Privacy is not an add-on.
It is the foundation.
Aficial is built for privacy-sensitive business operations from the ground up. EU hosting, one-click DPA, a complete subprocessor list and automatic PII redaction before every AI call. Included by default, without an enterprise plan.
Hosting
EU regions
Supabase West EU/Ireland + Vercel fra1
Encryption
TLS 1.2+ in transit
AES-256 at rest
AI training
No use for model training
Under commercial provider terms
The path of a customer email
Every request moves through five steps, from inbox to reply. At each point we control what the AI can see and where the data goes.
1. Customer writes an email
A customer email arrives in the organization inbox (Gmail, Outlook or IMAP). Aficial reads it through OAuth or IMAP.
2. PII redaction before AI processing
Before any text reaches the AI, credit cards, IBANs, phone numbers and ID numbers are masked automatically. The AI never sees that data.
3. AI processing without model training
The redacted content is sent to Anthropic Claude. Commercial API content is not used for model training under provider terms; retention and DPA evidence is tracked in the legal gate.
4. Draft reply in the EU
The AI reply is stored in the Aficial database (Supabase West EU/Ireland). The backend decides whether it can be sent or needs human review.
5. Send and audit trail
The reply leaves Aficial only through the original mailbox provider. Every step is recorded in a structured audit log with timestamp, actor and reason.
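The redaction step above, as an added example that is not Aficial's code: a TypeScript masking pass that validates card numbers (Luhn) and IBANs (mod 97) before replacing them, so order numbers and similar lookalikes survive while real identifiers become typed placeholders that the audit log can count. The patterns, the placeholder names and the ID-number format are assumptions made for this illustration.

```typescript
// Added example (not Aficial's code): mask card numbers, IBANs, phone numbers and
// ID numbers in an email body before it reaches an AI provider. Patterns assumed.
interface RedactionResult { text: string; counts: Record<string, number>; }

// Luhn checksum: a digit run that fails it is kept as-is (order numbers etc.).
function luhnValid(digits: string): boolean {
  let sum = 0, alt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alt) { d *= 2; if (d > 9) d -= 9; }
    sum += d; alt = !alt;
  }
  return sum % 10 === 0;
}

// ISO 13616 mod-97 check, computed digit by digit so no BigInt is needed.
function ibanValid(iban: string): boolean {
  const s = iban.replace(/\s+/g, "").toUpperCase();
  if (!/^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$/.test(s)) return false;
  const expanded = (s.slice(4) + s.slice(0, 4)).replace(/[A-Z]/g, (c) => String(c.charCodeAt(0) - 55));
  let rem = 0;
  for (let i = 0; i < expanded.length; i++) rem = (rem * 10 + (expanded.charCodeAt(i) - 48)) % 97;
  return rem === 1;
}

// Rules run in this order so an IBAN is masked before its digits could pass as a card.
const RULES: { label: string; re: RegExp; check?: (m: string) => boolean }[] = [
  { label: "IBAN", re: /\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){2,7}(?:[ ]?[A-Z0-9]{1,4})?\b/g, check: ibanValid },
  { label: "CARD", re: /\b(?:\d[ -]?){13,18}\d\b/g, check: (m) => luhnValid(m.replace(/[ -]/g, "")) },
  { label: "PHONE", re: /(?:\+\d{1,3}[ -]?)?\(?\d{2,5}\)?[ -]?\d{3,4}[ -]?\d{3,5}\b/g },
  { label: "ID", re: /\b[A-Z]{1,2}\d{7,9}\b/g }, // hypothetical national-ID format
];

// Replace each validated match with a typed placeholder and count what was masked,
// so the audit log can record "1 card, 1 IBAN" without ever storing the values.
function redactPII(text: string): RedactionResult {
  const counts: Record<string, number> = {};
  let out = text;
  for (const { label, re, check } of RULES) {
    out = out.replace(re, (m) => {
      if (check && !check(m)) return m;
      counts[label] = (counts[label] ?? 0) + 1;
      return `[${label}]`;
    });
  }
  return { text: out, counts };
}

// Constructed sample email, not real customer data.
const SAMPLE_EMAIL = "Hi, my card 4111 1111 1111 1111 was charged twice. Please refund to "
  + "DE89 3704 0044 0532 0130 00 and call me on +49 30 1234567. Order 1234-5678, ID AB1234567.";
console.log(redactPII(SAMPLE_EMAIL));
```

The checksums keep false positives down for cards and IBANs, but the phone and ID patterns are heuristics: a format they miss reaches the provider unmasked, so the returned counts are evidence for the audit log, not proof that nothing leaked.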
Subprocessors
Complete list of third parties involved in processing. DPA and transfer-basis evidence is tracked in the approval records; each provider is named in the Aficial DPA.
Supabase Inc.
Database hosting and authentication
Location: West EU (Ireland), region eu-west-1
Processed data: Customer data, email metadata, configuration, audit log
Anthropic PBC
AI model provider (Claude)
Location: USA — protected through Standard Contractual Clauses under GDPR Art. 46(2)(c); Anthropic is not certified under the EU-US Data Privacy Framework
Processed data: Redacted email content for AI processing; no model-training use under commercial terms
Vercel Inc.
Hosting and edge delivery
Location: Frankfurt (fra1 region) for compute, global CDN for static assets
Processed data: Request logs and static assets (no access to customer data)
Resend Inc.
Transactional email delivery (notifications, not customer contact)
Location: USA — SCCs
Processed data: System notifications only (billing, password resets)
Stripe Payments Europe, Ltd.
Payment processing
Location: Ireland (EU)
Processed data: Billing data, not organization customer data
Upstash Inc.
Redis cache and rate limiting
Location: Frankfurt (EU region)
Processed data: Rate-limit counters and short-lived idempotency keys, no PII
Google LLC
OAuth/Gmail connection after consent
Location: EU/USA — SCCs and EU-US Data Privacy Framework
Processed data: Auth token, email address and mailbox data only after consent
Google LLC — Google Generative AI
Embedding generation for semantic search
Location: EU/USA — SCCs and EU-US Data Privacy Framework
Processed data: Knowledge-base text chunks and derived embeddings
Functional Software, Inc. (Sentry)
Error and crash reporting
Location: USA — SCCs
Processed data: Stack traces, technical metadata and pseudonymous IDs; no email content
Technical and organizational measures
Not every protection we run fits neatly into a DPA checklist. The same security foundation applies to all of them.
- Encryption for all data in transit (TLS 1.2+)
- Encryption at rest (AES-256 through Supabase)
- Role-based permissions with granular rights per team member
- Atomic email locking against duplicate processing and race conditions
- Automatic PII redaction before every AI call
- Layered protection against prompt injection, spam and phishing
- Structured audit log with actor, timestamp and before/after diff for every configuration change
- Rate limiting on every privileged endpoint
- Token validation against negative, NaN and absurdly high values
- Hallucination guardrails automatically block invented tracking numbers, prices or dates
Data subject rights
GDPR gives every data subject seven concrete rights. Aficial has a one-click workflow for each of them.
Access (Art. 15)
One click in the customer detail view generates a GDPR package with communication history and response templates.
Rectification (Art. 16)
Customer data can be edited from the customer view at any time.
Erasure (Art. 17)
Complete deletion of a data subject through the GDPR API endpoint. The audit log remains anonymized for legal documentation.
Restriction (Art. 18)
Processing for individual customers can be paused immediately.
Portability (Art. 20)
JSON export as part of the GDPR package.
Objection (Art. 21)
Per-customer opt-out from automated processing is available.
Complaint (Art. 77)
The responsible supervisory authority is linked from the legal notice.
Retention periods
- Customer communication: for the duration of the business relationship between you and the end customer
- After the business relationship ends: statutory retention periods under German commercial and tax law (6 years under HGB §257, 10 years under AO §147)
- Audit log: kept permanently, but automatically anonymized when GDPR Art. 17 erasure applies
- Usage logs (billing): 24 months
- AI processing at Anthropic: no model-training use under commercial provider terms; concrete retention follows the DPA/provider contract
Incident response
When an incident happens, speed matters. Our process is aligned with GDPR Art. 33 and its 72-hour notification window.
Detection
Automated monitoring (Sentry, internal health checks) plus manual reports
Escalation
Within 4 hours to the data protection lead and company management
Notification
Affected customers and the responsible supervisory authority within 72 hours
Questions about privacy or compliance?
Data protection officers can contact us directly. We answer concrete DPA and compliance questions within 48 hours.
Updated: May 27, 2026