Security & DPA
How we protect your data
We build and operate Valiido around the same information security standards we help our customers reach.
-
Strict tenant isolation
Every workspace is logically separated; the boundary is enforced server-side on every request.
-
Your data isn't repurposed
We don't use your content for advertising, profiling or AI training.
-
Data minimization by design
We collect and store only what's needed to run the service.
-
Encryption in transit
All connections to Valiido use TLS to current industry standards.
-
Encryption at rest
Data is encrypted at rest at the infrastructure layer.
-
Hardened admin access
Administrative access to production runs only over a private network with key-based authentication.
Subprocessors
We use a small number of third-party subprocessors to run Valiido. Each is bound by a written data processing agreement that extends GDPR safeguards to your data wherever it's processed. We give reasonable advance notice before adding or replacing a subprocessor.
- Hetzner – Hosting.
- Cloudflare – Web Application Firewall.
- Stripe – Payment processing.
- Postmark – Sending e-mails.
- Sentry – Error monitoring.
- Anthropic – AI features in AuditMagic.
- Google (Gemini) – AI features in AuditMagic.
- OpenAI – AI features in AuditMagic.
Data Processing Agreement (DPA)
This DPA is part of our Terms and Conditions. It applies whenever Valiido (Christopher Eller, Herderstraße 17, 64285 Darmstadt) processes personal data for a customer (you) as part of the Valiido service. You are the controller, we are the processor under Article 28 GDPR. In case of conflict on data protection matters, this DPA takes precedence over the Terms.
1. Definitions
- Personal Data: any information relating to an identified or identifiable person (Article 4 GDPR).
- Customer Data: the data you and your users put into Valiido.
- Data Protection Laws: the GDPR and any other data protection laws that apply to the processing.
- Subprocessor: any processor we engage to help deliver the Services.
- Standard Contractual Clauses (SCCs): the EU SCCs from Implementing Decision 2021/914.
2. Roles and instructions
You are the controller, we are the processor. We process personal data only to provide Valiido, on your documented instructions (Terms, this DPA, in-product settings), and in line with Data Protection Laws. We will tell you without undue delay if an instruction, in our view, breaks Data Protection Laws.
3. Subject matter, duration and purpose
The subject matter is providing Valiido to you. The DPA runs for as long as we process personal data on your behalf, typically the term of your subscription. We use personal data only to run the service: operating the application, support, transactional e-mails, billing, and the AI features in AuditMagic.
4. Categories of personal data
- Account data: names, business e-mail addresses and login credentials of your authorized users.
- Content data: anything you and your users put into Valiido (documents, tasks, risks, vendors, etc.), which may include personal data of your employees, contractors and others you reference.
- Usage data: IP addresses, device and browser information, activity logs.
- Billing data: billing e-mail address and subscription metadata.
5. Categories of data subjects
- Your authorized users.
- People referenced in your content, typically your employees, contractors, customers and suppliers.
6. Your responsibilities
- Have a valid lawful basis for the data you put into Valiido.
- Ensure the data is accurate and lawfully collected.
- Give the required notices to data subjects and obtain any required consents.
7. Our commitments
- We treat personal data as confidential.
- We do not sell personal data and do not use it for advertising or profiling.
- We do not try to re-identify pseudonymized or anonymized data.
- We do not share personal data outside our work for you. If a government asks for access we tell you when allowed, and we challenge inappropriate requests.
- We assist you to a reasonable extent with data protection impact assessments and consultations with supervisory authorities.
8. Personnel
People with access to your data are under written confidentiality obligations and only have access when they need it for the job.
9. Security
We apply the technical and organizational measures (TOMs) summarized at the top of this page. We will not materially decrease the security of the Services during your term. On reasonable request we share summary information about our security measures.
10. Personal data incidents
We notify you without undue delay after becoming aware of a personal data breach affecting your data, and work to identify the cause and contain it. This does not apply to incidents you or your users cause.
11. Data subject requests
If a data subject contacts us directly (access, rectification, erasure, restriction, portability, objection), we forward the request to you and do not reply without your instruction. If you cannot handle the request inside the product, we help to a reasonable extent.
12. Subprocessors
The subprocessors at the top of this page support us. Each has a written data processing agreement with us with terms at least as protective as this DPA.
13. International transfers
We host customer data in the EU. Where a subprocessor processes data outside the EU/EEA, the transfer is covered by an adequacy decision or by the EU SCCs (Article 46 GDPR), which form part of this DPA. By accepting our Terms you and we are deemed to sign the SCCs. The SCCs are governed by German law.
14. Return and deletion
When your subscription ends we return or delete personal data, except where law requires us to keep it. On request we confirm the deletion in writing.
15. Audits
You can verify our compliance by reading this page and sending us questions in writing. On-site audits are possible by prior arrangement, at reasonable intervals and at your cost.
16. Liability and changes
Liability is governed by our Terms. We may update this DPA when required by law or because the service changes. Material changes are announced in advance.
Last updated: 27 May 2026
Your ISMS for ISO® 27001 and TISAX®
Valiido bundles everything you need - policies, 1-Click examples, 10+ modules, and a guided path - into a single platform with unlimited support.
Implement your ISMS yourself for a fraction of what a consulting project costs.
Pick a plan and start today.
- Expert Pre-Audit Review included in Pro
- Pay by credit card or SEPA - instant access
- Unlimited support by email and chat