GDPR Compliance & Data Protection


Your data stays yours. We build AI systems that respect privacy: data is processed in compliance with GDPR, and we do not use your data to train models. This page is for companies implementing voicebots, chatbots, Document AI, generative AI, and custom systems. All solutions are designed as GDPR-native and in line with European security standards.
GDPR-compliant processing
DPA for every client
We don't use your data for training

Legal delays shouldn't stall automation.

Review our GDPR compliance approach, retention, and audit controls so your compliance team signs off fast and projects keep momentum.

Core Principles

Our GDPR Principles

How we process and protect your data

Data Processing Agreements (DPA)

We sign DPAs with all clients before any data processing. Clear roles: you're the Controller, we're the Processor. All obligations documented and legally binding.

No AI Training on Your Data

Your data is NEVER used to train AI models. We call the OpenAI API, the Anthropic API, or private models. API traffic is not used for model training by default, and we enable the providers' zero data retention (ZDR) modes wherever they are offered, so prompts and completions are neither kept on the provider's side nor used to improve base models. Your conversations stay private.

EU Data Residency

All data is processed and stored in EU data centres (Frankfurt, Warsaw, Amsterdam). No data is transferred to the US or other non-EU countries without your explicit consent and adequate safeguards. Where such a transfer is needed (for example, a call to a model provider's API), we rely on Standard Contractual Clauses (SCCs) together with supplementary technical measures such as encryption in transit and at rest.

Encryption Everywhere

Data encrypted in transit (TLS 1.3) and at rest (AES-256). Database encryption, encrypted backups, encrypted logs. No plaintext storage.

Data Minimization

We collect only what's necessary. No tracking pixels, no analytics beyond essential metrics, no selling data to third parties. Ever.

Transparent Processing

You know exactly what data we process, why, and for how long. Full documentation provided. Audit logs available on request.

Security Measures

Technical & Organizational Measures

How we protect your data in practice

Access Controls

Role-based access control (RBAC), multi-factor authentication (MFA) for all team members, principle of least privilege. Only authorized personnel can access production systems.

Audit Logs

Complete audit trail of all data access and processing activities. Logs are retained for 12 months, kept tamper-evident so that any later modification or deletion is detectable, and available for inspection.
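What "tamper-evident" means in practice, as an added example (not the vendor's code): each audit entry commits to the previous one through a hash chain, and a keyed checkpoint of the chain head is stored under a key held outside the log system. The hash chain detects in-place edits; only the checkpoint detects truncation or a chain rewritten end to end. Event records, actor names and the checkpoint key are constructed for illustration.

```python
"""Tamper-evident audit log: SHA-256 hash chain over canonical JSON records,
plus an HMAC checkpoint of the chain head computed under a key held outside
the logging system. Added example; not the vendor's code. Events are constructed."""
import copy
import hashlib
import hmac
import json
from typing import Optional, Tuple

GENESIS = "0" * 64  # stands in for the hash of the empty chain


def _canon(record: dict) -> bytes:
    # Canonical JSON so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, record: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + b"\n" + _canon(record)).hexdigest()


def append(log: list, record: dict) -> dict:
    """Append a record, chaining it to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": entry_hash(prev, record)}
    log.append(entry)
    return entry


def verify_chain(log: list) -> Tuple[bool, Optional[int]]:
    """Recompute every link. Returns (ok, index of the first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def checkpoint(log: list, key: bytes) -> str:
    """Keyed commitment to (length, head hash). The key must live outside the
    log store (e.g. a KMS in a separate account): an attacker who can rewrite
    or truncate the log and recompute the chain still cannot forge this value."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(key, f"{len(log)}:{head}".encode(), hashlib.sha256).hexdigest()


def verify_checkpoint(log: list, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(checkpoint(log, key), expected)


# Constructed sample events (hypothetical actors and object names).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "actor": "svc-voicebot", "action": "read",
     "object": "transcript/1042", "purpose": "call-handling"},
    {"ts": "2024-05-01T09:00:07Z", "actor": "svc-voicebot", "action": "write",
     "object": "transcript/1042", "purpose": "call-handling"},
    {"ts": "2024-05-02T16:30:00Z", "actor": "ops@example.com", "action": "delete",
     "object": "transcript/1042", "purpose": "retention-expiry"},
]


def build_sample_log() -> list:
    log: list = []
    for event in SAMPLE_EVENTS:
        append(log, event)
    return log


def demo() -> dict:
    """Show what each check catches: an in-place edit, and a truncation that
    the bare chain cannot see but the checkpoint does."""
    key = b"\x11" * 32  # constructed checkpoint key, stands in for a KMS-held secret
    log = build_sample_log()
    cp = checkpoint(log, key)

    edited = copy.deepcopy(log)
    edited[1]["record"]["actor"] = "svc-analytics"  # rewrite who touched the transcript

    truncated = log[:-1]  # drop the last entry, leaving a valid-looking chain

    return {
        "intact": verify_chain(log)[0] and verify_checkpoint(log, key, cp),
        "edit_detected_at": verify_chain(edited)[1],
        "truncation_chain_ok": verify_chain(truncated)[0],
        "truncation_checkpoint_ok": verify_checkpoint(truncated, key, cp),
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the checkpoint would be published periodically (for example to write-once storage or to the client), so that an attacker with write access to the log store cannot quietly roll it back; the 12-month retention window then has a verifiable anchor at each checkpoint.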

Secure Infrastructure

Hosted on AWS/GCP infrastructure, both SOC 2 Type II audited. Private VPCs, network segmentation, DDoS protection, and regular security audits. Our practices are aligned with ISO 27001 controls, OWASP guidance, and CIS Benchmarks.

Data Retention Policies

Clear retention periods defined in DPA. Automatic data deletion after retention period ends. No 'forever' storage.

Incident Response Plan

Documented breach notification procedures. As your Processor, we notify you within 24 hours of becoming aware of a personal data breach, which leaves you time to meet the Controller's 72-hour deadline for notifying the supervisory authority (GDPR Art. 33). We also support you in preparing that notification and in analysing the incident, if required.

Regular Security Training

All team members trained on GDPR, data protection, and security best practices. Annual refresher courses.

Vetted Subprocessors

We use only subprocessors bound by GDPR-compliant data processing terms (OpenAI, Anthropic, AWS, GCP). All subprocessors are listed in the DPA; the list is reviewed regularly, and updates are shared with clients together with the DPA documentation.

Pseudonymization & Anonymization

Where possible, we pseudonymize personal data: direct identifiers are replaced with tokens that can only be resolved using additional information kept separately. Pseudonymized data is still personal data under GDPR and stays under the same controls. For analytics and testing we use fully anonymized data, from which individuals can no longer be identified.
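The difference between the two, as an added example that is not the vendor's code: a keyed HMAC pseudonym keeps records joinable and reversible only by whoever holds the key, an unkeyed hash of an e-mail address is re-identifiable by simply hashing guesses, and anonymization drops the identifiers and coarsens the rest with no key kept at all. The record schema, field names, sample values and keys are constructed for illustration.

```python
"""Pseudonymization vs anonymization of a conversation record, and why an
unkeyed hash is neither. Added example; not the vendor's code. The sample
record, field names and keys are constructed."""
import hashlib
import hmac
from typing import Callable, Iterable, Optional

PII_FIELDS = ("email", "phone")  # direct identifiers in the assumed sample schema


def _norm(value: str) -> bytes:
    # Normalize so "Anna.K@Example.com " and "anna.k@example.com" map to one token.
    return value.strip().lower().encode()


def pseudonymize(value: str, key: bytes, purpose: str) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256).
    - same value, key and purpose -> same token, so records stay joinable;
    - a different purpose label gives an unrelated token, so datasets built
      for different purposes cannot be cross-linked;
    - without the key the token cannot be inverted, even for guessable inputs.
    The key is the 'additional information kept separately' of GDPR Art. 4(5);
    the tokenized data is therefore still personal data."""
    mac = hmac.new(key, purpose.encode() + b"\x00" + _norm(value), hashlib.sha256)
    return mac.hexdigest()[:32]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256, often mistaken for anonymization."""
    return hashlib.sha256(_norm(value)).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str],
                      hash_fn: Callable[[str], str]) -> Optional[str]:
    """Re-identify a token by hashing guesses. Succeeds against naive_hash
    because e-mail addresses are a small, guessable space; fails against a
    keyed pseudonym unless the attacker also has the key."""
    for candidate in candidates:
        if hash_fn(candidate) == token:
            return candidate
    return None


def pseudonymize_record(record: dict, key: bytes, purpose: str) -> dict:
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            out[field] = pseudonymize(out[field], key, purpose)
    return out


def anonymize_record(record: dict) -> dict:
    """Irreversible: drop direct identifiers and coarsen quasi-identifiers.
    No key or lookup table is kept, so there is nothing to re-identify with."""
    out = {k: v for k, v in record.items() if k not in PII_FIELDS}
    if "postcode" in out:
        out["postcode"] = out["postcode"][:2]  # "00-123" -> "00": area only
    if "ts" in out:
        out["ts"] = out["ts"][:10]  # keep the date, drop the time of day
    return out


# Constructed sample record from a hypothetical voicebot transcript index.
SAMPLE_RECORD = {
    "ts": "2024-05-01T09:00:07Z",
    "email": "Anna.K@Example.com",
    "phone": "+48 600 000 000",
    "postcode": "00-123",
    "channel": "voicebot",
    "intent": "refund",
}


if __name__ == "__main__":
    key = b"\x22" * 32  # constructed key; in production held in a KMS, separate from the data
    print(pseudonymize_record(SAMPLE_RECORD, key, "analytics"))
    print(anonymize_record(SAMPLE_RECORD))
    leaked = naive_hash(SAMPLE_RECORD["email"])
    print(dictionary_attack(leaked, ["bob@example.com", "anna.k@example.com"], naive_hash))
```

The purpose label matters as much as the key: tokens produced for testing and tokens produced for analytics come from different HMAC inputs, so neither set can be joined to the other even by someone who holds both datasets but not the key.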

Your Rights

Your rights under GDPR

What you can do with your data

Right to Access

Request a copy of all personal data we hold about you. Provided in machine-readable format (JSON/CSV) within 30 days.

Right to Rectification

Correct inaccurate or incomplete personal data. We update it immediately.

Right to Erasure

Request deletion of your personal data ('right to be forgotten'). We delete within 30 days unless legal obligations require retention.

Right to Data Portability

Receive your data in structured, machine-readable format (JSON/CSV). Transfer it to another provider if you wish.

Right to Restrict Processing

Restrict processing of your personal data in certain circumstances (e.g., during dispute resolution).

Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

Questions About Data Protection?

Contact our Data Protection Officer for any GDPR-related questions, data subject requests, or privacy concerns.