Your data, your jurisdiction.

Alagna SAS is your direct contractual counterparty. Your data stays in your jurisdiction — EU firms run on European infrastructure, US firms run on US infrastructure. No deal data is retained by our infrastructure partners beyond the in-memory processing window.

Contractual architecture

Your firm signs with Alagna SAS, a French-registered company. Alagna is your data processor. Our inference providers are sub-processors — their compliance obligations flow down from our contracts with them, not from yours.

For EU firms, this means your Chapter V transfer exposure compresses to a sub-processor question managed entirely by Alagna — your firm's relationship is intra-EU from end to end. For US firms, all data processing stays on US infrastructure — no transatlantic data movement.

Zero Data Retention

Anthropic (inference) and Voyage AI (embeddings + reranking) both operate under zero-retention policies. Inputs and outputs are not stored after processing. No customer data is used for model training. Resend (transactional email) delivers account invitations and password resets — emails are not stored beyond delivery.

Transfer mechanisms

For EU firms, EU-to-US data transfers to inference providers are governed by Standard Contractual Clauses (Module 3), the EU-US Data Privacy Framework where applicable, and UK and Swiss addenda. We maintain a Transfer Impact Assessment documenting supplementary measures under Schrems II. For US firms, all processing stays within US infrastructure — no cross-border transfer applies.

Data minimisation

Only extracted text reaches inference providers — never original uploaded files. Document processing happens on regional infrastructure before any data is sent to inference providers.

Infrastructure

Alagna operates dedicated infrastructure in each region. Your firm's data never leaves its jurisdiction.

European firms:

  • Application: Vercel (EU)
  • Processing engine: Railway (EU West, Amsterdam)
  • Database and file storage: Supabase PostgreSQL (EU West, Ireland)

US firms:

  • Application: Vercel (US East)
  • Processing engine: Railway (US East, Virginia)
  • Database and file storage: Supabase PostgreSQL (US East, North Virginia)

Every data record — deals, documents, conversations, files, embeddings — is scoped to a specific firm. Users at one firm cannot access, search, or retrieve data belonging to another firm. Within a firm, access is role-based with deal-level team controls.

Security controls

  • All data transmitted over TLS (HTTPS)
  • Integration credentials and MFA secrets encrypted with AES-256-GCM (per-encryption random IVs)
  • Infrastructure-level disk encryption on all storage
  • Mandatory multi-factor authentication (TOTP, RFC 6238) for all users, with recovery codes at enrolment
  • Passwords hashed with bcrypt; failed login attempts rate-limited (5 attempts, then 15-minute lockout)
  • Sessions use signed JWT tokens with firm and role claims
  • Full audit trail on all deal and file operations

Regulatory readiness

GDPR (EU firms)

Alagna SAS is the data processor. Sub-processor list maintained and publicly available. 15-day contractual notice for new sub-processors. Breach notification chain documented in writing. DPIA support available on request.

DORA (EU regulated entities)

For regulated financial entities, Alagna is the ICT third-party service provider. Our inference partners are fourth parties. We provide the contractual framework and documentation your compliance team needs for ICT third-party risk management under DORA.

US firms

All data processed and stored on US infrastructure. SOC 2 Type II reports available from all infrastructure providers. We provide the documentation your compliance and legal teams need for vendor due diligence, including data handling policies, sub-processor disclosures, and security controls.

Certifications

Alagna is pursuing SOC 2 Type II and ISO 27001 certifications. Our real-time compliance posture, policies, and certification status are available on our Trust Center.

Alagna's production environment undergoes independent penetration testing. Our most recent third-party assessment — Oneleet, Q2 2026, conducted against OWASP methodology — returned no critical findings and a score of 10/10. The full report is available under NDA through our Trust Center.

  • SOC 2 Type II: In Progress
  • ISO 27001: In Progress

Compliance pack

We provide a complete compliance pack on request — designed to collapse weeks of procurement back-and-forth into a single document set:

  • Alagna Data Security Fact Sheet
  • Data Processing Agreement (Alagna SAS ↔ Customer)
  • Sub-processor DPA with Standard Contractual Clauses
  • Zero Data Retention confirmation
  • Transfer Impact Assessment
  • Sub-processor list
  • SOC 2 Type II reports
  • Penetration test report (Oneleet, Q2 2026) — under NDA
  • DORA addendum (for regulated entities)

To request the compliance pack or ask a question about data handling, contact privacy@alagna.ai