Data Security and GDPR Policy

Data Security

[Last updated 6 January 2026]

Affinitext prioritizes customer trust and data protection as a cornerstone of our business operations. We recognize that customer and user data is critical to our customers' operations, compliance obligations, and stakeholder confidence. That is why we keep it private and secure, and manage it in accordance with applicable global data protection laws.

Affinitext supports over 30,000 users in over 120 countries and territories. Our customers entrust us with sensitive information, stemming from a wide range of industries including healthcare, financial services, government, technology and legal services.

Affinitext helps customers and users maintain control of their privacy and data security through multiple mechanisms:

  • Data Security: We provide our customers and users with confidence in our compliance with enterprise-class security standards (ISO 27001:2022, UK Cyber Essentials, UK Cyber Essentials Plus and UK Ministry of Defence (Official Sensitive) accreditations) and maintain a support team on-call 24/7 to respond to security incidents.
  • Disclosure of Customer Service Data: Affinitext only discloses Service Data to third parties where disclosure is necessary to provide the services or as required by law.
  • Trust: Affinitext has developed security protections and control processes to help our customers ensure a highly secure environment for their information. Independent third-party experts regularly confirm Affinitext’s adherence to enterprise-class security standards.
  • Data Hosting Locality: Customer data is hosted across multiple jurisdictions on managed data centres operated by Rackspace (Sydney, Australia and London, United Kingdom), Oracle (Jeddah, Saudi Arabia and Abu Dhabi, United Arab Emirates), AWS (Canada and the USA) and Google Cloud (Qatar). The data centre closest to the customer's location is generally selected to provide Affinitext services, while customers may specify preferred data residency locations where applicable.
  • Access Management: Affinitext provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer content for any purpose other than providing, maintaining, supporting and improving the Affinitext services and as otherwise required by law.
What is Service Data?
Service Data is any information, including personal data, which is stored in or transmitted via the Affinitext services by, or on behalf of, our customers and their end-users.
Who owns and controls Service Data?
Affinitext customers retain ownership of and control over Service Data throughout their subscription period. Under applicable data protection legislation (including the General Data Protection Regulation (GDPR) in the European Union, the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 in the United Kingdom, the Privacy Act 1988 (as amended by the Privacy and Other Legislation Amendment Act 2024) in Australia, the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec’s Law 25 in Canada, the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) in the United Arab Emirates, the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA) in the United States, Lei Geral de Proteção de Dados (LGPD) in Brazil, Personal Data Protection Act (PDPA) in Singapore, Personal Data Protection Law (PDPL) in Saudi Arabia, and other similar laws), the customer acts as the data controller, and Affinitext acts as the data processor. This means customers maintain full authority over how their data is processed and used.
Who are Affinitext’s sub-processors?
Affinitext maintains an up-to-date list of the names and locations of all sub-processors (including members of the Affinitext Group and third parties) used for hosting or other processing of Service Data. The list may be obtained by contacting data.protection@affinitext.com. Customers are notified of changes to sub-processors in accordance with applicable data protection legislation.
How does Affinitext use Service Data?
We use Service Data to:
• Operate, maintain, and improve our services
• Help customers and users access and use our services
• Respond to customer and user inquiries and support requests
• Send communications related to the services, account updates, and security matters
• Conduct security and compliance monitoring
• Generate anonymized analytics and insights
We do not use Service Data for marketing purposes, targeted advertising, or sale to third parties.
How does Affinitext process Service Data when customers use AffiniAI?
Where a customer enables AffiniAI, user prompts and relevant excerpts from Service Data may be transmitted to, and processed by, Affinitext’s contracted AI service provider(s) as sub-processors, solely to generate an answer for the user. Processing locations and any applicable retention terms depend on the customer’s contracted configuration. Affinitext’s arrangements require that Service Data is not used by these providers to train their models.
What steps does Affinitext take to secure Service Data?
Affinitext prioritizes data security and implements a comprehensive security program that includes:
• Infrastructure Security: Servers hosted at ISO 27001:2022, UK Ministry of Defence, UK Cyber Essentials, UK Cyber Essentials Plus, and PDPL-compliant facilities with multiple redundancy layers.
• Encryption: Data is encrypted in transit (TLS 1.2+) and at rest using industry-standard encryption protocols.
• Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and principle of least privilege restrict employee access to customer data.
• Penetration Testing: Third-party security experts perform detailed penetration tests on a periodic basis to identify and remediate vulnerabilities.
• Incident Response: A dedicated security team operates 24/7 to monitor, detect, respond to, and investigate security incidents and data breaches.
• Regular Audits: Comprehensive audits of applications, systems, and networks are conducted regularly to ensure continued compliance with security standards.
• Data Minimization: We collect and process only the minimum personal data necessary to provide our services.
Where will Service Data be stored?
Affinitext maintains data centres in multiple geographic locations:
• Rackspace: Sydney (Australia) and London (United Kingdom)
• Oracle: Jeddah (Saudi Arabia) and Abu Dhabi (United Arab Emirates)
• AWS: Canada and the United States
• Google Cloud: Qatar
Affinitext generally uses the data centre closest to the customer's location to provide Affinitext services, ensuring lower latency and compliance with local data residency requirements where applicable.
Does Affinitext replicate the Service Data it stores?
Yes. Affinitext replicates Service Data to separate, geographically distributed servers within the same country to ensure business continuity, disaster recovery, and data availability. Replicated data receives the same level of security protection as primary data.
How does Affinitext respond to information requests?
Affinitext recognizes that privacy and data security issues are top priorities for customers and their users.

• Affinitext does not disclose Service Data except as necessary to provide its services to its customers and to comply with the law as detailed in our Privacy Policy found here: https://www.affinitext.com/privacy-policy/.
• Affinitext promptly acknowledges and responds to lawful information requests, data subject access requests, and other requests from customers and their users in accordance with applicable timelines (e.g., 30 days under GDPR, LGPD, and similar regulations).
• Customers, as data controllers, are responsible for responding to requests from their data subjects, and Affinitext will cooperate fully to support customers in fulfilling these obligations.
How does Affinitext respond to legal requests for Service Data?
In certain situations, we may be required to disclose personal data as required by law or in response to subpoenas, court orders, legal process or to establish or exercise our legal rights or defend against legal claims.
• We will inform customers of legal requests for their data, except where legally prohibited.
• We will challenge overly broad requests where appropriate.
• We maintain detailed records of all legal requests and our responses.
Data Breach Response and Notification
Affinitext is committed to rapid identification, investigation, and reporting of data breaches:
Upon discovery of a data breach, Affinitext will investigate the incident and notify affected customers without undue delay and in accordance with applicable legal requirements.
• Notification Timeline: Breaches are reported within 48 hours to customers for their own regulatory notifications (shortened from the previous 72-hour standard).
• Required Information: Breach notifications include details of the breach, affected data categories, likely consequences, and recommended mitigation measures.
• Regulatory Reporting: Affinitext will cooperate with customers and relevant supervisory authorities to meet regulatory reporting obligations.

Global Data Protection Legislation Compliance

European Union: General Data Protection Regulation (GDPR)
The GDPR is a European privacy regulation that applies to all organizations processing personal data of EU residents, regardless of where the organization is located. Affinitext has been committed to GDPR compliance since the regulation became enforceable on 25 May 2018.

Key GDPR Requirements Affinitext Supports:

- Lawful Basis: We process data only where we have a lawful basis under GDPR Article 6.
- Consent: Where consent is required, we ensure it is explicit, specific, and freely given, with documented proof of consent.
- Data Subject Rights: We support customer requests for:
  - Access (30 days)
  - Rectification/Correction (30 days)
  - Erasure/Right to be Forgotten (variable timelines)
  - Data Portability in machine-readable format (30 days)
  - Restriction of processing (30 days)
  - Object to processing
  - Rights related to automated decision-making and profiling
- Privacy by Design: We implement privacy and security measures by design and default in our service architecture.
- Data Protection Impact Assessments (DPIA): We conduct DPIAs for high-risk processing activities and share results with customers upon request.
- Data Processing Agreements (DPA): Our Standard Contractual Clauses (SCCs) and Data Processing Agreements comply with GDPR Article 28 requirements.
- AI and Machine Learning: Our AI systems are designed to be transparent, fair, and subject to appropriate human oversight.

2025-2026 GDPR Updates:

- Enhanced consent requirements: explicit, specific, easy withdrawal
- Stricter cross-border data transfer rules
- Expanded definition of personal data to cover additional identifiers
- Enhanced enforcement mechanisms and increased penalties
- Specific provisions for AI systems regarding explainability, fairness, and human oversight
United Kingdom: UK Data Protection Act 2018 and UK GDPR
The UK has retained the GDPR requirements under the UK Data Protection Act 2018 and the UK GDPR following its exit from the European Union. Affinitext maintains equivalent compliance with UK data protection requirements.
Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) & Quebec Law 25
Key Requirements:
- Consent: Explicit consent is required for the collection, use, or disclosure of personal information.
- Breach Notification: Mandatory reporting to the Privacy Commissioner of Canada and affected individuals if a breach creates a "real risk of significant harm."
- Access Rights: Individuals have the right to access their personal information and challenge its accuracy.
- Quebec Law 25: Imposes stricter requirements similar to GDPR, including mandatory Privacy Impact Assessments (PIAs) for data transfers outside Quebec and the appointment of a Privacy Officer.
Proposed Consumer Privacy Protection Act (CPPA) - Canada:
Affinitext is monitoring Canada's proposed CPPA, which would replace PIPEDA and strengthen privacy obligations, including data portability rights and increased penalties.
United States

The United States has a sectoral approach to data privacy with multiple applicable laws. For example:
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Affinitext supports customer compliance with CCPA requirements regarding consumer rights: right to know, right to delete, right to opt-out of sale/sharing, and right to limit use.
- CPRA enhancements (effective 2023) include additional rights, including correction, non-discrimination, and automated decision-making restrictions.
- We maintain detailed records of data collection and processing activities to support customer disclosure obligations.

United Arab Emirates (UAE): Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL)
Key Requirements:
- Consent: Processing generally requires consent, with specific exceptions (e.g., performance of a contract, public interest).
- Data Subject Rights: Includes the right to access, request correction, restriction of processing, and deletion of personal data.
- Cross-Border Transfers: Transfers to countries with "adequate" protection are permitted; otherwise, specific safeguards must be implemented.
- DPO: Appointment of a Data Protection Officer is mandatory for certain high-risk processing activities.
Saudi Arabia: Personal Data Protection Law (PDPL)
The Saudi PDPL became fully enforceable in 2024 and applies to all organizations processing personal data of residents of Saudi Arabia.
Key PDPL Requirements Affinitext Supports:
- Data Protection Officer: Available for consultation on PDPL compliance matters.
- Consent: Explicit consent for personal data processing.
- Data Subject Rights: Access, correction, deletion, and data portability rights.
- Data Localization: Support for customer data residency in KSA data centres (Jeddah).
- Local Representation: Cooperation with Saudi regulatory authorities.
India: Digital Personal Data Protection Act (DPDPA)
India's DPDPA was adopted in 2023 and became effective in 2025, establishing comprehensive data protection requirements.
Key DPDPA Requirements:
- Lawful Basis: Explicit consent required for personal data processing.
- Data Subject Rights: Access, correction, deletion, and portability.
- Children's Data: Enhanced protections for data subjects under 18 years old.
- Grievance Redressal: Support for user grievance mechanisms.
Australia: Privacy Act (2024 Amendments)
Australia's updated Privacy Act includes stronger breach notification requirements and enhanced protections for children's privacy.
Key Updates Affinitext Implements:
- Mandatory breach notification for eligible data breaches
- Stronger customer accountability for data security
- Enhanced children's privacy protections
- Stricter consent requirements
Other Major Jurisdictions
Affinitext recognizes and supports compliance with data protection laws across additional jurisdictions including:
- Singapore: Personal Data Protection Act (PDPA)
- Japan: Act on the Protection of Personal Information (APPI)
- South Korea: Personal Information Protection Act (PIPA)
- Thailand: Personal Data Protection Act (PDPA)
- Malaysia: Personal Data Protection Act (PDPA)
- New Zealand: Privacy Act 2020
- Argentina: Personal Data Protection Act
- Uruguay: Data Protection Law
- Mexico: Federal Law for the Protection of Personal Data Held by Private Parties
- Chile: Law No. 21,719 (GDPR-modeled, enforcement from December 2026)
- Peru: Updated Data Protection Law (effective March 2025)
- Turkey: Law on the Protection of Personal Data (KVKK)
- Kenya, South Africa, Nigeria: National data protection acts
- Multiple African, Asian, and Latin American jurisdictions: Emerging data protection frameworks
Global Trends
As of 2025, approximately 71% of countries worldwide have implemented data protection legislation, with a further 9% actively drafting new laws. Affinitext continues to monitor emerging regulations and adapt our practices to ensure compliance across all jurisdictions where our customers operate.
Certifications and Compliance Verification
Customers can rely upon Affinitext's certifications and compliance status to conduct risk assessments and verify appropriate technical and organizational measures:
• ISO 27001:2022: Information Security Management System certification
• UK Cyber Essentials: UK Government-backed security standard
• UK Cyber Essentials Plus: Enhanced cyber security assessment
• UK Ministry of Defence (Official Sensitive): Defense-grade security accreditation
Copies of certifications can be obtained by submitting a request to data.protection@affinitext.com.
Product Features Supporting Global Compliance
Affinitext provides built-in features and tools to support customer compliance:
- Data Access Controls: Advanced permissions and role-based access control
- Audit Logging: Comprehensive audit trails of data access and processing
- Data Deletion: Tools for secure deletion and purging of user accounts, documents, and attachments
- Data Export: Functionality to export data in machine-readable formats (CSV, JSON)
- Encryption Options: End-to-end encryption and customer-controlled encryption keys
- Automated Compliance Reports: Generation of compliance documentation and breach logs
- GDPR Resources Library: Free GDPR library available at https://gdpr.affinitext.com/public
- Extended Compliance Library: Full compliance library with additional features available at https://www.affinitext.com/gdpr
Data Protection Officer and Contact Information
For data protection and compliance inquiries, customers and individuals may contact:
Email: data.protection@affinitext.com
Inquiries: We respond promptly to data subject access requests, compliance questions, and privacy concerns, always well before the applicable statutory timeframe (typically 30 days for access requests in most jurisdictions).
Accountability and Continuous Improvement
Affinitext maintains a commitment to:
- Documentation: Maintain detailed records of data processing activities and compliance measures
- Training: Provide regular training to staff on data protection and security practices
- Incident Response: Maintain and regularly test incident response plans
- Policy Review: Review and update this policy annually and whenever significant regulatory changes occur
- Third-Party Oversight: Engage independent security auditors and assessors to validate compliance
- Customer Feedback: Continuously improve our services based on customer and regulatory feedback