Data Protection Agreement

Our commitment to data protection

Alteyr is built for regulated industries. Data protection is not a compliance checkbox for us, it is the foundation of our architecture. Our platform is designed from the ground up to give you complete control over your data, with no dependency on third party public cloud AI services.

We comply with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. This Data Protection Agreement describes our data processing practices, security measures, and your rights as a data controller.

Data controller and processor

When you use the Alteyr platform, you are the data controller. You decide what data to process, for what purpose, and under what policies. Alteyr acts as a data processor, operating solely on your documented instructions.

Because Alteyr runs on your infrastructure, data processing occurs within your environment, not on our servers. This architectural choice means that in practice, we never access, store, or transmit your data. Our role as processor is limited to providing the software that enables your processing activities.

Data processing scope

The platform processes data solely to execute the tasks you assign to the agent. This includes reading documents from your connected tools, planning workflows, generating outputs, and logging actions for audit purposes. All processing is performed within your infrastructure perimeter.

We do not process special categories of data unless you explicitly configure the platform to do so. You are responsible for ensuring that your use of the platform complies with your own data protection obligations, including conducting any required Data Protection Impact Assessments.

Security measures

Alteyr implements security measures designed to protect your data throughout its lifecycle. These include encryption at rest and in transit, role based access control, real time ACL enforcement from your connected tools, and comprehensive audit logging with tamper evidence.

Our platform supports deployment in air gapped environments, behind your firewall, and on premises. We provide Docker Compose and Helm charts for deployment in your private cloud. Network isolation, access controls, and backup policies for your deployment are your responsibility.

Data retention and deletion

Because the platform runs on your infrastructure, data retention and deletion are under your control. You can delete any data processed by the platform at any time. The audit log, which is tamper evident, is retained according to your policy and can be exported to your SIEM or deleted as needed.

Sub processors

Alteyr does not engage sub processors for the processing of your data through the platform, as the software runs on your infrastructure. For our website operations, we use PostHog for analytics (with EU data residency and memory only persistence) and Resend for transactional email. Both are GDPR compliant data processors.

International data transfers

When you deploy Alteyr on your infrastructure, your data remains in the location you choose. We do not transfer your data across borders. Our website analytics data is processed within the European Union. We rely on the adequacy decisions and Standard Contractual Clauses where applicable for any limited transfers necessary to operate our business.

Your rights

As a data subject, you have the right to access, rectify, erase, and port your personal data. You also have the right to restrict or object to processing. To exercise these rights, contact our Data Protection team at hello@alteyr.com. We will respond within the timelines required by applicable law.

Contact

For data protection inquiries, please contact hello@alteyr.com. You also have the right to lodge a complaint with your supervisory authority, particularly in the EU member state of your residence, place of work, or the place of the alleged infringement.