Security & GDPR

Is Cloop GDPR-compliant and secure for EU B2B data?

Cloop stores all customer data in Helsinki, Finland, never trains AI on your conversations, and operates entirely within the EU under a standard Data Processing Agreement.

Last updated: April 2026

The short answer

Yes. Cloop is fully GDPR-compliant and operates entirely within the EU. Customer data is hosted on Hetzner Online GmbH infrastructure in Helsinki, Finland (fi-hel-1 zone). AI inference runs on Nebius B.V. in the Netherlands — a European AI provider that contractually prohibits training on customer data. ROFFI Oy (Business ID 3500046-5) is the EU-based data controller. Customers receive a standard DPA, a published subprocessor list, and SSO via Microsoft Entra ID, Google Workspace, or SAML 2.0.

Our commitments

Does Cloop train AI models on customer conversations?

No. Cloop contractually prohibits training AI models on customer conversation data. This prohibition is in the standard Data Processing Agreement (DPA) and applies to both Cloop and the AI inference provider (Nebius B.V.). Three non-negotiable commitments follow.

🇪🇺 EU-only data residency

All data stored and processed on Hetzner infrastructure in Helsinki, Finland. No transfers outside the EU/EEA — ever.

🚫 We never train AI on your data

Your customer conversations, CRM data, and visitor information are never used to train AI models — ours or anyone else's. Nebius AI Studio, our inference provider, confirms this contractually.

📋 Transparent security

Every detail of our infrastructure, subprocessors, and processing is public. Read the Security Overview, DPA, and Subprocessor List — nothing is hidden.

Data residency

Where is Cloop customer data stored?

All Cloop customer data is stored in Helsinki, Finland, on Hetzner Online GmbH infrastructure (fi-hel-1 zone). No production data leaves the EU under any circumstance. For EU buyers, data residency is a compliance requirement — Cloop was architected EU-first from day one.

🇫🇮 Primary data center: Helsinki, Finland · Hetzner

Application servers: Hetzner, Helsinki (hel1)
Database: Self-managed PostgreSQL on Hetzner VPS
Object storage: Hetzner S3-compatible, Helsinki
AI inference: Nebius B.V., EU data centers
Vector search: Local on our server (pgvector) — no external calls
Backups: Daily, stored within EU (Helsinki)

Compliance

Is Cloop compliant with Schrems II?

Yes. Cloop operates entirely within the EU — no data transfers to the US or other non-adequate jurisdictions. Hetzner is EU-based, Nebius is EU-based, and ROFFI Oy is EU-based. Schrems II concerns about EU-US data transfers do not apply. Our security program also runs to ISO 27001, SOC 2, and ISO 42001 requirements — formal certifications are on our 2026–2027 roadmap.

Compliant

GDPR

Finnish company directly subject to EU data protection law. Full DPA available. All data subject rights supported.

View DPA →

Process compliant · Cert. 2026

ISO 27001

Our information security management system is built to ISO 27001 standards. Formal certification planned for 2026.

Process compliant · Cert. 2026–2027

SOC 2

Controls and processes align with SOC 2 Trust Services Criteria (Security, Availability, Confidentiality). Type I audit planned for 2026.

Process compliant · Cert. 2027

ISO/IEC 42001:2023

AI management system standard. We run our AI governance to the ISO 42001 framework — one of few European B2B tools doing so.

Compliant

ePrivacy Directive

Widget uses localStorage (not cookies) for visitor identification. No ad trackers, no fingerprinting.

Compliant

Finnish data protection law

Registered Finnish company (Business ID 3500046-5), directly supervised by the Finnish Data Protection Ombudsman.

Technical security

What security engineering practices does Cloop use?

Cloop runs six layers of engineering controls — encryption, authentication, authorization, input validation, rate limiting, and audit logging — with SSO via Microsoft Entra ID, Google Workspace, and SAML 2.0 supported on Team plans. Security isn't a checkbox added at the end — it's in every layer, from network to application to AI.

🔒 Encryption

  • TLS 1.2+ for all connections, HSTS enforced
  • Full-disk encryption at rest (Hetzner VPS)
  • Encrypted backups in EU

🔐 Authentication

  • OAuth 2.0 / OpenID Connect
  • Google, GitHub, Microsoft sign-in
  • JWT tokens in Authorization headers
  • No session cookies = no CSRF attack surface

🛡️ Authorization

  • Multi-tenant isolation: every query scoped by tenant ID
  • Role-based access (Owner, Admin, Member)
  • Feature gating enforced at API level
  • Per-site widget embed tokens

⚙️ Input validation

  • Parameterized queries (no SQL injection)
  • SSRF protection in web crawler
  • Content-type and size validation on uploads
  • Widget sanitizes all rendered content (no XSS)

🚦 Rate limiting

  • Multi-tier sliding window limits per IP
  • Separate budgets per tenant
  • Daily AI cost cap prevents runaway use
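
The three rate-limiting controls listed above (per-IP sliding-window tiers, a separate per-tenant budget, and a daily AI cost cap) shown as an added Python example; this is illustration code written for this page, not Cloop's implementation, and the tier sizes, cap and cost figures are assumed.

```python
from collections import defaultdict, deque

# Assumed tier sizes (window_seconds, max_requests); Cloop's real values are not published.
IP_TIERS = ((1, 5), (60, 60), (3600, 600))
TENANT_TIERS = ((60, 300), (3600, 3000))
DAILY_AI_CAP_EUR = 20.0   # assumed per-tenant daily cap

class SlidingWindowLimiter:
    """Per-key deque of timestamps; a request passes only if every tier still has room."""
    def __init__(self, tiers):
        self.tiers = tiers
        self.longest = max(window for window, _ in tiers)
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.longest:   # evict hits older than the widest window
            q.popleft()
        for window, limit in self.tiers:
            if sum(1 for t in q if now - t < window) >= limit:
                return False                      # rejected requests are not recorded
        q.append(now)
        return True

class TenantAiBudget:
    """Daily AI spend cap per tenant; the counter resets when the UTC day changes."""
    def __init__(self, daily_cap):
        self.daily_cap = daily_cap
        self.spent = {}   # tenant_id -> (day_number, amount_spent_that_day)

    def charge(self, tenant_id, cost, now):
        day = int(now // 86400)
        last_day, spent = self.spent.get(tenant_id, (day, 0.0))
        if last_day != day:
            spent = 0.0
        if spent + cost > self.daily_cap:
            return False
        self.spent[tenant_id] = (day, spent + cost)
        return True

def admit(ip_limiter, tenant_limiter, budget, ip, tenant_id, est_cost, now):
    """Gate one AI request: per-IP tiers, then per-tenant tiers, then the daily budget."""
    if not ip_limiter.allow(ip, now):
        return "ip_limited"
    if not tenant_limiter.allow(tenant_id, now):
        return "tenant_limited"
    if not budget.charge(tenant_id, est_cost, now):
        return "budget_exhausted"
    return "ok"
```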

📝 Audit logging

  • Structured JSON logs for auth events
  • Site-level change tracking
  • 12-month retention for audit trail

AI security

How AI actually sees your data.

We're explicit about what crosses the AI provider boundary — and what stays on our servers.

Stays on our EU servers

  • Visitor email addresses and identifiers
  • Account credentials and internal metadata
  • Data from other tenants (multi-tenant isolation)
  • Vector embeddings and similarity search (runs locally via pgvector)
  • Session state, lead records, analytics

Sent to Nebius AI (EU)

  • Visitor's message text (current turn)
  • Relevant content chunks from your knowledge base
  • System instructions (language, persona, phase)
  • Recent conversation context (current session)

Nebius processes transiently — input/output not stored after response. Contractually excluded from model training.

Your data, your rights

Full GDPR rights, fully supported.

Every right guaranteed by GDPR Articles 15–22 is implemented in Cloop — not just promised in a policy.

Article 15

Right of access

Export your data from the dashboard anytime, or email privacy@cloop.io.

Article 16

Right to rectification

Edit your profile and settings directly in the dashboard.

Article 17

Right to erasure

Delete your account in the dashboard — all data removed within 30 days.

Article 18

Right to restrict

Pause processing of specific data by contacting privacy@cloop.io.

Article 20

Right to portability

Request a machine-readable export of all your data.

Article 21

Right to object

Object to processing based on legitimate interest anytime.

We respond to all data subject requests within 30 days (extendable to 90 for complex requests, with notice).

Incident response

Small team, direct process, fast response.

When something goes wrong, you'll hear from us fast — by phone for critical incidents, by email always.

0 min

Detection

Monitoring alerts, log anomalies, or customer report triggers immediate investigation.

Within 1 hr

Customer notification begins

For critical incidents affecting your data, we call account owners by phone. Email follows immediately.

Within 48 hr

Formal breach notification (DPA)

If a data breach is confirmed, full details — nature, scope, impact, mitigation — delivered per DPA requirements.

72 hr

Regulator notification (if required)

We notify the Finnish Data Protection Ombudsman per GDPR Article 33 where applicable.

Subprocessors

Who are Cloop's subprocessors?

Most B2B SaaS uses 15–30 subprocessors. We use three — and every one is in Europe.

Hetzner Online GmbH

Helsinki, Finland 🇫🇮

Infrastructure provider — servers, database hosting, object storage.

Nebius B.V.

Netherlands 🇳🇱

AI inference — embedding generation and LLM response generation. Transient processing, no training.

Let's Encrypt

Global (ISRG)

TLS certificate issuance. Processes domain names only — no personal data.

What we do NOT use

No Google Analytics · No Cloudflare · No Sentry · No Intercom · No Mailchimp · No ad trackers · No CDN · No fingerprinting

View full Subprocessor List with DPA references →

Security that passes your procurement review.

Book a demo. We'll walk your security team through the stack directly — and send you whatever docs, SIG-Lite, or vendor questionnaire responses you need.
