Compliance & Certifications
Frameworks and standards we adhere to
GDPR
Active: Full compliance with EU General Data Protection Regulation
Swiss FADP
Active: Compliant with Swiss Federal Act on Data Protection (revFADP 2023)
ISO 27001
Active: Infrastructure hosted in ISO 27001 certified datacenters
EU AI Act
Active: Designed for compliance with EU Artificial Intelligence Act
SOC 2 Type II
Roadmap: Q3 2026 - Trust Services Criteria
HIPAA Ready
Active: Architecture designed for healthcare compliance
Security Documentation
Public reports and assessments
Privacy & Security Self-Assessment
Comprehensive overview of our security practices and controls (AS-2026-001)
Download PDF
Security Policies
ISO 27001 Framework Alignment
All policies actively followed as part of our security program
| Policy | Category | Status |
|---|---|---|
| Data Protection Policy | Data Privacy | In Practice |
| Data Retention Policy | Data Privacy | In Practice |
| Information Classification and Handling Policy | Data Privacy | In Practice |
| Information Transfer Policy | Data Privacy | In Practice |
| Information Security Policy | Security | In Practice |
| Access Control Policy | Security | In Practice |
| Cryptographic Control and Encryption Policy | Security | In Practice |
| Cryptographic Key Management Policy | Security | In Practice |
| Network Security Management Policy | Security | In Practice |
| Physical and Environmental Security Policy | Security | In Practice |
| Malware and Antivirus Policy | Security | In Practice |
| Patch Management Policy | Security | In Practice |
| Asset Management Policy | Operations | In Practice |
| Change Management Policy | Operations | In Practice |
| Backup Policy | Operations | In Practice |
| Logging and Monitoring Policy | Operations | In Practice |
| Business Continuity Policy | Operations | In Practice |
| Incident Response and Evidence Collection Policy | Operations | In Practice |
| Secure Development Policy | Development | In Practice |
| Cloud Service Policy | Development | In Practice |
| Risk Management Policy | Governance | In Practice |
| Third Party Supplier Security Policy | Governance | In Practice |
| Continual Improvement Policy | Governance | In Practice |
| Document and Record Policy | Governance | In Practice |
| Intellectual Property Rights Policy | Governance | In Practice |
| Information Security Awareness and Training Policy | Personnel | In Practice |
| Acceptable Use Policy | Personnel | In Practice |
| Clear Desk and Clear Screen Policy | Personnel | In Practice |
| Mobile and Teleworking Policy | Personnel | In Practice |
29 policies aligned with ISO 27001:2022 framework
Product Security
Technical measures protecting your data
Encryption
TLS 1.3 for data in transit, AES-256 for data at rest. All customer data is encrypted both in transit and at rest.
Multi-Tenant Isolation
Complete data separation between customers, enforced in the database with row-level security rather than only in application code.
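The row-level-security pattern named above, shown as an added illustration in PostgreSQL. This is not the product's own schema or policy: the table, column and role names and the `app.tenant_id` session setting are assumptions, chosen to show the two checks a practitioner looks for (the policy is forced on the table owner too, and the tenant id comes from the authenticated session, not from a request parameter).

```sql
-- Illustrative PostgreSQL schema (assumed names, not the product's schema).
CREATE TABLE conversations (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL,
    transcript  text NOT NULL
);

-- Turn RLS on, and FORCE it so the table owner is filtered as well;
-- without FORCE, the owner bypasses every policy.
ALTER TABLE conversations ENABLE ROW LEVEL SECURITY;
ALTER TABLE conversations FORCE ROW LEVEL SECURITY;

-- One policy for reads (USING) and writes (WITH CHECK): a row is visible or
-- writable only if its tenant_id equals the tenant bound to this transaction.
-- The application sets app.tenant_id with SET LOCAL after authenticating the
-- caller; it must never be derived from user-controlled input.
CREATE POLICY tenant_isolation ON conversations
    USING      (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

-- The application connects as a role that does not own the table and cannot
-- bypass RLS (NOBYPASSRLS is the default, stated here to make it explicit).
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON conversations TO app_user;

-- Sample session (run by a role that is a member of app_user; assumed setup).
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

-- Allowed: the row's tenant_id matches the session tenant.
INSERT INTO conversations (tenant_id, transcript)
    VALUES ('11111111-1111-1111-1111-111111111111', 'hello');

-- Only tenant 1111...'s rows are returned, whatever other tenants stored.
SELECT count(*) FROM conversations;

-- Rejected by WITH CHECK: writing a row for another tenant raises
-- "new row violates row-level security policy" and aborts the transaction,
-- so it is deliberately the last statement here.
INSERT INTO conversations (tenant_id, transcript)
    VALUES ('22222222-2222-2222-2222-222222222222', 'other');
ROLLBACK;

-- Failure mode worth checking: if app.tenant_id is unset (never defined, or
-- reset to '' after SET LOCAL), current_setting() errors or the ''::uuid cast
-- errors, so the query fails closed instead of matching every tenant's rows.
```

Two things to verify in such a setup beyond the policy text: run the suite as the table owner with FORCE omitted and confirm the leak, and grep the application for any code path that sets `app.tenant_id` from a header or query string rather than from the verified session.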
Authentication
JWT-based auth with secure session management. OAuth 2.0 for integrations.
Audit Logging
Immutable audit trails for all actions. 90-day retention minimum.
Backup & Recovery
Daily automated backups with 30-day retention. Tested disaster recovery.
Monitoring
24/7 infrastructure monitoring. Automated alerting for anomalies.
Data Privacy
Your data, your control
Data Residency
All data hosted in Switzerland and EU. No transfers to third countries without explicit consent.
Data Retention
Configurable retention policies. Data deleted upon request within 30 days.
Data Subject Rights
Full support for access, rectification, erasure, and portability requests.
Consent Management
Granular consent controls with complete audit trail of all consent changes.
AI Governance
Responsible AI by design
AI Disclosure
Every AI interaction clearly identifies itself as artificial intelligence. No deceptive practices.
Training Data
We do not use customer data to train AI models. Your data remains yours.
Human Oversight
Transfer to human agent always available. AI handles routine tasks, humans handle exceptions.
Bias Prevention
Regular audits of AI outputs to prevent discriminatory or harmful responses.
Subprocessors
Third parties that process data on our behalf
Last updated: January 2026
| Subprocessor | Purpose | Location |
|---|---|---|
| Voice AI Provider | Conversational AI voice processing | EU (Frankfurt) |
| Stripe | Payment processing | EU (Ireland) |
| Google Cloud | Calendar integration, OAuth | EU (Belgium) |
| Resend | Transactional email delivery | USA |
| Hetzner | Primary infrastructure hosting | Germany |
| Cloudflare | CDN, DDoS protection, DNS | Global (EU preferred) |
| Sentry | Error tracking and monitoring | EU |
Security Contact
For security inquiries or to report vulnerabilities, contact our security team.
security@aiagens.ch
Response within 24 hours for security matters.