Security program

Data Security

Last updated: 21.03.2026

At Liro I/S, we implement technical and organizational measures designed to protect personal data and ensure a high level of security across our platform.

Our security approach is based on industry best practices across infrastructure, application development, and data protection, and is continuously reviewed and improved.

Infrastructure and Hosting

Our infrastructure is hosted within the European Union using trusted cloud providers:

  • Supabase (database infrastructure)
  • Amazon Web Services (AWS, EU-North-1 – Stockholm)

We leverage enterprise-grade cloud infrastructure with built-in redundancy, physical security, and high availability.

Infrastructure is continuously maintained and updated to ensure a secure and resilient environment.

Data Protection and Encryption

All data is protected using industry-standard encryption mechanisms:

  • Encryption in transit using TLS (HTTPS)
  • Encryption at rest within our database and storage systems

Sensitive data is handled with strict controls to ensure confidentiality and integrity throughout its lifecycle.

Access Control and Data Isolation

Access to systems and data is strictly controlled and limited to authorized users only.

We implement:

  • Role-based access control (RBAC)
  • Row Level Security (RLS) at the database level
  • Principle of least privilege across internal systems

Customer data is logically isolated in a multi-tenant architecture, ensuring that each organization can only access its own data.

Access rights are reviewed regularly and adjusted when no longer required.
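As an added illustration of the database-level tenant isolation described above (example SQL written for this page, not Liro's own schema or policies): a Postgres Row Level Security setup of the kind Supabase supports, assuming a hypothetical conversations table with an organization_id column and a JWT whose app_metadata carries the caller's organization id.

```sql
-- Added example, not Liro's own code. Assumed: a "conversations" table keyed by
-- organization_id, and Supabase's auth.jwt() helper exposing the caller's claims.
create table if not exists conversations (
  id              bigint generated always as identity primary key,
  organization_id uuid not null,
  customer_email  text,
  body            text,
  created_at      timestamptz not null default now()
);

-- 1. Deny by default: once RLS is enabled, a role with no matching policy sees no rows.
--    FORCE extends this to the table owner; note that Supabase's service_role key still
--    bypasses RLS, so it must only be used server-side.
alter table conversations enable row level security;
alter table conversations force row level security;

-- 2. One policy for reads and writes. USING filters the rows a caller can see or touch;
--    WITH CHECK additionally rejects inserts or updates that would move a row into another
--    tenant, which USING alone does not prevent. Casting the claim to uuid makes a missing
--    or malformed claim fail loudly instead of silently matching nothing.
create policy conversations_own_tenant_only
  on conversations
  for all
  to authenticated
  using (organization_id = (auth.jwt() -> 'app_metadata' ->> 'organization_id')::uuid)
  with check (organization_id = (auth.jwt() -> 'app_metadata' ->> 'organization_id')::uuid);

-- 3. Review check: impersonate a constructed tenant's claims inside a transaction and
--    confirm that no row belonging to any other tenant is visible. Expected count: 0.
begin;
  set local role authenticated;
  set local request.jwt.claims =
    '{"role":"authenticated","app_metadata":{"organization_id":"00000000-0000-0000-0000-000000000001"}}';
  select count(*) as leaked_rows
    from conversations
   where organization_id <> '00000000-0000-0000-0000-000000000001';
rollback;
```

The same check can be repeated for each tenant in a test database as part of an access review, since a policy that quietly stops filtering is easy to miss from the application side.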

Application Security

We follow secure development practices throughout the software lifecycle.

This includes:

  • Input validation and output sanitization
  • Protection against common web vulnerabilities (e.g. XSS, injection, CSRF)
  • Secure session management
  • Controlled error handling to prevent information leakage

We continuously review and improve our codebase to reduce security risks.

API and System Security

All system interactions are protected through secure APIs and controlled access mechanisms.

We apply:

  • Authentication and authorization for all API access
  • Rate limiting and abuse prevention mechanisms
  • Validation of incoming and outgoing data

These measures help prevent unauthorized access and misuse of the platform.

Monitoring, Logging, and Detection

We maintain continuous monitoring and logging across our infrastructure and application layers.

This includes:

  • Real-time monitoring of system activity
  • Logging of access, authentication events, and system changes
  • Detection of unusual or suspicious behavior

These systems allow us to identify, investigate, and respond to potential security threats quickly.

Incident Response

We maintain procedures for detecting, investigating, and responding to security incidents.

In the event of a data breach or security incident, we:

  • Act promptly to contain and mitigate the issue
  • Assess the impact on affected systems and users
  • Notify affected parties and relevant authorities in accordance with applicable laws

We continuously improve our incident response processes based on learnings and evolving risks.

Backup and Disaster Recovery

We implement secure and automated backup mechanisms to ensure data durability and availability.

Our approach includes:

  • Regular backups of critical data
  • Protection of backup data
  • Recovery procedures designed to restore data in case of failure

Our infrastructure is designed to minimize downtime and ensure service continuity.

Data Protection and Privacy Controls

We apply data protection principles throughout our platform:

  • Data minimization (only necessary data is processed)
  • Purpose limitation (data used only for defined purposes)
  • Configurable data retention and deletion

Businesses using Liro can control how long data is stored, and data is automatically deleted or anonymized based on these settings.

AI and Data Usage

We use AI systems to generate responses within the platform.

  • Customer data is not used to train external AI models
  • AI operates within controlled environments
  • Responses are assistive and require human oversight

We implement safeguards to reduce misuse and ensure responsible AI usage.

Subprocessors and Third-Party Security

We rely on a limited number of trusted subprocessors, including:

  • Supabase
  • Amazon Web Services (AWS)
  • OpenAI

All subprocessors are subject to Data Processing Agreements (DPAs) and are evaluated to ensure compliance with data protection standards.

Where data is processed outside the EU/EEA, appropriate safeguards such as Standard Contractual Clauses (SCCs) are applied.

Compliance

Liro I/S operates in accordance with applicable data protection laws and frameworks, including:

  • GDPR (General Data Protection Regulation)
  • EU AI Act

We follow established security and privacy practices aligned with modern SaaS standards.

Legal Basis for Processing

Liro I/S processes personal data only where a valid legal basis exists under the GDPR, ensuring that all processing activities are lawful, fair, and transparent.

Processing is primarily based on:

  • Contractual necessity (Art. 6(1)(b)), where processing is required to deliver and operate our services
  • Legitimate interests (Art. 6(1)(f)), including maintaining platform security, improving product performance, and enabling effective customer support

We ensure that all processing is necessary, proportionate, and aligned with the rights and expectations of individuals.

Conversation Data and Retention

As part of our services, Liro I/S stores customer support conversations in order to provide full platform functionality.

These conversations may contain personal data such as email addresses, order information, and other details provided by end-users during support interactions.

The purpose of storing conversation data includes:

  • Enabling businesses to access historical conversations
  • Providing analytics and insights based on past interactions
  • Allowing support teams to follow up on unanswered conversations
  • Preserving context to ensure accurate and relevant responses

Without storing conversation data, these core features would not be possible.

Businesses using Liro have full control over data retention settings directly within the application. They can choose how long conversation data is stored, including:

  • 30 days
  • 60 days
  • 90 days
  • 6 months
  • 1 year
  • Indefinitely

Data is automatically deleted or anonymized in accordance with the selected retention period.

Data Subject Rights

Individuals whose personal data is processed by Liro I/S have the following rights under the GDPR:

  • The right to access their personal data
  • The right to have inaccurate data corrected (rectification)
  • The right to have their data deleted (erasure)
  • The right to restrict processing
  • The right to object to processing
  • The right to receive their data in a structured, commonly used format (data portability)

Requests related to these rights can be made by contacting us directly, and we will respond in accordance with applicable data protection laws.

Contact

For security-related inquiries or reporting potential vulnerabilities: contact@liro.dk
