GDPR & HIPAA Compliance

Compliance built into the architecture.

VS3 was designed for regulated industries. GDPR and HIPAA requirements are not an afterthought — they are encoded into the storage architecture, audit trail, and key management layer.

Note: This page should be reviewed by your legal team. For DPA or BAA requests, contact saadi@vautra.com


GDPR

General Data Protection Regulation

What Vautra Collects

Account data: name, email, billing information

Content data: files — encrypted end-to-end, never read by Vautra

Usage and technical data for platform operation

Payment data processed via PCI-DSS certified partners

Legal Basis for Processing

Art. 6(1)(b) — Contractual necessity for service delivery

Art. 6(1)(a) — Consent for marketing communications

Art. 6(1)(c) — Legal obligation compliance

Art. 6(1)(f) — Legitimate interest for security monitoring

Where Your Data Is Stored

EU users' data is stored preferentially in the European region

Files encrypted at rest (AES-256) and in transit (TLS 1.3)

International transfers protected by SCCs and adequacy decisions

Region selection enforced at the infrastructure level

Data Retention

Account data: retained for 90 days post-deletion, then purged

Uploaded files: removed within 30 days of deletion

Billing records: retained for 7 years

Audit logs: 12 months active access, 5 years archived

Your GDPR Rights

Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17)

Restriction (Art. 18), Portability (Art. 20), Object (Art. 21)

Withdraw Consent (Art. 7(3)) at any time

All requests are responded to within 30 days

Data Processing Agreement

DPA available for all enterprise clients

Covers Controller/Processor roles and sub-processor list

Breach notification within 72 hours

Includes SCCs and audit rights


HIPAA

Health Insurance Portability and Accountability Act

Technical Safeguards

AES-256 encryption at rest (NIST SP 800-111)

TLS 1.3 encryption in transit

Access controls with role-based permissions

Automatic logoff and session management

Audit Controls

Real-time audit log of all file access, share and deletion events

Anryton blockchain object proofs for tamper-proof verification

Audit log export in CSV, JSON or PDF format

Real-time alerts for suspicious access events

Breach Notification

Covered Entity notified within 60 days (target: 10 business days)

AES-256 encryption qualifies for HIPAA Encryption Safe Harbor (NIST SP 800-111)

Incident response team activated on detection

Full documentation provided for regulatory reporting

Request a Business Associate Agreement

Template provided within 5 business days · Contact: saadi@vautra.com


Powered by Anryton

A blockchain audit layer you can verify independently.

VS3 uses Anryton — Vautra's own EVM-compatible private Layer 1 blockchain built on Cosmos SDK with Tendermint consensus — to store object proofs for every file action.

Anryton is fully owned and operated within the Vautra ecosystem — it is not a third-party dependency. Learn more at anryton.com.