Security & Compliance
How we protect data and respect regulations.
Data protection
Data security is not optional — it's the foundation we build on.
Where data lives
Data is stored exclusively on servers within the European Union. We choose providers with ISO 27001 and SOC 2 certifications. On request, we offer on-premise deployments within your own infrastructure.
Data retention
We keep data only as long as necessary for its stated purpose. At the end of a collaboration, client data is deleted or returned per the contract, with written confirmation.
Access control
We apply the principle of least privilege. Access to data is role-based, logged, and periodically reviewed. We use multi-factor authentication for all internal systems.
GDPR
We comply with the General Data Protection Regulation, both as a controller and as a processor.
Roles
- Data controller — for data collected directly through the site (contact form, newsletter).
- Data processor — for client data processed as part of projects, governed by a Data Processing Agreement (DPA).
Your rights
You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data. You may withdraw consent at any time, without affecting the lawfulness of prior processing.
Exercising your rights
Send an email to privacy@igodemy.ai with the subject "GDPR Request". We will respond within 30 calendar days.
AI Act
We follow the requirements of the EU AI Regulation (AI Act), in effect since August 1, 2024, with phased implementation through 2027. For our clients' projects, we assess risks according to the AI Act classification and document design decisions accordingly.
Vulnerability disclosure
We appreciate security researchers who help us stay safe.
If you've found a vulnerability, please write to us at security@igodemy.ai.
Responsible disclosure process
- Report the vulnerability via email with as much technical detail as possible.
- We acknowledge receipt within 48 business hours.
- We investigate and communicate an estimated fix timeline.
- After remediation, we credit you publicly (if desired) and coordinate disclosure.
Please do not publicly disclose the vulnerability before we've agreed on a disclosure timeline together.
Cookies & analytics
We use Plausible Analytics — a cookieless analytics service hosted in the EU that does not collect personally identifiable data. No consent banner is needed for analytics.
For full details, see our Cookie Policy.