
    GDPR-Compliant Marketing Automation: A Buyer's Checklist

    By DBautopost Team · 5 March 2026 · 7 min read

    Procuring a marketing automation tool in the EU is no longer just a feature comparison. Choosing the wrong vendor increases your legal exposure.

    The 12 questions

    1. Where exactly is customer data stored — region and country?
    2. Do you offer a GDPR-compliant DPA out of the box?
    3. List your subprocessors and their regions.
    4. Do you train any AI models on customer content?
    5. Encryption standards in transit and at rest?
    6. How do you handle data subject access requests (timeline)?
    7. Are auth tokens for connected social accounts isolated?
    8. What is your incident notification SLA?
    9. Can I export all data on demand?
    10. Retention policy after account deletion?
    11. SOC 2 / ISO 27001 status?
    12. EU-based support and legal entity?

    If a vendor cannot answer all twelve clearly, walk away. The cheap stack becomes very expensive when a regulator calls.