EU hosting posture
Vercel Functions: Frankfurt, Germany (fra1)
Trust center
ULTIMATE KLOUD UNIPESSOAL LDA is operated with GDPR-ready controls for transparency, processor terms, EU hosting posture, access control, encryption, auditability, data subject requests, and incident response.
Production posture
Last updated 20 February 2026
A Data Processing Agreement is available for business customers and prospects before customer personal data is uploaded or production access is enabled.
If a personal data breach requires notification, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of it. When we act as processor, we notify the affected customer without undue delay.
Vercel Functions: Frankfurt, Germany (fra1)
Supabase: Central EU / Frankfurt, Germany (eu-central-1)
privacy@dotgrey.co
We do not sell personal data and we do not share personal data with data brokers.
Checklist
This page is public so customers, partners, and app-review teams can verify the basics without chasing a private document.
The subprocessor list is published at /subprocessors.
Vercel Functions: Frankfurt, Germany (fra1); Supabase: Central EU / Frankfurt, Germany (eu-central-1).
TLS is required in transit. Supabase-managed database and storage encryption protect data at rest. Application secrets and integration credentials use dedicated encryption keys.
Supabase Auth, row-level security, role-based permissions, platform-admin scoping, optional two-factor authentication, and audit logs limit access to authorized users.
API prompts and outputs are not used by OpenAI to train models by default unless a separate explicit opt-in is configured with the provider. External AI calls should pass through the privacy gateway or feature-specific minimization controls before customer data is sent. Sensitive document images and customer values are blocked, redacted, processed locally, or manually reviewed in high-risk flows whenever the feature design supports it. AI outputs are assistive. Staff must review AI-generated replies, pricing, documents, summaries, classifications, and recommendations before using them in sensitive contexts. AI processing events record purpose, legal basis, vendor, model, hashes/metadata where appropriate, success/failure, and reviewer context where available.
Authenticated users can request or download machine-readable exports in privacy settings and through the GDPR export endpoints. Authenticated users can submit erasure requests. Operational deletion, anonymization, or retention exceptions are applied according to legal obligations and verified identity. When a request concerns data entered by a business customer, the response is coordinated with that customer because it is usually the primary controller. Privacy and data subject requests can be sent to privacy@dotgrey.co or dpo@dotgrey.co.
privacy@dotgrey.co; DPO/data protection contact: dpo@dotgrey.co.
AI and automation flows are designed to send only the operational context needed for the requested task, with redaction, tokenization, or local/manual processing for sensitive document flows where appropriate.
Privacy, consent, AI processing, GDPR request, security, and business action events are logged to support accountability and review.
No software page can honestly guarantee 100% GDPR compliance by itself. Final readiness still depends on signed customer/vendor agreements, actual production configuration, staff procedures, data entered by customers, and legal review for the exact market and use case.