Legal and compliance FAQ

Below you'll find answers to the most frequently asked questions about Alvas.ai's legal and compliance practices. We've kept it as straightforward as possible. For full details, you can refer to the source documents and policies.

1. Is Alvas.ai GDPR-Compliant?

Yes. Alvas.ai operates under the EU General Data Protection Regulation (GDPR). You can see more details in our Privacy Regulation Compliance document. We also provide a Data Processing Addendum to meet GDPR requirements.

2. What types of personal data do you process and for what purpose?

We only process the data needed to deliver our services. The data is specifically provided and controlled by you, the customer. Typically, this includes basic profile information (such as name, email, and location) and event data (like product views or interactions). The aim is solely to tailor communications while respecting privacy and minimizing data use.


3. Do you offer a Data Processing Addendum (DPA)?

Absolutely. Our standard DPA outlines how we handle personal data on our customers' behalf, addressing GDPR and related privacy obligations.

4. Who are your Sub-processors?

We rely on trusted third-party providers (e.g., cloud services, payment processors) to run Alvas.ai. When engaging third-party service providers, we ensure they are contractually bound to meet equivalent data protection standards. We list them publicly so you can see exactly who processes data and where. Subprocessors are split into two groups:

1. Subprocessors used for data about your customers/users – Alvas.ai is the Processor, and you (the customer) are the Controller under GDPR.
2. Subprocessors used for data about you (our customer) – Alvas.ai is the Controller of this data.

Data About Your Customers/Users:

Subprocessor               | Service Provided                    | Location            | Contact Information
Amazon Web Services (AWS)  | Cloud services provider             | Frankfurt, Germany  | aws.amazon.com/contact-us
Supabase                   | Database provider (hosted on AWS)   | Frankfurt, Germany  | supabase.com/support
Microsoft Azure            | Cloud and AI services               | EU Data Centers     | azure.microsoft.com/en-us/support

5. Do you have security measures in place?

Yes. Security is our highest priority and is maintained through a layered approach, among other measures: data in transit is protected via HTTPS/TLS, and data at rest is encrypted using strong standards (for example, AES-256). Access is strictly controlled and limited to authorized personnel only, ensuring that personal data is safeguarded from unauthorized disclosure or breaches.

6. Where is my data stored?

All customer data is stored and processed exclusively and securely within data centers located in the EU.

7. Is automated processing or profiling used in your services?

According to GDPR Article 22, individuals have the right not to be subject to decisions based solely on automated processing when such decisions produce legal or similarly significant effects. While automated techniques are used to personalize content, our system ensures that no automated decision-making significantly affects individuals' rights. In line with GDPR Article 4(4), any profiling we perform is strictly limited to enhancing the relevance of communications and does not result in any legal or significant personal consequences.

8. How do you ensure compliance with data protection regulations like the GDPR?

Our processes and infrastructure are designed to comply with GDPR and other applicable laws. We process data only on documented instructions, implement robust technical and organizational measures (e.g. encryption, multi-factor authentication, regular backups), and maintain detailed records of our processing activities.

9. Is a Data Protection Impact Assessment (DPIA) necessary for our services?

To date, no customer has requested a DPIA, and based on our risk assessment and the requirements of Art. 35 GDPR, a DPIA is not necessary. Our AI services solely enhance the relevance of communications and do not involve automated decision-making that significantly affects individual rights, in line with Art. 22 GDPR. We continuously assess our risk profile and remain fully prepared to conduct a DPIA should future circumstances or customer concerns require it.

10. How are ethical considerations in data processing addressed?

We take data ethics very seriously. Our approach ensures that individuals retain control over their personal data, and we commit to transparency regarding how data is used. Importantly, we never sell data or use it for purposes beyond the scope of our documented services.

11. Does Alvas.ai hold any formal security certifications?

Currently, we do not hold formal certifications such as ISO 27001 or SOC 2. However, we implement industry-standard security practices and maintain robust security measures to protect customer data. Our security infrastructure and processes are designed to meet or exceed industry best practices. We plan to achieve formal certifications in the near future.

12. What happens in case of a data breach?

In the unlikely event of a data breach, we follow a comprehensive incident response plan in line with GDPR requirements. We will notify affected customers and relevant supervisory authorities without undue delay, within 72 hours of becoming aware of the breach, providing detailed information about the incident and our mitigation measures.

13. What are my rights as a data subject under GDPR?

Under GDPR, you have several fundamental rights regarding your personal data: the right to access your data, rectify incorrect information, request erasure ('right to be forgotten'), restrict processing, data portability, and object to processing. You can exercise these rights at any time by contacting us. We will respond to your request promptly and within 30 days, as required by GDPR.

14. How long do you retain personal data?

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with legal obligations. For active customers, this means as long as you maintain an account with us. After account deletion, we retain certain data for a limited period (typically 30 days) to handle any immediate concerns, after which it is securely deleted. Some anonymized statistical data may be kept longer for analytical purposes.

15. What if I have additional questions or concerns?

If you have more questions about privacy, compliance, or security, email us at marius@alvas.ai.

We strive to be transparent and helpful. If you can't find the answers you need, please reach out anytime.