Security & trust
Built for AI adoption security and compliance.
Ciralgo is designed for organisations that take AI adoption security and compliance seriously. We combine EU-first hosting, strong technical controls and clear analytics so you can scale AI worldwide with confidence.
Our security principles
We build and run Ciralgo using a few simple principles:

Privacy by design
We minimise the personal data we process, focus on metadata about AI usage and give you control over what is collected and how long it is kept.

Least privilege
Access is granted on a need-to-know basis, with role-based permissions and clear separation between customer environments.

Transparency & auditability
We provide logs and dashboards that show who used which AI tools, when and for which workflows. This visibility is essential for governance, audits and internal reviews.

Shared responsibility
Security and compliance are a joint effort. We provide secure infrastructure and tooling. You configure policies, access, and business rules that fit your organisation.

Data protection & GDPR
Data protection is a fundamental right under EU law, and regulations such as the General Data Protection Regulation (GDPR) set detailed requirements for how personal data is collected, stored and used. Ciralgo supports your GDPR efforts by:
- Focusing primarily on usage metadata (who used which AI tool, when and for which workflow), not on storing full prompt or document content by default.
- Providing configuration options for data retention, so you can align logs with your internal policies.
- Offering export capabilities so you can respond to data subject requests using your own processes.
We are not a law firm and we do not provide legal advice. You remain the data controller for your use of Ciralgo and your AI tools; we act as a data processor according to our agreements and your instructions.
For more information about the GDPR, see the European Commission’s data protection overview and legal framework.
Cloud infrastructure
We run on trusted European cloud providers with data centres in the EU, including the Netherlands, to support data residency requirements.
Data hosting & residency
Regional flexibility
While our default is EU hosting, we can support different regional setups for global organisations that need to respect both EU and non-EU regulations.
Data residency controls
We design our platform so that you can keep sensitive AI usage data within agreed regions and understand where data is stored and processed.
EU AI Act readiness
The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive legal framework on AI in the world. It introduces a risk-based approach for AI systems and clarifies obligations for AI developers and deployers.
While Ciralgo does not replace your legal and regulatory functions, our platform is designed to support key aspects of AI Act readiness:
- Usage and risk visibility
  See where AI is used in your organisation, which tools are involved and which workflows might fall into higher-risk categories.
- Logging & documentation
  Maintain records of AI usage, policies, and changes over time that can feed into your technical and organisational measures.
- Monitoring & alerting
  Track adoption and usage patterns that may signal emerging risks or non-compliant behaviours, so you can intervene early.
For an overview of the AI Act, we recommend the European Commission’s AI Act page and other official summaries.
Ciralgo can also help non-EU organisations that serve EU customers or employees, who may still be affected by the AI Act and GDPR even if they are headquartered elsewhere.

Technical security measures
Role-based access control (RBAC)
Assign roles such as admin or editor and limit who can change configurations, access sensitive dashboards or export data.
Single sign-on (SSO)
For larger customers, we can integrate with your identity provider so users authenticate with existing corporate accounts.
Audit logging
Key administrative actions (e.g. changing policies, integrations or permissions) are logged so you can trace changes over time.
Compliance posture & roadmap

Ciralgo is developed with established security frameworks in mind, such as ISO 27001 and SOC 2, and we are building our policies, processes and controls in line with these standards. Our focus areas include:
- Formalised information security policies
- Access management and least-privilege practices
- Change management and code review processes
- Vendor risk management for our own providers
As we grow, we aim to pursue formal certifications in line with customer demand and regulatory expectations. Until then, we are transparent about our controls and happy to answer detailed security questionnaires.
Your responsibilities
Security and compliance are always a shared responsibility.

Integrations
You decide which tools and systems to connect to Ciralgo.

Policies
Define policies, roles, and retention settings that match your regulatory context.

Legal obligations
You remain responsible for fulfilling legal obligations under GDPR, the EU AI Act and other relevant regulations.
Questions about security & compliance?
If you have specific security, privacy or compliance questions, we’re happy to talk.
