Custody of the data, on the record.

Data handling overview.

Residency

European Union. Storage and backup are EU-resident; no customer data leaves the EU as part of normal operations.

Encryption at rest

AES-256 with platform-managed keys. Database, file storage, and backups are encrypted.

Encryption in transit

TLS 1.2 or higher, modern cipher suites, HSTS preload. No plain-HTTP path is permitted.

Tenancy isolation

Role-scoped database connection pools at the data layer. A tenant query cannot read another tenant's rows by design.

Backups

Daily encrypted snapshots. Retention is set per tenant in the master agreement; restores are tested on a regular cadence.

Retention

Per the tenant's contracted policy. Audit data is preserved for the period required by EU ELV and UK ATF rules.

GDPR posture.

Data Protection Officer

privacy@dismanto.com — direct line to the DPO for data subject requests and supervisory authority contact.

Data subject rights

Access, rectification, erasure, restriction, portability, and objection — handled within the GDPR-mandated window.

Processing register

Documented record of processing activities (Article 30) shared with enterprise customers under NDA.

Sub-processors

Current sub-processor list is published to customers; changes are notified before adoption.

The plain-language GDPR statement and current sub-processor list live at /legal/gdpr.

Questions about security.

Related reading

• Privacy notice
• GDPR statement and data subject rights
• Compliance summary (ELV, ATF, VAT, GDPR)
• API and webhook security