Trust Center
Security
Frequently asked questions about how Walma AI protects your data and meets regulatory requirements.
All data is stored within the European Union. Our primary infrastructure runs on Microsoft Azure in the Sweden Central region (Stockholm). Our database services are hosted by Supabase in Sweden. No data is transferred outside the EU/EEA.
Yes. All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. Database backups are also encrypted. Encryption keys are managed through Azure Key Vault with automatic key rotation.
Yes. We provide a GDPR-compliant Data Processing Agreement to all customers. Our DPA covers data processing purposes, security measures, sub-processor management, data subject rights, and breach notification procedures. Contact us at info@walma.ai to request a copy.
We are fully committed to GDPR compliance. This includes: data minimization — we only collect data necessary for service delivery; purpose limitation — data is processed only for specified purposes; EU data residency — all data stays within the EU; data subject rights — we support access, rectification, erasure, and portability requests; DPAs with all subprocessors; and regular security assessments.
We monitor and align our AI systems with the requirements of the EU AI Act. This includes maintaining transparency about how our AI models process data, documenting AI system capabilities and limitations, implementing human oversight mechanisms, conducting risk assessments for AI-driven features, and ensuring non-discriminatory AI outputs.
We maintain a documented incident response plan. In the event of a security incident: we aim to detect and assess the incident within hours; affected customers are notified within 72 hours as required by GDPR; the relevant data protection authority is notified where required; a root cause analysis is conducted; and remediation measures are implemented and documented.
We implement strict access controls including: role-based access control (RBAC) for all internal systems; multi-factor authentication (MFA) required for all team members; principle of least privilege for system access; regular access reviews and audit logging; and secure authentication flows for customer-facing applications.
We retain customer data only for as long as necessary to provide our services. When a customer terminates their account, we delete their data within 30 days. Backups containing customer data are purged within 90 days. Anonymized and aggregated analytics data may be retained longer for service improvement purposes.