
🛡 Security & privacy

We don't want your data.

We already have enough legal documents to deal with thanks to the AI Act — honestly, adding your audit answers to our list of liabilities sounds like a terrible idea.

What you type:
  company:      Acme SAS
  ai_system:    HR CV screening
  contact:      jane@acme.eu
  audit_score:  38 / 100

What we store: those same fields, encrypted at rest (AES-256-GCM).

The principle: we can't access it.

Your questionnaire answers and generated documents are encrypted before being stored. The decryption key is derived from your user identifier — something our database alone cannot use.

Concretely: if someone accesses our database directly — leak, breach, or an admin having a curious moment — all they see is unreadable noise.

// What the database sees
questionnaire_data:
aBuDeFgHiJkL.X9k2n4pQr87LEvWxYzE1234567890ACDEF3H.yZ01234abcde

// What it can do with it
¯\_(ツ)_/¯

One key per user

Your data is encrypted with a key derived from your unique identifier (AES-256-GCM). Even we can't read a user's data without their active session. That's mathematically impossible, not just a pinky promise.

Hosted in Switzerland, database on-premises

The VPS is at Infomaniak in Switzerland. The Supabase database runs locally on that same server — no third-party service involved. Infomaniak hosts the bits, but can't read anything: everything is encrypted before it gets there.

No resale, no ad tracking

We're paid through subscriptions and document generation, not by selling your data. Our business model has zero interest in monetising what you share with us. Incentive alignment, as they say.

RLS + per-account isolation

Every database query verifies you can only access your own data (Supabase Row-Level Security). It's technically impossible for one user to read another's audits, even by tinkering with API requests.


The honest caveat: Mistral AI sees some of your data.

To analyse your audit and generate your regulatory documents, we use Mistral AI — our generative AI model provider (GPAI). They produce the summaries, recommendations, and narrative content of your documents.

Before sending anything to Mistral, we apply automatic pseudonymisation: emails, phone numbers, SIRETs, and IP addresses are replaced with neutral tokens (EMAIL_1, PHONE_2…). Mistral never sees your direct identifiers.

The business content of your questionnaire (sector, AI system uses, organisational context) is necessary for generation — Mistral does access this. That's the inherent trade-off of using an external LLM. We'd rather tell you clearly than bury it in the terms of service.

Who sees what

Data                                 DILAIG     Database   Mistral AI
Questionnaire answers (storage)      Encrypted  Encrypted  None
Questionnaire answers (AI analysis)  Yes        None       Pseudonymised
Generated documents (storage)        Encrypted  Encrypted  None
Contact / newsletter emails          Yes        In clear   None
Direct identifiers (email, SIRET…)   Yes        None       No (masked)
Compliance score                     Yes        In clear   None

Questions about our practices? Our full privacy policy is available below.

Security — DILAIG