Data Controller & Legal Basis
Kortave is operated from Hungary ("Kortave", "we", "us") and is subject to EU and Hungarian data protection law. Our registered entity details are set out in the Data Processing Agreement executed with each client and are available on request at privacy@kortave.eu.
Kortave operates in a dual capacity: (i) as a data processor under GDPR Article 28 when handling personal data contained in Client Data on behalf of its clients (data controllers) — in which capacity Kortave acts exclusively on the documented instructions of the data controller; and (ii) as an independent data controller in respect of account management, billing records, security logs, and platform analytics collected directly in the course of Kortave's own commercial operations. A Data Processing Agreement (DPA) is executed with every client prior to any processing activity commencing.
For data processed in Kortave's capacity as a controller, the lawful bases relied upon are: performance of contract (Art. 6(1)(b)) for service delivery to the contracting party; legitimate interests (Art. 6(1)(f)) for security monitoring, fraud prevention, and service analytics; and legal obligation (Art. 6(1)(c)) for records required by applicable Hungarian and EU law.
Kortave has assessed its obligations under GDPR Article 37. A designated data protection contact is reachable at privacy@kortave.eu for all data protection enquiries pending formal DPO designation where required.
We do not sell, rent, licence, or otherwise monetise personal data in any form. We do not use Client Data to train AI models without the client's explicit written contractual consent.
Read our Data Processing Agreement →Request a countersigned copy → privacy@kortave.euData Residency & Infrastructure
All Client compliance data and personal data processed as part of Kortave's core services is stored and persisted exclusively within the European Economic Area. Our primary infrastructure runs on Cloudflare's Nuremberg, Germany datacenter cluster, which holds ISO 27001, SOC 2 Type II, and PCI DSS certifications. CDN edge processing by Cloudflare may traverse Cloudflare's global Anycast network at the network layer; data-at-rest remains within the EEA.
Payment and billing data is processed by Paddle.com Market Ltd. (United Kingdom), which benefits from the EU-UK adequacy decision adopted under GDPR Art. 45, as currently in force. Kortave does not store, process, or transmit payment card data.
Data in transit between clients and our services is encrypted with TLS 1.3. Legacy protocols (TLS 1.0, TLS 1.1, SSLv3) are explicitly disabled at the network edge. Data at rest is encrypted using AES-256. All public-facing and internal service endpoints are served exclusively over TLS; HTTP requests are redirected to HTTPS at the edge.
Where personal data is transferred to sub-processors located in third countries outside the EEA (including AI model providers and transactional email services located in the United States), such transfers are governed by Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914. A Transfer Impact Assessment (TIA) is conducted and maintained on file for each such transfer.
Primary infrastructure
Hetzner Nuremberg (EEA)
TLS version
TLS 1.3 enforced
Encryption at rest
AES-256
Third-country transfers
Adequacy decision or SCCs only
Sub-Processors
The following sub-processors are authorised to process personal data on behalf of Kortave and its clients pursuant to GDPR Article 28(2). All sub-processors are bound by data processing agreements that comply with GDPR Article 28(3). Kortave will provide clients with not less than 30 days' prior written notice of any intended addition or substitution of sub-processors, affording clients the right to object on data protection grounds. Where an AI sub-processor processes data located in a third country, such processing is governed by Standard Contractual Clauses and a Transfer Impact Assessment.
| Processor | Purpose | Data location | Certifications |
|---|---|---|---|
Hetzner Online GmbH | Primary application hosting and server infrastructure | Nuremberg, Germany (EEA) | ISO 27001 · GDPR Art. 28 DPA |
Supabase, Inc. | Managed database for operational and prospect data | EU region (EEA-hosted project) | SOC 2 Type II · GDPR Art. 28 DPA |
Cloudflare, Inc. | Infrastructure, CDN, WAF, DDoS protection, network security | Nuremberg, Germany (EEA) | ISO 27001 · SOC 2 Type II · PCI DSS |
Paddle.com Market Ltd. | Payment processing, billing, merchant of record | London, UK (adequacy decision) | PCI DSS Level 1 |
Anthropic PBC | AI language model processing for compliance automation (Claude) | United States (SCCs + TIA in place) | SOC 2 Type II · GDPR Art. 28 DPA |
Resend Inc. | Transactional email delivery — system notifications, compliance alerts, account communications | United States (SCCs + TIA in place) | GDPR Art. 28 DPA in place |
All sub-processors are bound by GDPR Art. 28-compliant data processing agreements. Kortave will notify clients of any intended addition or replacement of sub-processors not less than 30 days before the change takes effect, affording clients the opportunity to object. Last updated: May 2026.
Data Retention & Deletion
Client data is retained for the duration of the active subscription. Upon termination of the service relationship, clients have 30 days to export their data using the self-service export tools provided. After this window, all personal data is permanently deleted from production systems.
Encrypted backup snapshots are retained for 90 days following deletion from production, after which they are cryptographically purged from all storage media. Audit logs are retained for 12 months to satisfy security monitoring obligations.
Financial records and invoices are retained for 8 years from the end of the relevant financial year in accordance with the Hungarian Accounting Act (Act C of 2000, § 169(2)). Kortave will never hold personal data beyond what is legally required or operationally necessary.
Active subscription
Retained in full
30 days post-termination
Export window open
90 days post-deletion
Encrypted backups only
12 months
Audit logs retained
8 years
Financial records (Hungarian Accounting Act)
Your Rights as a Data Subject
Under GDPR Chapter III, you hold the following rights with respect to personal data we process. To exercise any of these rights, contact privacy@kortave.eu. We will acknowledge your request within 5 working days and respond substantively within 30 days.
Right of access
Request a copy of the personal data we hold about you and information on how it is processed.
Right to rectification
Have inaccurate or incomplete personal data corrected without undue delay.
Right to erasure
Request deletion of your personal data where it is no longer necessary for the purpose it was collected.
Right to restriction
Restrict how we process your data in specific circumstances, for example while a dispute is resolved.
Right to portability
Receive your data in a structured, commonly used, machine-readable format and transfer it to another controller.
Right to object
Object to processing based on legitimate interests or for direct marketing purposes at any time.
Automated decisions
Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
Supervisory authority
Lodge a complaint with the NAIH (Hungary) or your local national DPA at any time, without prejudice to any other remedy.
Incident Response & Breach Notification
Kortave operates a structured incident response programme aligned with GDPR Articles 33 and 34. In the event of a personal data breach affecting data processed on behalf of clients, Kortave will notify the affected client (as data controller) without undue delay — and in any event within 72 hours of Kortave becoming aware of the breach — in accordance with GDPR Art. 33(2), thereby enabling the client to fulfil its own supervisory authority notification obligations where required. Where Kortave processes data in its own capacity as a data controller (e.g. account and billing data), Kortave will directly notify the competent supervisory authority (NAIH, Hungary) within 72 hours pursuant to GDPR Art. 33(1).
Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, affected individuals will be notified without undue delay in accordance with GDPR Art. 34. Notification will not be required if the breached data is encrypted in a manner that renders it unintelligible to unauthorised parties (Art. 34(3)(a)).
Affected clients will receive a formal incident report within 14 calendar days of breach confirmation, documenting: the nature and classification of the breach; the categories and approximate volume of personal data and data subjects affected; the likely consequences; the remediation measures taken or proposed; and preventative measures implemented to reduce recurrence.
Kortave maintains continuous automated threat monitoring via Cloudflare's security stack and internal detection tooling. Incident response procedures are reviewed and updated annually, and validated through structured tabletop simulation exercises.
Supervisory authority notification
72 hours · GDPR Art. 33
Affected individual notification
Without undue delay · Art. 34
Client incident report
Within 14 days
Threat monitoring
24/7 automated
AI & Automated Processing Disclosure
Kortave uses AI and automated processing — including third-party large language models (Anthropic Claude) — to deliver compliance automation services. We clearly identify AI-assisted outputs within the platform. No compliance output produced by Kortave is intended to be submitted to a regulatory authority or relied upon in a legal context without independent human review by your team.
Kortave's AI functionality does not fall within the high-risk categories enumerated in EU AI Act Annex III. No AI output is used to make decisions about natural persons that fall within the high-risk use cases specified in that Annex. Kortave operates as a deployer of General Purpose AI models (EU AI Act Title VIII) and applies appropriate transparency and human oversight measures commensurate with that classification.
You retain the right under GDPR Article 22 not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Any automated compliance output produced by Kortave can be reviewed, challenged, corrected, and overridden by your designated team members at any time through the platform interface.
Where EU AI Act transparency obligations apply to Kortave's operations, including under Art. 50 regarding AI-generated content, Kortave complies with those obligations. Regulatory guidance from the AI Office is monitored and incorporated into operational procedures as applicable.
EU AI Act classification
Kortave's AI functionality does not fall within the high-risk categories of EU AI Act Annex III. Kortave operates as a deployer of General Purpose AI models (Title VIII). AI-generated outputs are identified within the platform. Human review is available for all compliance decisions.
Infrastructure Security
Our infrastructure is protected by Cloudflare's enterprise-grade security stack, including Web Application Firewall (WAF) with OWASP Core Rule Set, automated DDoS mitigation up to Layer 7, rate limiting, bot management, and Zero Trust network access for internal services.
All internal service-to-service communication occurs over encrypted channels. No service exposes unencrypted HTTP endpoints. TLS certificates are issued by trusted Certificate Authorities and renewed automatically before expiry.
Cloudflare's Anycast network provides geographic redundancy across multiple EEA points of presence, with inherent resilience against volumetric attacks. Our infrastructure is covered by Cloudflare's ISO 27001, SOC 2 Type II, and PCI DSS certifications.
Application Security
Authentication is implemented using OAuth 2.0 / OpenID Connect via an established identity provider. Multi-factor authentication (MFA) is enforced for all user accounts. We do not build or maintain proprietary authentication infrastructure.
Authorisation follows Role-Based Access Control (RBAC). Users may only access data scoped to their own tenant. Cross-tenant data access is architecturally prevented at the database query level — not merely enforced by policy.
Application dependencies are scanned for known vulnerabilities on every build and on a weekly automated schedule. Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy) are enforced at the Cloudflare edge. Code undergoes review targeting OWASP Top 10 vulnerability classes during development.
Access Controls & Internal Security
Internal access to production systems follows the principle of least privilege. No engineer has standing access to production data. Access is granted on a time-limited, task-scoped basis with full audit logging for every action taken.
All Kortave personnel with access to systems processing personal data are bound by written confidentiality agreements. Multi-factor authentication is mandatory for all internal tooling, cloud console access, code repositories, and administrative interfaces.
All privileged actions in production environments are logged immutably and retained for 12 months. Anomalous access patterns trigger automated alerts. Client data is isolated at the database level — each tenant's data is logically and, where applicable, cryptographically separated from all other tenants.
Least privilege
No standing production access. Time-limited, scoped grants only.
MFA everywhere
All internal tooling, cloud consoles, and admin interfaces require MFA.
Immutable audit logs
All privileged actions logged for 12 months. Anomaly alerting in place.
Tenant isolation
Client data separated at the database level — logical and cryptographic isolation.
Confidentiality agreements
All personnel with data access bound by written NDAs.
ISO 27001-Aligned Controls
IMPORTANT: Kortave is not currently ISO 27001 certified. Formal certification by an accredited third-party certification body is in progress and targeted for 2026. The controls described in the table below are implemented against the ISO 27001:2022 standard framework and are subject to internal audit on a 12-month cycle. Kortave's primary infrastructure sub-processor, Cloudflare, Inc., holds active ISO 27001, SOC 2 Type II, and PCI DSS certifications. Clients in regulated sectors requiring certified processor status should note this disclosure prior to contracting.
ISO 27001:2022 control mapping
Organisational controls — information security policies, roles, and responsibilities
People controls — background verification, information security awareness and training
Physical controls — physical security perimeters, equipment security
User endpoint devices and privileged access rights
Secure authentication — MFA, access control policy
Configuration management and change management
Data leakage prevention — encryption, data masking
Logging and monitoring — audit log retention and review
Web filtering and application security controls
Security testing in development and acceptance — OWASP Top 10 coverage
Change management — production deployment controls
Information security event reporting and incident management
Kortave is not currently ISO 27001 certified. Formal certification by an accredited body is in progress, targeted for 2026. All controls listed above are implemented against ISO 27001:2022 and subject to internal audit on a 12-month cycle. Cloudflare, Inc. (Kortave's primary infrastructure sub-processor) holds active ISO 27001 certification.
Penetration Testing & Vulnerability Disclosure
Kortave is committed to annual third-party penetration testing of its platform and infrastructure. The first formal engagement is scheduled for Q3 2026. Findings are reviewed by the leadership team; critical and high-severity issues are remediated before the next test cycle begins.
We operate a responsible disclosure programme. If you discover a security vulnerability in Kortave's platform, please report it to security@kortave.eu with a description of the finding, steps to reproduce, and any supporting evidence. We aim to acknowledge reports within 2 business days and to provide a remediation timeline within 10 business days. We request that researchers refrain from disclosing the vulnerability publicly until Kortave has had a reasonable opportunity to investigate and remediate.
A formal public bug bounty programme is planned for Q3 2026. Details will be published on this page when the programme launches.
Report acknowledgement
2 business days
Remediation timeline
10 business days
Annual pentest
Q3 2026 (first engagement)
Bug bounty programme
Q3 2026 (planned)
Business Continuity
Our recovery targets are: Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour for all critical services. These targets are reviewed annually and validated through simulated failure exercises.
Daily encrypted backups are taken of all persistent data stores and replicated across multiple geographic zones within the EEA. Backup integrity is verified through automated restore tests run on a weekly schedule. Backups are retained for 90 days.
Cloudflare's Anycast architecture provides inherent geographic redundancy. In the event of a datacenter-level failure, traffic is automatically routed to the nearest healthy node with no manual intervention required. Planned maintenance windows are communicated to clients at least 48 hours in advance, except where emergency security patching requires immediate deployment to address a critical vulnerability — in such cases Kortave will provide notice as soon as practicable.
RTO
4 hours
Recovery time objective
RPO
1 hour
Recovery point objective
Backups
Daily
Encrypted, 3-zone EEA
Backup retention
90 days
Then cryptographic purge
Payment Security
Kortave uses Paddle.com Market Ltd. as its Merchant of Record for all payment processing. Under this arrangement, Paddle is the data controller for all payment and billing data. Kortave never stores, processes, sees, or transmits payment card numbers, CVV codes, or full billing addresses.
Paddle holds PCI DSS Level 1 certification — the highest tier for payment card data security. All payment interactions occur exclusively within Paddle's PCI DSS-compliant environment. Kortave's systems receive only a non-sensitive transaction reference and a subscription status indicator.
In the event of a billing dispute, a cancellation request, or a refund relating to a payment transaction, Paddle is the entity legally responsible for resolution under their Merchant of Record agreement. Kortave will cooperate fully with Paddle and the client in any such process.
Kortave never sees your card data
All payment card data is handled exclusively by Paddle (PCI DSS Level 1). Kortave receives only a non-sensitive transaction reference. Your full card number, CVV, and billing address never touch our systems.
Data protection enquiries
For Data Processing Agreement requests, subject access requests, breach notifications, or any data protection enquiry — our team responds within one business day.
See Kortave output in practice
Last reviewed: May 2026 · Next scheduled review: November 2026 · Version 1.0