scale globally.
Data Processing Agreements (DPAs) tailored for GelatoCreate and GelatoConnect, outlining processor/controller responsibilities, regularly reviewed & updated
Policies for secure data retention, classification and disposal
Procedures for responding to data deletion requests
Minimal collection of personal data, limited to necessary purposes
Encryption is enforced for data in transit and at rest
Regular system maintenance and security vulnerability patching
Routine backups of production data to secure off-site locations
Intrusion detection and continuous network monitoring
Privileged access to databases and networks strictly limited
Multi-factor authentication required for remote access
Frequent vulnerability scanning and prompt remediation
Annual business continuity and disaster recovery (BC/DR) plan testing
Regular incident response plan reviews and tests
Defined access control request and approval procedures
Comprehensive vendor management and security reviews
Annual penetration testing with vulnerability remediation plans
Secure data encryption for both stored data and transmissions
Defined vulnerability management and system monitoring policies
Security requirements integrated into the development lifecycle
Automated security testing integrated into CI/CD pipelines
Employee background checks performed during onboarding
Mandatory regular security awareness training
Confidentiality agreements for employees and contractors
Secure electronic asset disposal and documented destruction process
Established whistleblower policy with anonymous reporting channels
Email address
Postal address
Phone number
Password
IP Addresses
Payment information
Additional data required for specific service functionalities, configurations, or operational requirements, depending on the Gelato service you use.
You can reach Gelato's Data Protection Officer at [email protected]. For more details, please refer to our Privacy Policy.
Gelato's Data Processing Terms are available here: Data Processing Terms
You can manage your personal data through the Gelato Dashboard. For formal requests, please email [email protected] with your full name, registered email, and a clear description of your request. See: Gelato Create | Help Center
Gelato implements appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, and destruction. We require our suppliers and service providers to protect personal data by contractual means. See: Data Protection
Yes. All customer data stored within our systems, including data in cloud storage, is encrypted at rest using industry-standard encryption protocols.
All data transmitted is secured using TLS 1.2 or higher. Additionally, we employ HSTS (HTTP Strict Transport Security) to enhance data security during transmission.
Yes. We partner with industry-leading security firms to perform comprehensive penetration testing annually.
Yes. Gelato has achieved ISO/IEC 27001 certification, demonstrating our commitment to information security management. This internationally recognized standard confirms that we maintain a robust information security management system (ISMS) that follows industry best practices. Our certification covers all core business processes and is regularly audited to ensure ongoing compliance and continuous improvement. See: ISO:27001 Certification
Our infrastructure is hosted on AWS, with available data residency options in the EU.
When personal data is transferred outside the EU, Gelato ensures that adequate protection exists through appropriate contractual arrangements or as required by law. See: Data Transfer
For information security inquiries, please email [email protected]. Our dedicated Information Security team is committed to addressing your security concerns promptly and thoroughly.
Our support team is available 24/7 via our chat feature. For order-related issues, use the "Report a problem" feature on the relevant order page. See: Help Center