Trust & Security

Your data.
Our responsibility.

Datafy runs on your revenue, cost and media data: information you do not hand to a vendor lightly. That is why the platform is built on strict separation of customer data, European hosting and the principle that your data is used only for your model. This page sets out how that works, and what your security team can request from us.

The basics

Six principles, no fine print

European hosting

All data is stored in data centres within the EU and does not leave the EU. No transfer to countries outside the European Economic Area.

Data isolation per customer

Each customer has its own, separated database environment. Your data is never mixed with that of other customers and never used to improve anyone else's models.

Encrypted, in transit and at rest

Traffic runs exclusively over TLS; stored data is encrypted. Access to production systems is limited to authorised engineers.

GDPR as the starting point

Datafy works with aggregated media and sales data, not personal profiles. A data processing agreement (DPA) is a standard part of every contract.

Access management & logging

Roles and permissions per user, and logging of access. You decide who in your organisation sees what.

No data trading

Your data is not sold, not shared with third parties and not used for benchmarks without your explicit consent. Full stop.

Traceability

Every decision and every AI action: recorded

01. Decision threads

From recommendation to measured effect, per decision

Every decision has its own thread: who decided what, when, on the basis of which recommendation, and what it actually delivered 2 to 4 weeks later. The full decision log is searchable, recoverable and exportable. No after-the-fact debates about who changed what and why.

02. AI audit log

The AI assistant leaves a full trail too

Every action of the AI assistant (every query, every recommendation, every change) is logged with user, timestamp, status and trace ID. Arguments are stored as a hash (no PII), with 365 days retention. Your security team can inspect the log itself; denied actions are just as visible as executed ones.

For your security team

Documentation on request

Is a vendor assessment or RFP under way at your organisation? This is ready for your security and privacy team:

Architecture description

How the environments are separated, where data is stored and how the data flow runs, from delivery to model.

Data processing agreement

Standard DPA template including an overview of sub-processors and retention periods.

Security questionnaires

We complete your own vendor assessment (SIG, CAIQ or custom) within five working days.

Trust & Security

Questions from your security team?

Request the security documentation or book a conversation straight away in which we answer your DPA and architecture questions.