SECURITY & PRIVACY

Your data never leaves Europe.

A technical page for IT leads, DPOs and lawyers. All the architecture, all the certifications, all the subprocessors.

🇪🇺

EU infrastructure

Redundant hosting on AWS Madrid and Frankfurt.

AES-256 ENCRYPTED
🧠

Proprietary EU models

Advanced NLP in Spanish, running on dedicated GPUs inside the EEA.

DEDICATED GPUs
🛡️

EU-resident AI

Claude via AWS Bedrock EU, processing only anonymised PII.

BEDROCK EU
🚫

No training

Your contracts stay private. They are never used to train any model.

ZERO TRAINING

Data flow and architecture

1. Upload
2. Storage
3. Processing
4. GenAI
5. Result

Subprocessors

| Provider | Country | Purpose | DPA |
|---|---|---|---|
| AWS | Spain (EU-South-2) | Cloud hosting & infrastructure | ✓ |
| Anthropic | France (via AWS Bedrock) | LLM models (Claude 3.5 Sonnet) | ✓ |
| Hetzner | Germany | Secondary backups & logs | ✓ |
| Resend | Ireland (EU region) | Transactional notifications | ✓ |
| Stripe | Ireland (EU region) | Payment gateway | ✓ |
| Cloudflare | Global (EU edge) | WAF & DDoS protection | ✓ |

Certifications & compliance

GDPR / RGPD

Full guarantee of data subject rights and privacy by design.

COMPLIANT

LOPDGDD

Aligned with Spanish data protection regulation.

COMPLIANT

AEPD

Following the agency's guidelines for AI and cloud computing.

RECURRING

ISO 27001

Information Security Management System (ISMS).

IN PROGRESS

SOC 2 Type II

Independent audit of security and availability controls.

PLANNED

Pen testing

External penetration tests every year and after major changes.

RECURRING

PII handling

Our tokenisation system ensures generative AI never processes real names, addresses or ID numbers without anonymising them first.

  1. Entity detection

     Our NLP models identify People, Organisations and Locations.

  2. Pseudo-token generation

     A unique temporary identifier is assigned (e.g. [PERSON_1]).

  3. Sent to GenAI

     Only the anonymised text travels to the AI engine.

  4. Data re-hydration

     The AI output is mapped back to the original data locally.

  5. Ephemeral memory wipe

     The mapping table is destroyed at the end of the user session.

PII_PROTECTION_DEBUG.LOG
// ORIGINAL_TEXT

"Mr Juan García, with ID 12345678Z, representative of Tech Solutions S.L. domiciled at Calle Mayor 1, Madrid..."

// ANONYMIZED_PAYLOAD_SENT_TO_LLM

"The [PERSON_1], with [ID_DOCUMENT_1], representative of [ORG_1] domiciled at [ADDRESS_1]..."

[SYSTEM]: PII data removed before transit to subprocessor.
[SYSTEM]: TLS 1.3 encryption active.
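
The five steps above, sketched in Python as an added example (not this vendor's code). Fixed regex patterns stand in for the NLP entity detector and cover only the sample sentence from the log; `SessionVault`, its method names and the patterns are hypothetical.

```python
import re

# Constructed stand-in for step 1 (entity detection): patterns that fit only the
# sample sentence. A real pipeline would take spans from an NER model instead.
PATTERNS = [
    ("PERSON", re.compile(r"\b(?:Mr|Ms|Mrs) [A-ZÁÉÍÓÚÑ]\w+ [A-ZÁÉÍÓÚÑ]\w+")),
    ("ID_DOCUMENT", re.compile(r"\bID \d{8}[A-Z]\b")),
    ("ORG", re.compile(r"\b(?:[A-Z]\w+ )+S\.L\.")),
    ("ADDRESS", re.compile(r"\bCalle [A-Z]\w+ \d+, [A-Z]\w+")),
]
TOKEN = re.compile(r"\[[A-Z_]+_\d+\]")
SAMPLE = ("Mr Juan García, with ID 12345678Z, representative of "
          "Tech Solutions S.L. domiciled at Calle Mayor 1, Madrid...")


class SessionVault:
    """Per-session table linking real values and pseudo-tokens (steps 2 to 5)."""

    def __init__(self):
        self._by_value, self._by_token, self._counters = {}, {}, {}

    def _token_for(self, label, value):
        if value not in self._by_value:  # a repeated entity reuses its token
            n = self._counters[label] = self._counters.get(label, 0) + 1
            token = f"[{label}_{n}]"
            self._by_value[value], self._by_token[token] = token, value
        return self._by_value[value]

    def anonymise(self, text):
        spans = []
        for label, rx in PATTERNS:
            spans += [(m.start(), m.end(), label) for m in rx.finditer(text)]
        spans.sort()
        out, pos = [], 0
        for start, end, label in spans:
            if start < pos:  # overlapping detections: keep the earlier span
                continue
            out += [text[pos:start], self._token_for(label, text[start:end])]
            pos = end
        return "".join(out + [text[pos:]])  # only this string goes to the LLM

    def rehydrate(self, llm_output):
        # Tokens the vault never issued (e.g. invented by the model) stay as-is.
        return TOKEN.sub(lambda m: self._by_token.get(m.group(0), m.group(0)), llm_output)

    def wipe(self):
        # Drops the references at session end; it does not scrub process memory.
        for table in (self._by_value, self._by_token, self._counters):
            table.clear()
```

The quality of step 1 bounds the whole scheme: any entity the detector misses reaches the subprocessor in clear text, so detector recall is the control to test.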

Data Protection Officer

For any technical question about our security architecture or to exercise your GDPR rights, you can reach our compliance office.

DIRECT EMAIL

dpo@clausula.io

RESPONSE TIME

< 48 business hours

Request GDPR rights