Verdaio operates on EU-hosted infrastructure, processes the minimum data required, and documents every processor, control, and commitment below. If your procurement team needs something, it is probably here. Otherwise, ask at privacy@verdaio.ai.
Structured questionnaires collect company-level business data: sector, size, policies, and practices. No sensitive personal data is required.
Your answers are sent to Claude (by Anthropic, hosted on Amazon Bedrock in the EU) for analysis. Processing is ephemeral: inputs are not stored by Verdaio and are not used for model training.
A structured compliance report is generated and a secure download link is delivered to your email. Reports are stored temporarily (up to 48 hours) for download, then automatically deleted.
Form data is submitted over a TLS 1.2+ encrypted connection.
Serverless Lambda processes your request in eu-west-1. No persistent servers.
Claude model hosted in eu-west-1. Ephemeral processing. No data stored. No model training.
Secure download link delivered via email. Report auto-deleted after 48 hours.
All infrastructure runs in AWS eu-west-1 (Ireland) and Supabase eu-central-2 (Switzerland). Your data stays in the EU.
TLS 1.2+ for all data in transit. AES-256 encryption at rest. Row-Level Security on all database tables.
Assessment inputs are processed and discarded. AI-generated reports are stored temporarily (up to 48 hours) for download, then automatically deleted.
We use Plausible Analytics, an EU-hosted, open-source analytics tool that uses no cookies and collects no personal data. No analytics information is stored on your device.
All AI-generated reports clearly disclose that they are produced by AI (Claude by Anthropic, hosted in the EU via Amazon Bedrock) and do not constitute legal advice. EU AI Act Art. 50 compliant.
Privacy by design. Data minimization. DPAs with all sub-processors. Transfer Impact Assessment documented for all non-EEA transfers.
Every category of data we process, the provider that hosts it, the region it sits in, and how long it is retained. For the authoritative version see our ROPA.
| Data category | Provider | Region | Retention |
|---|---|---|---|
| Account authentication (email, hashed password) | Supabase | Zurich (Switzerland, EU adequacy) | Until account deletion |
| Subscription + single-purchase records | Supabase | Zurich (Switzerland, EU adequacy) | Until deletion; invoice link retained 10 years (PT fiscal law) |
| AI-generated reports | AWS S3 | Ireland (EU) | 48 hours, then auto-deleted |
| Server access logs | AWS CloudWatch | Ireland (EU) | 90 days (security) |
| CDN edge access logs | AWS CloudFront | N/A | Not captured (data minimisation, since 2026-04-10) |
| Transactional email (report links, notifications) | Brevo (Sendinblue SAS) | France + Germany + GCP Belgium (EU) | 100 days (Brevo default) |
| Invoices + credit notes | InvoiceXpress | Portugal (EU) | 10 years (CIRC Art. 123, DL 28/2019) |
| Payment records | Stripe | Ireland (EU primary) + United States (SCCs + DPF) | Per Stripe retention policy |
| Website analytics (cookieless, aggregated) | Plausible | Estonia (EU) | Aggregated indefinitely; no individual-level data |
| Controller inbox (privacy@, support@, legal@) | Google Workspace | United States (SCCs + DPF) | Per mailbox settings |
Full data-category map and lawful bases documented in our ROPA.
Verdaio reports are generated by an AI model. Because we sell compliance, we document the AI layer to the same standard we expect from the companies we assess.
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services | Hosting, compute, AI compliance analysis (Amazon Bedrock, Claude model) | Ireland (EU) |
| Supabase | Database and authentication | Switzerland (EU adequacy) |
| Stripe | Payment processing | Ireland (EU, primary) + United States (SCCs + DPF) |
| Brevo (Sendinblue SAS) | Transactional email | France (EU) |
| Google Workspace | Controller inbox hosting (@verdaio.ai email) | United States (SCCs + DPF) |
| Plausible | Privacy-first analytics | Estonia (EU) |
| InvoiceXpress | Invoice generation | Portugal (EU) |
For full legal details, see our Data Processing Agreement.
| Category | Duration | Lawful basis |
|---|---|---|
| User accounts | Until deletion | Contract (Art. 6(1)(b)) |
| AI-generated reports | 48 hours, then auto-deleted | Contract + minimisation (Art. 5(1)(e)) |
| Assessment inputs | Not retained (processed ephemerally) | Data minimisation (Art. 5(1)(c)) |
| Invoices + credit notes | 10 years | Legal obligation (CIRC Art. 123, DL 28/2019) |
| Server access logs (CloudWatch) | 90 days | Legitimate interest (Recital 49, security) |
| Transactional email logs (Brevo) | 100 days | Processor default; legitimate interest (deliverability) |
| Website analytics | Aggregated indefinitely; no individual data | Not personal data |
| Consent records | Until account deletion + 3 years | Accountability (Art. 7(1)) |
| Breach notification records | 3 years | Accountability (Art. 33(5)) |
Full policy in Privacy Policy §7. Internal retention procedure documented in DATA-RETENTION-POLICY and available under NDA.
| Area | Status |
|---|---|
| Data Protection Officer | Not required under GDPR Art. 37 (we are not a public authority, we do not perform large-scale systematic monitoring, and we do not process special categories of data at large scale). Analysis documented in our ROPA and available on request. |
| Data Protection Impact Assessment | Necessity analysis completed under GDPR Art. 35(3); no DPIA required at current scope. Analysis documented in our DPIA necessity assessment and available on request. |
| Incident response | CNPD notification within 72 hours under Art. 33 GDPR. Enterprise customers notified within 48 hours per DPA. Full runbook maintained internally and available under NDA for enterprise due diligence. |
For access to any of the above artefacts, email privacy@verdaio.ai.
No security incident affecting customer personal data has occurred since Verdaio launched in 2026.
One internal credential-handling incident is on record: on 2026-04-14 the deploy script briefly printed provider API keys (Brevo, Anthropic) to its own output stream during a routine Lambda redeploy. No customer data was exposed, no external access attempt was detected in the rotation window, and the affected keys were rotated the same day. The deploy script was patched to suppress secret fields on the same day.
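As an added illustration of the control described above, and not Verdaio's own deploy script, the following POSIX shell snippet shows two pieces a deploy pipeline can use against exactly this failure mode: a filter that masks secret-bearing KEY=VALUE lines before they reach the deploy log, and a post-deploy check that fails the run if any live secret value appears verbatim in the captured output. The variable names, values and name-matching heuristic are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example, not Verdaio's deploy script. Two defensive pieces for a
# deploy pipeline: (1) a filter that masks secret-bearing KEY=VALUE lines
# before they reach a log, and (2) a post-deploy check that fails the run
# if any live secret value appears verbatim in the captured output.
set -eu

# Mask the value of any assignment whose name looks secret-bearing.
# The name heuristic (KEY|SECRET|TOKEN|PASSWORD) is an assumption; extend
# it to your own naming convention. Over-matching is the safe direction.
redact_secrets() {
  sed -E 's/^((export )?[A-Za-z0-9_]*(KEY|SECRET|TOKEN|PASSWORD)[A-Za-z0-9_]*)=.*/\1=[REDACTED]/'
}

# Usage: assert_no_secret_in_log LOGFILE SECRET_VALUE...
# Returns 0 if none of the given values occurs in LOGFILE, 1 otherwise.
# Fixed-string grep (-F) so secrets containing regex metacharacters are
# compared literally rather than interpreted as patterns.
assert_no_secret_in_log() {
  log=$1
  shift
  for value in "$@"; do
    [ -n "$value" ] || continue
    if grep -qF -- "$value" "$log"; then
      echo "leak: a secret value appears in $log" >&2
      return 1
    fi
  done
  return 0
}

# Constructed demo of the fixed behaviour: the environment dump a deploy
# step might print is passed through the filter, then the log is checked
# against the live values. Returns 0 when the log is clean.
demo() {
  BREVO_API_KEY='constructed-brevo-secret'          # placeholder, not real
  ANTHROPIC_API_KEY='constructed-anthropic-secret'  # placeholder, not real
  AWS_REGION='eu-west-1'
  log=$(mktemp)
  printf 'BREVO_API_KEY=%s\nANTHROPIC_API_KEY=%s\nAWS_REGION=%s\n' \
    "$BREVO_API_KEY" "$ANTHROPIC_API_KEY" "$AWS_REGION" | redact_secrets > "$log"
  cat "$log"
  if assert_no_secret_in_log "$log" "$BREVO_API_KEY" "$ANTHROPIC_API_KEY"; then
    rc=0
  else
    rc=1
  fi
  rm -f "$log"
  return $rc
}

demo
```

The second function is the part worth wiring into CI regardless of how the logging is done: it treats the deploy output as untrusted and compares it against the actual secret values in use, so a new code path that echoes a credential is caught before the log is shipped anywhere.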
If a qualifying breach ever occurs, we will post a detailed postmortem on this page within 72 hours of CNPD notification under GDPR Art. 33. Enterprise customers are notified within 48 hours per our DPA, with or without a CNPD filing.
Verdaio is a sole-operator EU SaaS. We do not currently hold ISO 27001 or SOC 2 certifications; at this scale the overhead outweighs the benefit versus a documented controls pack. Our Technical and Organisational Measures (TOMs) per GDPR Art. 32 are fully documented and available under NDA for enterprise due diligence.