Trust Center
Last reviewed: April 2026
Policyflow helps organisations distribute policies and collect employee attestations. Because that data ends up in audit reports and compliance evidence, customers ask us — rightly — where it lives, who can touch it, how long we keep it, and how it can be retrieved or removed. This page is the short answer. For anything not covered here, email hello@applikeable.com.
Compliance posture
GDPR: EU data residency, DPA available, signed SCCs for non-EU subprocessors, documented retention and deletion procedures.
ISO 27001 (aligned): information security controls mapped to Annex A. Formal certification is on the roadmap.
SOC 2 (aligned): operating in line with the Trust Services Criteria. A formal Type II report is on the roadmap.
“Aligned” means we operate the framework’s controls; it is not a certification. Neither certification has been obtained yet. When one is, it will be noted here explicitly and the audit report will be available under NDA.
Where your data is hosted
- Primary data region: European Union (Frankfurt)
- Application hosting: Vercel, EU edge, with a global CDN for static assets
- Database: Supabase managed Postgres with row-level security
- Backup region: EU only; backups never leave the EU
- Data residency commitment: customer policy and attestation data is stored in the EU
How your data is protected
Encryption in transit
All traffic is served over TLS 1.2+ with HSTS. Internal service-to-service calls are encrypted.
Encryption at rest
Database storage and file uploads are encrypted at rest using AES-256.
Row-level isolation
Every tenant table enforces Postgres row-level security, so a query run on behalf of one organisation can never return another organisation's rows.
Authentication
Email and password, with magic-link sign-in as a fallback. Sessions are managed via Secure, HttpOnly cookies; passwords are hashed by Supabase Auth.
Access control
Role-based permissions (admin, editor, viewer) gate every mutation. Server actions re-check authorization on each request.
Audit trail
Policy edits, approvals, attestations, deliveries, exports, and admin actions are recorded in an immutable audit log with actor, resource, timestamp, and metadata.
Attestation evidence
Attestation tokens are cryptographically signed. Each completed attestation captures the policy version, recipient identity, timestamp, and IP for tamper-evident evidence.
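What "cryptographically signed" evidence looks like in practice, as an added example rather than Policyflow's own code: the page does not say which scheme is used, so the choice of HMAC-SHA256 with a server-held key over a canonical JSON encoding of the four listed fields, the field names, the function names and the demo key are all assumptions made here for illustration.

```python
"""Signed attestation evidence, as an added example (not Policyflow's code).

Assumed scheme: HMAC-SHA256 with a server-held key over a canonical JSON
encoding of the four fields the page lists (policy version, recipient,
timestamp, IP). Field names and the key are assumptions for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed demo key. A real deployment loads this from a secret store.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def canonical(record: dict) -> bytes:
    # Sorted keys and no whitespace: the same fields always give the same
    # bytes, so signer and verifier hash identical input.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_attestation(policy_version: int, recipient: str, ip: str,
                     timestamp: Optional[str] = None,
                     key: bytes = SIGNING_KEY) -> dict:
    """Return the attestation record with an HMAC-SHA256 'sig' field added."""
    record = {
        "policy_version": policy_version,
        "recipient": recipient,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "ip": ip,
    }
    sig = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "sig": sig}


def verify_attestation(token: dict, key: bytes = SIGNING_KEY) -> bool:
    """True only if every field matches what was signed under this key."""
    sig = token.get("sig")
    if not isinstance(sig, str):
        return False
    record = {k: v for k, v in token.items() if k != "sig"}
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == would leak timing information.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    token = sign_attestation(3, "alice@example.com", "203.0.113.7")
    print(verify_attestation(token))                           # True
    print(verify_attestation({**token, "policy_version": 4}))  # False
```

verify_attestation returns False for a record altered after signing (a different policy version, recipient, timestamp or IP), for a missing or forged signature, and for a record signed under a different key. One caveat for evidence that auditors check independently: an HMAC can only be verified by whoever holds the secret, so where third parties must verify records without trusting the issuer, an asymmetric signature (for example Ed25519) over the same canonical bytes is the better fit.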
Secret handling
Directory credentials, SMTP secrets, and API keys are stored encrypted and redacted from all exports and logs.
Backups
Automated daily backups, with point-in-time recovery covering the last 7 days. Backups are encrypted and stored within the EU region.
Vendor review
All subprocessors are reviewed for GDPR compliance, security posture, and data residency before onboarding.
Subprocessors
We share data only with the third parties needed to deliver the service. All subprocessors are bound by GDPR-compliant processing agreements, including Standard Contractual Clauses where data leaves the EEA.
| Vendor | Data shared | Purpose | Region |
|---|---|---|---|
| Supabase | Account data, policies, attestations, audit logs | Database & authentication hosting | EU (Frankfurt) |
| Vercel | Request metadata, application logs | Application hosting & edge delivery | EU edge with global CDN |
| Scaleway | Recipient email, message contents | Transactional email delivery | EU (France) |
| Paddle | Billing contact, payment metadata (no card data stored by us) | Payment processing & Merchant of Record | EU / UK / US |
| OpenAI | Policy text submitted to the editor (no attestation or directory data) | AI-assisted policy editing (opt-in feature) | US (zero data retention via API) |
We notify customers of material subprocessor changes at least 30 days in advance. To subscribe to notifications, email hello@applikeable.com.
What we retain
- Account data: retained for the life of the subscription, plus 30 days after cancellation for reinstatement.
- Policy content & versions: retained for the life of the subscription. Each published version is preserved so historical attestations remain verifiable.
- Attestation records: retained for the life of the subscription as compliance evidence. Customers can export at any time.
- Audit logs: retained for the life of the subscription with no rolling deletion.
- Email delivery logs: metadata retained 12 months; message bodies are not persisted after delivery.
- Server & access logs: retained 30 days for security and reliability investigations.
- After account closure: all customer data is deleted within 60 days of confirmed termination unless an export is requested first.
Exporting & deleting your data
Customers can export the full contents of their organisation (policies, attestations, audit log, files) from Settings → Data Export inside the application. The result is a dated TAR archive containing JSON records plus referenced files; directory credentials and access tokens are redacted.
To request deletion of an organisation or of individual personal data records, email hello@applikeable.com. We respond within one month, the deadline GDPR Art. 12(3) sets for Art. 17 (right to erasure) requests. After confirmed account closure, the 60-day deletion timeline above applies unless an export is requested first.
The audit log described under Audit trail above (policy edits, approvals, attestations, deliveries, exports, admin actions) is tamper-evident, and admins can filter it and export it to CSV at any time, in addition to its inclusion in the full data export.
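The Audit trail entry above and the CSV export described here both rest on the log being tamper-evident. The page states that property but not how it is achieved, so what follows is an added example, not Policyflow's code: a hash-chained log in which each entry commits to the previous entry's hash, exported to CSV and re-verified offline by whoever receives the export. Hash chaining, the column names and the function names are assumptions made for illustration.

```python
"""Hash-chained audit log with offline verification of a CSV export.

Added example, not Policyflow's code: the page states the log is
immutable/tamper-evident and exportable to CSV, but not how. Hash chaining
(each entry commits to the previous entry's hash) is assumed here, as are
the column names.
"""
import csv
import hashlib
import io
import json
from typing import Optional

FIELDS = ["seq", "actor", "action", "resource", "timestamp",
          "metadata", "prev_hash", "hash"]
GENESIS = "0" * 64  # prev_hash of the first entry


def entry_hash(entry: dict) -> str:
    # Covers every column except 'hash' itself, including prev_hash, so a
    # change to any earlier row invalidates every row after it.
    body = {k: entry[k] for k in FIELDS if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append(log: list, actor: str, action: str, resource: str,
           timestamp: str, metadata: dict) -> dict:
    """Append one entry; seq and prev_hash are derived from the log, not passed in."""
    entry = {
        "seq": len(log),
        "actor": actor,
        "action": action,
        "resource": resource,
        "timestamp": timestamp,
        "metadata": json.dumps(metadata, sort_keys=True),
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def export_csv(log: list) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(log)
    return buf.getvalue()


def verify_csv(text: str) -> Optional[int]:
    """Return None if the chain is intact, else the 0-based position of the first bad row."""
    prev = GENESIS
    for expected_seq, row in enumerate(csv.DictReader(io.StringIO(text))):
        try:
            row["seq"] = int(row["seq"])  # CSV yields strings; the hash used an int
        except (TypeError, ValueError):
            return expected_seq
        if (row["seq"] != expected_seq or row["prev_hash"] != prev
                or entry_hash(row) != row["hash"]):
            return expected_seq
        prev = row["hash"]
    return None


if __name__ == "__main__":
    # Constructed sample entries, not real Policyflow data.
    log: list = []
    append(log, "alice@example.com", "policy.publish", "policy:42",
           "2026-04-01T09:00:00Z", {"version": 3})
    append(log, "bob@example.com", "attestation.complete", "policy:42",
           "2026-04-01T09:05:00Z", {"version": 3})
    exported = export_csv(log)
    print(verify_csv(exported))                                           # None
    print(verify_csv(exported.replace("bob@example.com", "eve@example.com")))  # 1
```

Editing a row changes its hash; editing a row and recomputing its hash breaks the prev_hash link of the row after it; removing a row leaves a gap in seq. In each case verify_csv reports the position of the first row that fails. A chain on its own cannot detect silent truncation of the newest entries, so the latest hash also needs to be anchored somewhere the log writer cannot alter, for example in a signed export manifest.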
Legal documents
- Privacy Policy: how we collect, use, and protect personal data.
- Terms of Service: the agreement governing your use of Policyflow.
- Data Processing Agreement (DPA): GDPR Art. 28 processor terms, including Standard Contractual Clauses for any non-EU transfers. Available on request and pre-signed for paid plans.
- Refund Policy: how refunds are handled for subscription billing.
Talk to us
Security review, DPA request, vendor questionnaire, or anything else — write to hello@applikeable.com.