Security and Compliance: GDPR and EU Data Residency
Data Alchemy processes your business documents — invoices, delivery notes, orders, contracts — with a security-first approach: GDPR compliance, data residency within the European Union, encryption in transit and at rest, access control and full transparency on sub-processors. On this page you will find the security and compliance guarantees your IT and legal teams can assess before the demo, without signing an NDA just to read how we protect your data.
The pillars of security and compliance
Data protection is not an optional feature: it is how Data Alchemy is designed. Here are the four pillars our security and compliance posture is built on.
GDPR compliance
We process the personal data in your documents as a data processor on your behalf, under a dedicated Data Processing Agreement (DPA), with purposes limited to the processing you entrust to us.
EU data residency
Documents and extracted data are hosted and processed on cloud infrastructure within the European Union, with no transfers to third countries lacking adequate safeguards.
End-to-end encryption
Every document is encrypted in transit (TLS 1.2+) and at rest (AES-256). ERP integration credentials are kept in an encrypted vault and never exposed in plain text.
Minimization and retention
We process only the data needed for extraction and validation. Retention and deletion policies are agreed in the contract, and documents can be deleted on request.
GDPR compliance and EU data residency
Data Alchemy is an Italian company and processes data in full compliance with Regulation (EU) 2016/679 (GDPR). When we process your documents we act as a data processor on behalf of your company, which remains the data controller: we process personal data only for the purposes you entrust to us — extraction, validation and writing into the ERP — and according to your documented instructions. Data residency is within the European Union: uploaded documents, extracted data and application logs reside on cloud infrastructure located in the EU, so your IT team and DPO can assess the risk even before the demo.
Clear roles and responsibilities
You are the data controller, Data Alchemy the processor. The DPA defines purposes, data categories, duration and security measures under Article 28 GDPR.
Data residency in the European Union
Storage, processing and backups take place in EU-based data centers. No transfers to third countries without adequate safeguards (standard contractual clauses or adequacy decisions).
Data subject rights
We support the exercise of GDPR rights (access, rectification, erasure, portability): at the controller's request we extract or delete the personal data contained in the processed documents.
Records and transparency
We keep a record of processing activities and an up-to-date list of sub-processors, available to customers for their own compliance assessments.
Technical and organizational security measures
Data security means encryption, access control and reliable infrastructure. Here are the technical and organizational measures that protect the documents you entrust to us.
Data encryption
- Encryption in transit with TLS 1.2 or higher
- Encryption at rest of documents with AES-256
- ERP credentials kept in an encrypted vault
- Logical data segregation between customers (multi-tenant)
Access control
- Access based on the principle of least privilege
- Integration authentication via API keys and tokens
- Tracking of access and operations (audit log)
- Immediate credential revocation at end of contract
Infrastructure and continuity
- Hosting on certified EU cloud providers
- Periodic backups and disaster recovery
- Continuous system monitoring and patching
- Separation of development and production environments
Organizational practices
- Confidentiality agreements with staff and suppliers
- Team training on security and data protection
- Structured incident management and controller notification
- Security assessment of new sub-processors
How we process documents with multi-engine AI
Data Alchemy assigns the most suitable LLM to each document model — today Claude AI, which outperformed GPT, Gemma and DeepSeek in our tests. We know that sending business documents to an AI engine is the most sensitive question for anyone evaluating the platform, so we are transparent about how it works. Documents are processed through the AI providers solely to extract and structure the data you ask for, under data processing agreements (DPAs) and without your content being used to train third-party models.
No training on your data
Documents sent to the AI engines are not used to train or improve the providers' models: they only serve to produce the extraction we return to you.
Sub-processors under contract
AI providers are treated as sub-processors, bound by DPAs and adequate security measures. The list is available for compliance assessments.
Limited and tracked processing
AI processing is limited to the single extraction operation; we do not build profiles on the content of your documents beyond what the service requires.
Validation that reduces exposure
Validation against ERP master data happens within our EU perimeter, reducing the data that passes through the AI engines to the minimum necessary.
Compliance standards and reference frameworks
Our security measures are designed following recognized industry standards. Here are the frameworks that guide our compliance posture.
GDPR — Regulation (EU) 2016/679
Personal data processing compliant with the GDPR, with a DPA under Article 28, a record of processing activities and support for data subject rights.
ISO/IEC 27001 principles
Our technical and organizational measures are aligned with the information security management principles of the ISO/IEC 27001 standard.
Certified cloud providers
The infrastructure relies on EU cloud providers that maintain recognized certifications (e.g. ISO 27001, SOC 2) on their data centers.
FatturaPA and Italian regulatory context
We support the formats and flows of Italian electronic invoicing (FatturaPA), in line with the technical rules of the Italian Revenue Agency.
Resources related to security and integrations
The multi-engine AI technology
How Data Alchemy picks the most suitable LLM for each document and validates data against ERP master data.
ERP integration
Native connectors, REST APIs, webhooks and SQL to write data securely into SAP, Zucchetti and TeamSystem.
Anomaly and fraud detection
Detection of duplicates, suspicious IBANs and off-contract prices before posting into accounting.
Frequently asked questions about security and compliance
Is Data Alchemy GDPR compliant?
Yes. Data Alchemy is an Italian company and processes the personal data contained in your documents in compliance with Regulation (EU) 2016/679 (GDPR). We act as a data processor on behalf of your company, which remains the controller, based on a Data Processing Agreement (DPA) under Article 28 GDPR that defines purposes, data categories, duration and security measures.
Where is my data hosted and processed?
Data residency is within the European Union: uploaded documents, extracted data, backups and application logs reside on cloud infrastructure located in the EU. We do not transfer data to third countries lacking adequate safeguards under the GDPR.
How are the documents I send protected?
Documents are encrypted in transit with TLS 1.2 or higher and at rest with AES-256. Access follows the principle of least privilege, operations are recorded in audit logs, and ERP integration credentials are kept in an encrypted vault, never exposed in plain text.
Are my documents used to train AI models?
No. Documents sent to the AI engines are used solely to extract and structure the data you ask for and are not used to train or improve the providers' models. AI providers are treated as sub-processors, bound by data processing agreements (DPAs) and adequate security measures.
Can I get a DPA and the list of sub-processors?
Yes. We provide a Data Processing Agreement (DPA) and an up-to-date list of sub-processors (including AI providers and EU cloud providers), so your legal team and DPO can complete the compliance assessment before the service is activated.
Do you have security certifications such as ISO 27001 or SOC 2?
Our technical and organizational measures are designed following the principles of the ISO/IEC 27001 standard for information security management, and we rely on EU cloud providers that maintain recognized certifications (ISO 27001, SOC 2) on their data centers. For the current status of our certifications and for security documentation, contact us and we will provide the details applicable to your project.
Assess Data Alchemy's security with your team
Book a free 30-minute demo: bring in IT and legal, we answer questions on GDPR, data residency, encryption and sub-processors, and we provide the security documentation useful for your assessment — no commitment.
Book a free demo