Your compliance data is sensitive. Here is exactly how we protect it.
Your data is hosted on Supabase (powered by AWS) in the eu-central-1 region (Frankfurt, Germany). All primary data storage remains within the European Union.
| Provider | Region | Data Residency |
|---|---|---|
| Supabase (AWS infrastructure) | eu-central-1 (Frankfurt, Germany) | European Union |
All data is encrypted both in transit and at rest using industry-standard protocols.
- TLS 1.3 — all connections to AktAI are encrypted using the latest Transport Layer Security protocol.
- AES-256 — all stored data is encrypted using the 256-bit Advanced Encryption Standard.
We implement multiple layers of access control to ensure your data is only accessible to authorized users.
Access control is enforced on every database query at the PostgreSQL level, so an organization can only reach its own data. This is not application-level filtering — it is database-level isolation.
Team members are assigned roles (Owner, Admin, Member) with granular permissions. Only owners and admins can manage organization settings and team members.
Secure authentication via Supabase Auth with support for email/password and Google OAuth. Sessions are managed with secure, httpOnly cookies.
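As an added illustration of what database-level isolation looks like in practice (example code, not AktAI's schema or policies), the following assumes PostgreSQL row-level security, which is the mechanism Supabase exposes for this, and uses hypothetical table names. It also shows the owner/admin role distinction from the roles described above.

```sql
-- Added illustration, not AktAI's schema: organization-scoped, database-level
-- isolation expressed as PostgreSQL row-level security (RLS) on Supabase.
-- Table and column names are hypothetical. auth.uid() is Supabase's helper that
-- returns the authenticated user's id from the request's JWT.
create table organizations (
  id uuid primary key default gen_random_uuid(),
  name text not null
);
create table memberships (
  organization_id uuid not null references organizations(id) on delete cascade,
  user_id uuid not null references auth.users(id) on delete cascade,
  role text not null check (role in ('owner', 'admin', 'member')),
  primary key (organization_id, user_id)
);
create table compliance_documents (
  id uuid primary key default gen_random_uuid(),
  organization_id uuid not null references organizations(id) on delete cascade,
  title text not null,
  body text
);
-- Enable RLS and apply it to the table owner too; only a BYPASSRLS role
-- (e.g. Supabase's service_role) skips the policies after this.
alter table compliance_documents enable row level security;
alter table compliance_documents force row level security;
alter table memberships enable row level security;
alter table memberships force row level security;
-- Does the caller belong to the organization with one of the allowed roles?
create or replace function is_org_member(org uuid,
    allowed_roles text[] default array['owner', 'admin', 'member'])
returns boolean language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from memberships m
     where m.organization_id = org
       and m.user_id = auth.uid()
       and m.role = any(allowed_roles)
  );
$$;
-- Users see only their own membership rows.
create policy memberships_self on memberships for select
  using (user_id = auth.uid());
-- Reads: any member of the owning organization.
create policy docs_select on compliance_documents for select
  using (is_org_member(organization_id));
-- Writes need WITH CHECK too, or a member could insert or move a row into another org.
create policy docs_insert on compliance_documents for insert
  with check (is_org_member(organization_id));
create policy docs_update on compliance_documents for update
  using (is_org_member(organization_id)) with check (is_org_member(organization_id));
create policy docs_delete on compliance_documents for delete
  using (is_org_member(organization_id, array['owner', 'admin']));
```

A practical check is to run the same queries as the `authenticated` role with a test JWT for a user in one organization and confirm that rows belonging to any other organization are neither returned nor writable.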
AktAI is designed with GDPR compliance at its core. As a European company processing data of European businesses, we take data protection seriously.
- Lawful basis for processing (contract performance, legitimate interest, consent)
- Data minimization — we only collect what is necessary for the service
- Right to access, rectify, and delete your data
- Data portability — export your data at any time
- Data protection practices reviewed regularly
- Privacy by design and by default in all features
We use the following third-party services to deliver AktAI. Each is bound by a data processing agreement.
| Service | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database & Authentication | EU (Frankfurt) | EU data residency |
| Anthropic | AI Generation (Claude) | US | SCCs + DPA |
| OpenAI | Text Embeddings | US | SCCs + DPA |
| Stripe | Payment Processing | US / EU | SCCs, PCI DSS Level 1 |
| Resend | Transactional Email | US | SCCs |
| Vercel | Application Hosting | US / EU | SCCs |
We retain your data only as long as necessary to provide our services or as required by law.
- Account data — retained while active, deleted 30 days after account deletion
- Compliance data — retained while subscription is active, deleted 90 days after cancellation
- Analytics data — retained for up to 26 months
- Payment records — retained for 7 years per Norwegian accounting law
You can request deletion of all your personal data at any time by contacting support@aktai.eu. We will process your request within 30 days and provide written confirmation of deletion. Some data may be retained where required by law (e.g., financial records).
We provide a comprehensive Data Processing Agreement that details our obligations as a data processor.
View our full DPA

We maintain a documented incident response process to handle any security events promptly.
- Detection — Automated monitoring and alerting for security anomalies
- Containment — Immediate isolation and mitigation of affected systems
- Notification — Affected customers notified within 72 hours per GDPR Article 33
- Remediation — Root cause analysis and preventive measures implemented
- Reporting — Full incident report provided to affected parties
If you have questions about our security practices or need additional information for your procurement process, please contact us.