Is Cloop GDPR-compliant and secure for EU B2B data?
Cloop stores all customer data in Helsinki, Finland, never trains AI on your conversations, and operates entirely within the EU under a standard Data Processing Agreement.
Last updated: April 2026
In one sentence
Cloop is GDPR-compliant and EU-only by architecture, data in Helsinki, inference in the Netherlands, no training on your data, with DPA, sub-processor list, and SSO included in every plan.
Hetzner Helsinki ยท Nebius Netherlands ยท ROFFI Oy as EU data controller
Does Cloop train AI models on customer conversations?
No. Cloop contractually prohibits training AI models on customer conversation data. This prohibition is in the standard Data Processing Agreement (DPA) and applies to both Cloop and the AI inference provider (Nebius B.V.). Three non-negotiable commitments follow.
EU-only data residency
All data stored and processed on Hetzner infrastructure in Helsinki, Finland. No transfers outside the EU/EEA, ever.
We never train AI on your data
Your customer conversations, CRM data, and visitor information are never used to train AI models, ours or anyone else's. Nebius AI Studio, our inference provider, confirms this contractually.
Transparent security
Every detail of our infrastructure, subprocessors, and processing is public. Read the Security Overview, DPA, and Subprocessor List, nothing is hidden.
Where is Cloop customer data stored?
All Cloop customer data is stored in Helsinki, Finland, on Hetzner Online GmbH infrastructure (fi-hel-1 zone). No production data leaves the EU under any circumstance. For EU buyers, data residency is a compliance requirement, Cloop was architected EU-first from day one.
Is Cloop compliant with Schrems II?
Yes. Cloop operates entirely within the EU, no data transfers to the US or other non-adequate jurisdictions. Hetzner is EU-based, Nebius is EU-based, and ROFFI Oy is EU-based. Schrems II concerns about EU-US data transfers do not apply. Our security program also runs to ISO 27001, SOC 2, and ISO 42001 requirements, formal certifications are on our 2026โ2027 roadmap.
GDPR
Finnish company directly subject to EU data protection law. Full DPA available. All data subject rights supported.
View DPA โISO 27001
Our information security management system is built to ISO 27001 standards. Formal certification planned for 2026.
SOC 2
Controls and processes align with SOC 2 Trust Services Criteria (Security, Availability, Confidentiality). Type I audit planned for 2026.
ISO/IEC 42001:2023
AI management system standard. We run our AI governance to the ISO 42001 framework, one of few European B2B tools doing so.
ePrivacy Directive
Widget uses localStorage (not cookies) for visitor identification. No ad trackers, no fingerprinting.
Finnish data protection law
Registered Finnish company (Business ID 3500046-5), directly supervised by the Finnish Data Protection Ombudsman.
What security engineering practices does Cloop use?
Cloop runs six layers of engineering controls, encryption, authentication, authorization, input validation, rate limiting, and audit logging, with SSO via Microsoft Entra ID, Google Workspace, and SAML 2.0 supported on Team plans. Security isn't a checkbox added at the end, it's in every layer, from network to application to AI.
๐ Encryption
- TLS 1.2+ for all connections, HSTS enforced
- Full-disk encryption at rest (Hetzner VPS)
- Encrypted backups in EU
๐ Authentication
- OAuth 2.0 / OpenID Connect
- Google, GitHub, Microsoft sign-in
- JWT tokens in Authorization headers
- No session cookies = no CSRF attack surface
๐ก๏ธ Authorization
- Multi-tenant isolation: every query scoped by tenant ID
- Role-based access (Owner, Admin, Member)
- Feature gating enforced at API level
- Per-site widget embed tokens
โ๏ธ Input validation
- Parameterized queries (no SQL injection)
- SSRF protection in web crawler
- Content-type and size validation on uploads
- Widget sanitizes all rendered content (no XSS)
๐ฆ Rate limiting
- Multi-tier sliding window limits per IP
- Separate budgets per tenant
- Daily AI cost cap prevents runaway use
๐ Audit logging
- Structured JSON logs for auth events
- Site-level change tracking
- 12-month retention for audit trail
How AI actually sees your data.
We're explicit about what crosses the AI provider boundary, and what stays on our servers.
- Visitor email addresses and identifiers
- Account credentials and internal metadata
- Data from other tenants (multi-tenant isolation)
- Vector embeddings and similarity search (runs locally via pgvector)
- Session state, lead records, analytics
- Visitor's message text (current turn)
- Relevant content chunks from your knowledge base
- System instructions (language, persona, phase)
- Recent conversation context (current session)
Full GDPR rights, fully supported.
Every right guaranteed by GDPR Articles 15โ22 is implemented in Cloop, not just promised in a policy.
Right of access
Export your data from the dashboard anytime, or email privacy@cloop.io.
Right to rectification
Edit your profile and settings directly in the dashboard.
Right to erasure
Delete your account in the dashboard, all data removed within 30 days.
Right to restrict
Pause processing of specific data by contacting privacy@cloop.io.
Right to portability
Request a machine-readable export of all your data.
Right to object
Object to processing based on legitimate interest anytime.
We respond to all data subject requests within 30 days (extendable to 90 for complex requests, with notice).
Small team, direct process, fast response.
When something goes wrong, you'll hear from us fast, by phone for critical incidents, by email always.
Detection
Monitoring alerts, log anomalies, or customer report triggers immediate investigation.
Customer notification begins
For critical incidents affecting your data, we call account owners by phone. Email follows immediately.
Formal breach notification (DPA)
If a data breach is confirmed, full details, nature, scope, impact, mitigation, delivered per DPA requirements.
Regulator notification (if required)
We notify the Finnish Data Protection Ombudsman per GDPR Article 33 where applicable.
Who are Cloop's subprocessors?
Most B2B SaaS uses 15โ30 subprocessors. We use three, and every one is in Europe.
Hetzner Online GmbH
Infrastructure provider, servers, database hosting, object storage.
Nebius B.V.
AI inference, embedding generation and LLM response generation. Transient processing, no training.
Let's Encrypt
TLS certificate issuance. Processes domain names only, no personal data.
No Google Analytics ยท No Cloudflare ยท No Sentry ยท No Intercom ยท No Mailchimp ยท No ad trackers ยท No CDN ยท No fingerprinting
Evaluating Cloop for your organization?
Your security team needs specifics. Everything they need is either on this page or one link away.
Security Overview
Full technical detail: infrastructure, application security, AI architecture, incident response.
Read โData Processing Agreement
GDPR-compliant DPA. Sign-ready. Covers processing terms, subprocessors, breach notification.
Read โSubprocessor List
Every third party that touches your data, with locations and safeguards.
Read โPrivacy Policy
Data collection, legal basis for each processing activity, retention periods.
Read โQuestions your docs can't answer? Email security@cloop.io, we respond within 24 hours.
Security that passes your procurement review.
Request a demo. We'll walk your security team through the stack directly, and send you whatever docs, SIG-Lite, or vendor questionnaire responses you need.
Request a demo