Skip to content
SECURITY/COMPLIANCE·DATA, ACCESS, INCIDENTPROCUREMENT-READY ↓

Built on infrastructure procurement can approve.

★ WHAT WE CAN COMMIT TO

AAL is a small studio. No ISO 27001 yet — but GDPR-compliant practices, EU-region hosting, DPA-ready paperwork, and an honest roadmap. This page is what we commit to today.

01

Data handling.

GDPR-compliant by default. Lawful basis documented per engagement, processing records maintained.

DPA ready. Standard template within 24h of request, custom DPA negotiable for enterprise.

Subprocessor list published. Vercel (hosting), Anthropic (AI), Airtable (operational). Updated on change.

Data minimization. Only what's needed to deliver. No behavioral tracking in audits or the journal.

02

Infrastructure.

EU-region hosting. Vercel edge in Frankfurt (FRA1) / Dublin (DUB1). Data never leaves EU unless scoped otherwise.

Encryption in transit and at rest. TLS 1.3 everywhere, AES-256 at rest.

Backups. Daily CMS and operational snapshots, 30-day retention, point-in-time restore.

Monitoring. Error, uptime, and performance via Sentry + Vercel Speed Insights. On-call for production incidents.

03

Access.

SSO-ready. Every client surface supports SSO via Okta, Auth0, or custom SAML on request.

RBAC in every CMS and internal tool we ship. Least privilege by default.

Audit logs. All content and config changes logged. 90-day retention standard, longer on request.

Offboarding. Credentials rotated, access revoked, data handed over within 5 business days.

04 · HONEST

Certifications roadmap.

ISO 27001, not certified today. Target: begin formal process Q1 2027.

SOC 2 Type II, not certified today. Target: 2027 after ISO 27001.

Annual penetration test by an independent third party on client-facing surfaces. Next: Q3 2026.

GDPR compliance active. DPIA performed per engagement as needed.

05

Incident response.

P0 (production down): initial acknowledgment within 1 hour. Active investigation within 4 hours.

P1 (data incident): client notified within 24 hours of detection. GDPR 72-hour reporting honored.

Post-mortems: written, shared with affected clients, and incorporated into runbooks.

06 · DOWNLOADS

Send these to procurement.

UPDATED: 2026-04
PDF · 3 PAGES

Standard DPA

GDPR-compliant data processing template. Customisable on request.

Request ↗
PDF · 4 PAGES

Subprocessor list

Vendors, data scope per vendor, hosting region. Updated on change.

Request ↗
PDF · 8 PAGES

Security whitepaper

This page as a procurement-ready PDF.

Request ↗
07 · TALK TO PROCUREMENT

Talk to procurement, not sales.

If procurement has requirements we haven’t surfaced here, tell us. We respond within 48 hours with what we can honestly commit to.

RESPONSE SLA48 hours
EU HOSTINGFRA1/DUB1