Validio

Security · Compliance

Your data, protected. Your business, compliant.

Validio was built on GDPR and EU AI Act 2026 requirements from the first commit. No hidden clauses, no transfers outside the EU for regulated data, no third parties retaining your logs. This page spells out exactly what we do with your information.

GDPR

EU Regulation 2016/679 — implemented, not decorated

Every processing operation has a documented legal basis, the right to erasure is a real endpoint, and the DPA is available under NDA for Agency clients.

  • Legal basis per operation

    Legitimate interest for public market analysis, contract performance for processing your organization's data, and explicit consent for any profiling involving PII. Each case is logged in our record of processing activities (Art. 30).

  • Functional right to erasure

    The DELETE /api/v1/data-subjects/:id endpoint cascade-removes jobs, agent_tasks, logs and agent memories. Maximum deadline: 30 calendar days (Art. 17). It's not a marketing promise — it's production code.

  • DPA available under NDA

    For Agency and White-Label plans we sign a Data Processing Agreement based on the European Commission's standard contractual clauses. Email us and you'll have it back in under 48 business hours.

EU AI Act 2026

Classification: Limited Risk (Art. 6)

Validio supports business decisions through recommendations presented to humans. It does not automate employment, credit or service-access decisions — that places it outside the High Risk regime.

  • Mandatory transparency met

    Every analysis explicitly indicates that the content is AI-generated. The end user always knows they are interacting with Claude Sonnet agents, not a human consultant.

  • Automated-decision traceability

    Each pipeline agent (Lead Qualifier, Business Analyzer, ROI Calculator, etc.) writes a structured record of input, output and duration to agent_tasks. Any recommendation is auditable down to the prompt that produced it.

  • Local auditing, no third parties

    Compliance logs are written directly to our own database (Supabase EU). Sending audit logs or agent memory to third-party SaaS is forbidden — the erasure policy stays under Validio's control at all times.

Encryption

Three layers: in transit, at rest, secrets

Nothing travels in cleartext, nothing is stored in cleartext, nothing leaks into logs. Defense-in-depth applied to the entire stack.

  • TLS 1.3 in transit

    All communication between frontend, backend, agents and external providers travels over TLS 1.3, with TLS 1.2 as the minimum accepted version. Plain HTTP is rejected at every production endpoint.

  • AES-256-GCM for tokens

    OAuth tokens for Google Search Console / GA4 and BYOK API keys are encrypted with AES-256-GCM before persistence. The master key lives only as a Railway environment variable — never in source or logs.

  • Supabase encryption at rest

    The entire PostgreSQL database and Cloudflare R2 buckets encrypt content at rest natively. Backups included. No external tables, no replicas outside our control.

Data residency

European data on European infrastructure

For any data classified as regulated there is no transfer outside the European Union. Period.

  • Supabase EU-West (Frankfurt)

    The full PostgreSQL database (jobs, agent_tasks, user_profiles, credits, integrations) lives in Supabase's European region. No data crosses the Atlantic.

  • Cloudflare R2 — EU bucket

    Generated HTML and PDF reports are stored in R2 with a European location hint. Files are served via signed, short-lived URLs (not public by default).

  • No transfers outside the EU

    Validio does not route regulated data (EU citizen PII, internal client content) to external LLM providers without prior classification. For those cases the private module on our own VPC takes over.

Auditing

Structured logs, short retention, zero PII

EU AI Act traceability is achieved without retaining personal data. Every event is a structured JSON with auditable fields — not a text dump with emails inside.

  • Structured events

    All logs follow a JSON schema with fixed fields (event, job_id, user_id, duration_ms, …). Greppable, aggregable and PII-free by design. Event catalog documented internally.

  • 90-day retention by default

    Operational logs rotate after 90 days unless a specific legal obligation applies. Compliance records required by the EU AI Act are kept for the legal minimum (10 years for the documented-decisions module).

  • Sentry with PII scrubber

    The Sentry SDK (frontend and backend) ships a before_send hook that strips emails, phone numbers, NIF, tokens and auth headers before any event is uploaded. Verified through automated tests.
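An added example, not Validio's own code, of what a before_send hook of this kind looks like: a pure-Python function that walks a Sentry event, masks the PII classes named above and drops auth headers, run here over a constructed sample event. The regex patterns, header names and secret-key names are assumptions; NIF matching covers the Spanish 8-digits-plus-control-letter format.

```python
import re

# Constructed example of a Sentry before_send scrubber (not Validio's code); masks the
# PII classes the page lists: emails, 9-digit phones with optional country code, Spanish NIF, bearer tokens.
_MASKS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[email]"),
    (re.compile(r"\b\d{8}[TRWAGMYFPDXBNJZSQVHLCKE]\b", re.I), "[nif]"),
    (re.compile(r"(?:\+\d{1,3}[\s-]?)?\d{3}[\s-]?\d{3}[\s-]?\d{3}\b"), "[phone]"),
    (re.compile(r"\b(?:Bearer|Basic)\s+[A-Za-z0-9._~+/=-]+", re.I), "[token]"),
]
# Headers removed outright (assumed names); keys whose value is always replaced, whatever its format.
_DROP_KEYS = {"authorization", "cookie", "set-cookie", "x-api-key"}
_SECRET_KEYS = {"password", "token", "access_token", "refresh_token", "api_key"}

def _scrub(obj):
    """Return a scrubbed copy of any JSON-like value; the input is never mutated."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            name = str(key).lower()
            if name in _DROP_KEYS:
                continue                      # drop auth headers and cookies entirely
            out[key] = "[filtered]" if name in _SECRET_KEYS else _scrub(value)
        return out
    if isinstance(obj, list):
        return [_scrub(item) for item in obj]
    if isinstance(obj, str):
        for pattern, mask in _MASKS:
            obj = pattern.sub(mask, obj)
        return obj
    return obj                                # numbers, booleans, None pass through

def before_send(event, hint):
    """Sentry hook: register with sentry_sdk.init(before_send=before_send).
    Returns the event rather than None, so the error itself is still reported."""
    return _scrub(event)

# Constructed sample event; job_id and duration_ms are the page's structured-log fields.
SAMPLE_EVENT = {
    "message": "Login failed for ana.garcia@example.com (NIF 12345678Z) from +34 612 345 678",
    "request": {
        "headers": {"Authorization": "Bearer eyJabc.def.ghi", "Cookie": "sid=1", "User-Agent": "curl/8.0"},
        "data": {"password": "hunter2", "note": "call me at 612345678"},
    },
    "extra": {"job_id": "job_42", "duration_ms": 1234},
    "breadcrumbs": [{"message": "token=Bearer sk_test_placeholder"}],
}
```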

Subprocessors

Four providers, declared purposes

Complete list of companies with access to data processed by Validio. Minimum necessary, with a documented purpose for each one.

  • Anthropic

    LLM inference (Claude Sonnet 4.6 + Haiku 4.5) for the pipeline agents.

    Only public analysis data (URL, business description, publicly scraped content). Zero EU citizen PII.

  • OpenAI

    Embeddings (text-embedding-3-small) for the semantic search engine of Lupin's knowledge base.

    Chunks of Validio's internal documentation (not client content). No PII in any case.

  • Stripe

    Payment processing, subscriptions and billing.

    Data strictly required for the transaction: email, name, billing address. Card data never touches Validio's servers (PCI-DSS managed by Stripe).

  • Resend

    Transactional email delivery (confirmations, alerts, reports).

    Recipient email and message content. No tracking pixels, no profile enrichment.

Compliance roadmap

What we already cover and what's next

Current status of each regulatory framework. Future certifications are stated goals, not contractual commitments — timelines may shift with planning.

  1. Implemented

    GDPR · EU Regulation 2016/679

    Documented legal basis, functional right to erasure, DPA available under NDA.

  2. Compliant

    EU AI Act 2026 · Limited Risk

    Mandatory transparency, decision traceability and local auditing with no third parties.

  3. Audit planned

    ISO/IEC 27001

    Information Security Management System under review with an external auditor. No public date confirmed.

  4. Under evaluation

    SOC 2 Type 1

    Security controls framework oriented to the English-speaking market. Currently under feasibility and cost-benefit analysis.

Legal support

Does your legal team need the DPA before signing?

Email support@seo-invoke.com with your organization's domain and we'll send the Data Processing Agreement under NDA in under 48 business hours.