Your data. EU-only. Short-lived. Never seen.

The data controller for all personal data processed through Aileth is:

We do not use your documentation for model training, benchmarking, or any purpose beyond delivering the service described in your subscription.

• Performance of a contract (Art. 6(1)(b) GDPR) — Processing your account data and uploaded documents is necessary to deliver the compliance analysis service you have subscribed to.
• Legitimate interests (Art. 6(1)(f) GDPR) — Retaining minimal usage logs for a short period to detect abuse and ensure service integrity.

We do not rely on consent as a legal basis for the core service. If we were to process your data for any other purpose, we would seek explicit consent before doing so.

This is a deliberate architectural choice, not just a policy commitment. Aileth analyses your compliance documentation automatically — no human ever reads, reviews, or has access to what you upload.

• No human review — document analysis is fully automated. Aileth staff do not read, annotate, or moderate your content.
• No privileged access tooling — there is no internal admin interface that grants staff access to customer document content.
• Client-controlled encryption — documents are encrypted with a password you set yourself on first login, along with a recovery key that only you hold. Aileth never has access to your encryption password. Even with full infrastructure access, the stored data cannot be decrypted without it.
• Access logs contain no content — operational logs record timestamps and metadata (file size, document type) but never document contents.

If you contact support, we can see basic account metadata from the authentication system: whether your account exists, is active, and when you last logged in. We cannot see your documents, reports, or the number of files you have uploaded — those are stored encrypted in your tenant storage and are indistinguishable to us.

Aileth applies a short and strict retention policy. We keep your data for as long as strictly necessary to deliver the service — and no longer.

You may request early deletion of all your data at any time by contacting privacy@aileth.eu. We will complete the deletion within 5 business days and confirm in writing.

All processing happens within a single EU datacenter. The diagram below shows every stage a document passes through from upload to deletion.

Your documents are never sent to US-based AI providers (no OpenAI, no Anthropic, no Google). Analysis runs via Scaleway's generative AI infrastructure — EU-hosted, and subject to the same data residency commitments as the rest of the service.

• Encryption in transit — All communication is encrypted via TLS 1.3. No unencrypted HTTP is accepted.
• Client-controlled encryption at rest — on first login you set a personal encryption password and receive a recovery key. Your documents are encrypted with that password before storage. Aileth never holds your encryption key — meaning the data cannot be decrypted even by us.
• Tenant isolation — Each client's data is stored in a separate namespace in the vector database. Cross-tenant access is architecturally prevented at the API layer.
• Authentication — All access requires authentication via Keycloak SSO. JSON Web Tokens are short-lived and validated on every request.
• Network policy — The application cluster enforces Kubernetes NetworkPolicy: internal services are not reachable from the public internet except through the authenticated API.
• EU-only infrastructure — No data is processed or stored outside the European Union. Infrastructure runs on Scaleway (Paris datacenter), a French cloud provider not subject to US CLOUD Act jurisdiction.

As a data subject under GDPR, you have the following rights. To exercise any of them, contact privacy@aileth.eu. We will respond within 30 days.

If you believe we have not handled your data in accordance with GDPR, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

Aileth is a computationally intensive service. Each gap analysis involves AI processing of your documentation — a process that carries real infrastructure cost. Our subscription pricing reflects typical usage by an organisation conducting a genuine ISO 27001 audit preparation.

Normal use includes uploading documentation as it is produced or updated, running analyses when your documentation set changes materially, and re-analysing individual controls as you address identified gaps.

If your organisation requires a higher processing volume — for example, managing multiple subsidiaries or running continuous compliance monitoring — please contact us at info@aileth.eu to discuss an appropriate arrangement.

We reserve the right to impose rate limits or suspend access for accounts showing patterns of systematic abuse. We will always notify an account holder before suspension except in cases of egregious abuse.

For all questions about this policy, data subject requests, or privacy concerns:

This policy was last updated in April 2026. We will notify active subscribers of any material changes at least 30 days before they take effect.