GDPR & Security
Last updated: March 2026
ACTly is built with GDPR compliance at its core. As a platform that helps organisations comply with the EU AI Act, we hold ourselves to the highest data protection standards.
1. Data Residency
All client data is stored and processed within the European Union. Our primary infrastructure runs in Ireland and Germany. We do not transfer personal data outside the EU except where Standard Contractual Clauses (SCCs) are in place with specific providers.
| Infrastructure | Location | What It Hosts |
|---|---|---|
| Supabase | Ireland (EU) | Database, authentication, file storage |
| Vercel | EU-routed edge | Web application and API |
| Railway | Frankfurt (EU) | Background job workers, agent processing |
2. Security
Encryption
- All data encrypted in transit using TLS 1.3.
- All data encrypted at rest using AES-256.
- Sensitive fields use field-level encryption in addition to database-level encryption.
Access Controls
- Role-based access control — members can only access data belonging to their organisation.
- Row-level security enforced at the database layer on all tables.
- Admin access to the platform requires superadmin privileges set directly in the auth provider.
- No ACTly employee can access your compliance documents or analysis outputs without explicit written consent.
Audit Logging
- Complete audit trail of all data access, analysis runs, and processing activities.
- Logs retained for 12 months on a rolling basis.
- Logs are immutable and cannot be modified by platform users.
3. Compliance Analysis
ACTly processes your uploaded documents and registered AI systems to generate compliance outputs using advanced analysis techniques.
Your data is never used for model training. All processing is governed by data processing agreements with Standard Contractual Clauses. A full list of service providers is available to enterprise clients on request. Contact privacy@actly.eu.
Processing happens within our controlled infrastructure pipeline. Documents are securely processed and stored in your organisation's private document library. No document content crosses between organisations.
4. Sub-processors
We use third-party service providers to operate ACTly. All providers are bound by data processing agreements.
| Provider | Location | Transfer Basis | Purpose |
|---|---|---|---|
| Supabase | EU — Ireland | EU-based | Database and authentication |
| Vercel | Edge, EU-routed | EU-based | Web hosting |
| Railway | EU — Frankfurt | EU-based | Worker infrastructure |
| Resend | EU | EU-based | Email delivery |
| Stripe | US | SCCs in place | Payment processing |
| Analysis service providers | US | SCCs in place | Compliance analysis |
Sub-processor list last reviewed: March 2026. Enterprise clients may request the full list including specific provider names at privacy@actly.eu.
5. Your GDPR Rights
As a data subject, you have the right to access, correct, delete, or port your personal data at any time. To exercise these rights, contact privacy@actly.eu. We will respond within 30 days.
You have the right to lodge a complaint with the Irish Data Protection Commission at dataprotection.ie.
6. Data Processing Agreement
Enterprise clients receive a Data Processing Agreement (DPA) as part of their subscription. The DPA covers: roles and responsibilities as controller/processor, processing purposes and instructions, security measures, sub-processor obligations, and data subject rights support.
To request a DPA template or discuss custom data processing arrangements, contact privacy@actly.eu.
7. Contact
For GDPR-related enquiries, data subject access requests, sub-processor list requests, or to report a data protection concern:
- Email: privacy@actly.eu
- Website: actly.eu
- Company: ACTly Limited, Ireland
We aim to respond to all data protection enquiries within 2 business days.