Trust

Security & Data Protection

How Sorvyn keeps your data, and your clients' data, safe and compliant. Written plainly for the people who have to answer for it.

Last updated: June 14, 2026 | EU data residency | GDPR, Luxembourg
Hosted in the EU
Your database lives in the European Union (Ireland), not offshore.
Encrypted end to end
AES-256 at rest, TLS 1.2+ in transit. Standard bank-grade encryption.
AI never trains on your data
The AI reads your documents to do the work, and nothing more.
You approve everything
Sorvyn proposes. A human reviews and approves before anything is acted on.
DPA available
A signed Data Processing Agreement for every business customer.
Full transparency
Every sub-processor listed publicly, with advance notice of changes.

01 Where your data lives

Your database is hosted in the European Union (Ireland). The workflow engine that runs your automations is self-hosted by Sorvyn on our own EU infrastructure, not on a third-party cloud. Where data must reach a provider established outside the EU, that transfer is covered by the European Commission's Standard Contractual Clauses (see the Transfers section).

02 Encryption

All data is encrypted at rest with AES-256 and in transit with TLS 1.2 or higher. Nobody reads your data off the wire or off the disk.

03 Access control

04 AI and your data

This is the question we get asked most, so here is the plain answer. Sorvyn uses Anthropic's Claude to read your documents, and OpenAI's Whisper to transcribe audio for two specific workflows. In both cases, under their commercial data processing terms:

The AI extracts and proposes. It does not decide and it does not act on its own.

05 You stay in control (human in the loop)

Sorvyn proposes, you approve. Nothing is posted to your books, sent to a client, or treated as final until a person reviews and approves it. This is deliberate: it keeps you in control of every entry and it means the responsibility for what gets booked stays where it belongs, with the professional.

06 Sub-processors

We publish the full, current list of every third party that touches data, what each does, where it sits, and the transfer safeguard, on our sub-processors page. We notify active customers before adding a new one. For accounting customers, only a short list ever touches your clients' data, and it is clearly marked.

07 International transfers

Data stays in the EU wherever the provider allows it. Where a provider is established in the United States (such as Anthropic, Stripe, or Vercel), the transfer is governed by the Standard Contractual Clauses approved by the European Commission, which are part of each provider's data processing agreement that we have in place.

08 Your rights and our agreement

Under GDPR you can ask us to access, correct, export, or delete your personal data, and you can lodge a complaint with the Luxembourg supervisory authority (CNPD). For business customers whose use involves processing their own clients' data, Sorvyn signs a Data Processing Agreement that sets out exactly how we handle that data, the security measures above, breach notification, and deletion on exit. Request it any time.

09 Talk to a person

Data protection questions go straight to the founder: patrick@sorvyn.ai. No ticket queue, no bot.