Security and privacy

Your data is protected — and stays yours

We handle customer, sales and medical data, and the responsibility for protecting it is ours. This page sets out the rules we follow: transparent processing, encryption, and compliance with the GDPR and Ukrainian personal data law.

Core principles

These four pillars hold up everything we do with your data.

Data stays yours

You remain the sole owner of your customer data. We act as the data processor, not the owner. You can export or delete it at any time.

Encryption everywhere

Data at rest is encrypted with AES-256 in the database, and data in transit uses TLS 1.3 between all services. There are no plaintext channels.

Least privilege

Each service and each team member gets access only to what they need for their work. There is no 'everyone sees everything'.

Transparent audit

Every action is logged: who logged in and when, what changed, and what messages were sent. Logs are kept for 90 days.

Where your data lives

Hosting

Hetzner (Germany) by default, or a Ukrainian data center on request. Data never leaves the EU or Ukraine.

Database

PostgreSQL 16 on an isolated server with disk encryption and daily backups, in a separate network segment with no public access.

Integrations

Telegram, Instagram and WhatsApp are connected through their official APIs. Incoming webhooks are verified with HMAC signatures before they are processed. No plaintext credentials are stored.
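As an added illustration of what HMAC-protected webhooks mean in practice (example code, not the platform's own implementation): the receiver recomputes an HMAC-SHA256 over the raw request body and compares it in constant time to the signature the sender attached. The header names, the shared secret and the timestamp-binding scheme below are assumptions for the example; each messaging platform defines its own header and signed payload, so the real verifier must follow that platform's documentation. The sample body is constructed.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Assumption (constructed example): one shared secret per integration, loaded
# from configuration in a real deployment rather than hard-coded.
WEBHOOK_SECRET = b"example-webhook-secret-do-not-reuse"

# Deliveries whose timestamp is older than this are rejected even if the
# signature is valid, which closes the replay-attack window.
MAX_SKEW_SECONDS = 300


def sign_webhook(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Sender side: HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded.

    Binding the timestamp into the signed message means a captured delivery
    cannot be replayed later under a fresh timestamp.
    """
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(body: bytes, headers: Dict[str, str], now: Optional[int] = None,
                   secret: bytes = WEBHOOK_SECRET) -> Tuple[bool, str]:
    """Receiver side. Returns (accepted, reason).

    Verification runs over the raw request bytes, before any JSON parsing, so
    that re-serialisation differences cannot change what was actually signed.
    """
    now = int(time.time()) if now is None else now
    sig_header = headers.get("X-Signature-256", "")          # assumed header name
    ts_header = headers.get("X-Signature-Timestamp", "")     # assumed header name
    if not sig_header or not ts_header:
        return False, "missing signature headers"
    try:
        timestamp = int(ts_header)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign_webhook(body, timestamp, secret)
    # compare_digest runs in constant time; a plain `==` stops at the first
    # differing byte and leaks how much of a forged signature is correct.
    if not hmac.compare_digest(expected, sig_header):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample delivery, signed and then checked as a receiver would.
    sample_body = b'{"update_id": 1, "message": {"text": "hello"}}'
    sample_ts = int(time.time())
    sample_headers = {
        "X-Signature-256": sign_webhook(sample_body, sample_ts),
        "X-Signature-Timestamp": str(sample_ts),
    }
    print(verify_webhook(sample_body, sample_headers))
    print(verify_webhook(sample_body + b" ", sample_headers))  # tampered body
```

The two checks a practitioner looks for are present: the comparison is constant-time, and the signature covers the raw bytes plus a timestamp rather than a parsed object. Rejecting stale timestamps is what turns "the signature is genuine" into "this delivery is fresh".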

AI processing

Anthropic Claude API, used without prompt logging. Whisper for voice transcription runs in memory and keeps no logs.

Backups

Daily automated backups with 30-day retention, and a test restore every month. RPO 24 hours, RTO 4 hours: in a worst-case restore, up to one day of changes may be lost, and service is back within four hours.

What we do NOT do with your data

We do not sell to third parties

No ad networks and no analytics brokers. Your data is used for your business only.

We do not train models

The AI models we use (Claude, Whisper) are not fine-tuned on your data. We use the APIs without opting in to training.

We do not store passwords in plaintext

CMS passwords are hashed with bcrypt, and OAuth tokens are stored encrypted. Production access is possible only with SSH keys.

We do not share without your consent

If we receive a government request, we notify you before any data is transferred, where the law permits us to do so.

Standards compliance

The norms we follow daily.

GDPR (EU)

Rights of access, rectification, erasure and portability. Consent for processing. A DPO contact. Requests are answered within 30 days.

Ukrainian Personal Data Law

Database registration with the Commissioner. Consent from the data subject. A defined scope and retention period.

Medical data (for clinics)

A separate access tier. Every action on patient records is logged. Stricter backup requirements.

Payment data

We never store CVV codes or full card numbers. Payment providers (LiqPay, WayForPay, Stripe) are integrated through tokenization, so card details stay with the provider.

What you get from day one

Contract with NDA

Before work starts, we sign a contract with a confidentiality clause. A sample is sent before our first call.

DPA (Data Processing Agreement)

A separate GDPR-compliant data processing agreement that defines the roles (controller/processor), the purposes of processing and the terms.

Data export 24/7

Request a database dump or a CSV/JSON export at any time. No limits and no lock-in.

Self-hosting option

If needed, we deploy the system on your servers. All data stays in your infrastructure, and we provide support.

Common questions

What people ask about security

Transparent answers to the technical questions we hear most.

Only you (as owner) and a limited number of our engineers, for technical support. Every access is logged. Our engineers have signed an NDA. Production access is via SSH keys with multi-factor authentication.

By default, Hetzner (Germany, EU jurisdiction, GDPR). On request, a Ukrainian data center. Data never leaves the EU or Ukraine.

No. The Anthropic Claude API is used without prompt logging (zero retention). Whisper processes voice in memory without storing the audio. We keep only what you need in the CRM.

We export everything in the format you choose (CSV, JSON, SQL dump), delete it from our infrastructure within 30 days, and confirm with a deletion certificate.

Yes. Internal audits are monthly and penetration testing is annual. Logs are kept for 90 days. On request we provide an incident report and a summary of security measures.

The admin panel has a 'Delete customer' button that wipes all of that person's data from the CRM, the conversation history and the backups. Requests are answered within 30 days, as the GDPR requires. We help you configure the process.

Yes. Self-hosting is available for plans from €1500/month. We deploy on your infrastructure (AWS, GCP or on-premise). Support and updates are ours; control over the data is yours.

HIPAA does not apply in Ukraine, but we follow its principles for medical clients: stronger encryption, separate roles, access logging, a mandatory DPA and audit logs.

Contact

You Don't Have to Decide Anything Right Now

Just 20 minutes of conversation and you will know exactly how many clients you are losing, what can be automated, and how much it costs. If it is too early for you, we will say so honestly.

Want to see our security policy?

We send the full documentation free of charge: the contract, the DPA, a description of the infrastructure, and DPO contacts.