GDPR Transparency Statement

We comply with the EU General Data Protection Regulation (EU 2016/679) (“GDPR”) and its fundamental principles. On this page you can find a summary of our internal compliance routines and our continuous work to secure GDPR compliance within Mentimeter.

Does Mentimeter transfer data outside of the EU/EEA?

We may transfer limited data to countries outside of the EU/EEA. Such transfers are either conducted under the provisions of the European Commission’s Standard Contractual Clauses as of 4 June 2021 or in accordance with a European Commission adequacy decision, and for the purposes stated in our Privacy Policy. A full list of the service providers that process our users’ data, along with details of their location, is available here. Our users' privacy is of utmost importance to us, and we do everything we can to ensure that all our sub-processors have implemented appropriate safeguards to protect the personal data they process on our behalf, for example by having contractual obligations in place for them to process such data in compliance with applicable data protection laws.

Importantly, we only use processors to the extent necessary to enable us to provide the best services possible, and we never have and will never sell any personal data to third parties.

What supplementary measures has Mentimeter implemented to safeguard data processed outside the EU/EEA?

We are committed to ensuring that both our customers and users feel safe with respect to our processing of personal data. To that end, we have implemented technical, contractual, and organizational measures to ensure that any transfer of personal data of EU citizens outside of the EU is handled securely. Below is a non-exhaustive overview of the actions taken:

Technical measures


We use standard TLS >=1.2, i.e. encryption of data "in transit", which is rated A+ by the third-party vendor SSL Labs. We encrypt all data "at rest" (including AES 256-bit encryption) and get powerful and automatic protection through our database provider.

To read more about our technical measures, please visit

Hosting in the EU

Data at rest is hosted on physical servers in the EU (Ireland) as a default.

Contractual measures

  • We have entered into the 2021 SCCs with our sub-processors and have ensured that all agreements are updated accordingly.
  • Our sub-processors are obliged by written data processing agreements to, in all material respects, comply with corresponding obligations to those that we have towards our customers, as well as acknowledge our code of conduct. 
  • We have ensured that neither we nor any of our sub-processors use the EU-US Privacy Shield as a transfer mechanism.

Organizational measures 

  • We have carried out individual Transfer Impact Assessments (TIAs) on all our sub-processors that transfer personal data outside the EU/EEA. The TIAs concluded that the risks associated with the relevant sub-processors are low and that our sub-processors are committed to implementing supplementary measures to protect the personal data processed. 
  • We conduct a thorough review (including documenting TIAs) to ensure that any new sub-processor meets our requirements for preserving and protecting our customers’ and users’ data.
  • We have rigorous routines to ensure that any potential third-country transfers are lawful and carried out with the minimum risk of disclosure to public authorities in third countries. These routines form an integral part of Mentimeter’s general procurement process.     
  • We continuously evaluate our sub-processors to ensure that any transfer of personal data meets our information security management requirements. If our review shows a lack of compliance, we aim to replace such sub-processors to ensure we can uphold a satisfactory level of information security management.
  • Mentimeter’s first choice is always EU-based service providers when procuring new services, solutions, or systems. Mentimeter will only employ a third-country service provider if no EU service, solution, or system fulfills our operational requirements.

Our security measures

We do our very best to ensure that the data we process is securely handled, with our customers’ and users’ integrity in focus. For example, we have implemented appropriate technical and organizational measures to ensure we can assist our users and customers in fulfilling any obligations to respond to requests for exercising the data subject’s rights, in accordance with Chapter III of the GDPR. 

Further, as an ISO 27001 (ISMS) certified company, our processes and systems meet the highest industry standards. We are also exploring the possibility of independently managed encryption keys.

Vendor Management 

We always conduct an in-depth assessment when onboarding new service providers. Our service providers must have sufficient technical and organizational security measures, comply with applicable laws, regulations, and security requirements, and sufficiently safeguard the integrity, security, and privacy of Mentimeter and its users’ and customers’ data.

Data Protection 

Mentimeter hosts data with Heroku (platform as a service) and AWS (Amazon Web Services) (infrastructure as a service). Data at rest resides on AWS physical servers within the EU (Ireland) as a default for all customers. Data is replicated across multiple availability zones (within your hosting region) for redundancy and disaster recovery. We adhere to the following processes to secure customer data:  

  • data is handled and protected according to its classification requirements and following approved encryption standards, together with security controls (authentication, authorization, data encryption, and auditing, as applicable);
  • controls are designed to protect customer data from improper alteration or destruction;
  • confidential data is stored in a manner that supports automated monitoring for potential security incidents; and
  • production systems have security monitoring enabled, including activity and file integrity monitoring, vulnerability scanning, and annual penetration testing performed by independent third-party cybersecurity experts, as applicable.

Risk Assessment

Every year, we conduct an organization-wide collective risk assessment to identify, evaluate, and manage risks within the business. The risk assessment includes controlling activities to ensure that the company has established a satisfactory level of compliance.

Information Security 

Our policy workflow minimizes information misuse, compromise, or loss by:

  • documenting security processes and measures; 
  • upholding ethical standards; and
  • ensuring we can abide by our regulatory, legal, contractual, and any other applicable obligations.

Data Deletion

We have data deletion procedures in place to ensure the shortest possible retention periods required to fulfill the purposes of collection. Data is deleted when it’s no longer required to fulfill the particular purpose of collection (unless a longer retention period is required by law).

You have rights!

We promise to accommodate your rights and assist you with any inquiries you may have with a swift response. To read more about how to exercise your rights, please visit Your Rights.

Contact us 

We are always available to answer any general questions and considerations that you might have concerning the above. Please do not hesitate to contact us at [email protected].