Drall

These legal documents are provided in English only. English is the binding and authoritative language; any translation is for convenience only.

Trust & Security

Security by Design

Drall is built with security at its core — not as an afterthought. Every architectural decision is made with data protection, client confidentiality, and regulatory compliance in mind.

EU-Based Primary Infrastructure

Your core application data — accounts, engagements, documents, and the knowledge base — is stored in EU data centers (Frankfurt) via Supabase. To deliver AI features, some content is processed by specialist sub-processors located outside the EU (for example, AI model providers in the United States). These transfers are governed by Data Processing Agreements and EU Standard Contractual Clauses. The full list of sub-processors and their locations is in our Privacy Policy.

GDPR-Aligned by Design

We build around the principles of the General Data Protection Regulation (GDPR): data minimization, purpose limitation, and lawful processing. We maintain Data Processing Agreements with our sub-processors and rely on Standard Contractual Clauses for transfers outside the EEA.

No Training on Your Data

Your data is yours. We do not use your client data, engagement content, or uploaded documents to train or fine-tune our own models. Our AI providers are engaged via their APIs under terms that do not use API content to train their models.

Connected Sources Respect Native Permissions

When you connect Microsoft 365 (SharePoint and OneDrive), Drall accesses only the sites, folders, and files you choose to import, within the scope of the administrator consent you grant. We store imported content by reference — metadata, permissions, and AI embeddings — rather than keeping copies of the original files, which are fetched on demand from Microsoft and not retained. Crucially, we ingest each item's native access control list and enforce those same permissions at query time, so users only ever retrieve content they are already allowed to see in Microsoft 365. Connection credentials and tokens are encrypted (AES-256-GCM), and you can revoke access at any time.

Client Data Separation

Every client's data is logically separated at every layer of the application — from database to API to agent execution. Role-based access controls mirror your firm's internal access rights, ensuring no data leakage across teams.

Role-Based Access Control

Configurable roles (Managing Partner, Partner, Engagement Lead, Consultant) govern who can see and act on which data. Permissions are enforced at every layer — UI, API, and database.

Full Audit Trail

Every agent action, human decision, and system event is logged and traceable. The complete work trail is available for review at any time, providing full accountability and transparency.

Encryption

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Authentication tokens and session data are handled through secure, HTTP-only cookies with strict same-site policies.

Data Processing Agreement

For business customers, our Data Processing Agreement (DPA) sets out how Drall processes personal data on your behalf under Art. 28 GDPR, including our technical and organizational measures and the current list of sub-processors.

Questions?

If you have questions about our security practices or need additional information for your compliance review, please contact us at hello@drall.ai.