Privacy & Compliance

How we protect your data within the Attic services.

Version 1.0 · 25 June 2026

The four safeguards

EU-only processing

Data and AI inference entirely within the EEA: Hetzner (DE + FI), Azure West Europe and AI inference in Sweden Central. No transfer outside the EEA.

No training on your data

Microsoft contractually guarantees that your prompts and responses train no AI model whatsoever. The model (Claude) runs at Microsoft; Anthropic receives no customer data.

Runtime-only processing

The language model processes your incident data only during the active analysis. No persistent storage, no memory between sessions, no profiling.

Isolated per customer

Access via delegated OAuth tokens, read-only and specific to your tenant. Cross-contamination between customers is technically rejected by the OAuth scope.

Where your data goes

  1. 1

    Microsoft 365

    Read-only via delegated OAuth, revocable via Entra ID

  2. 2

    Attic backend

    Assemble the context package

    ★ Hetzner · DE/FI
  3. 3

    AI inference

    Analysis, runtime-only

    ★ Azure · Sweden
  4. 4

    Verdict

    Remediation proposal back to the audit trail

  5. 5

    Your dashboard

    Execution only with your approval - explicit or pre-configured

Compliance & safeguards

GDPR-compliant

ISO/IEC 27001:2023 - certification in progress (Stage 2 audit Q4 2026)

Entirely within the EU/EEA - no transfer beyond it

Data breach notification ≤ 48 hours to you

Retention periods: IVON 30 days · monitoring 1 year · full deletion ≤ 37 days after termination

Data subject rights - response within 30 days

Privacy Statement

Version 1.0 (English edition) · 25 June 2026

English edition of the authoritative Dutch version 1.0; in the event of any discrepancy, the Dutch version prevails.