Security

Security, stated plainly.

Ahel is an early, independent company, and this page reflects exactly where we are — not a badge we haven’t earned. We do not hold SOC 2 or ISO 27001 certification and we don’t claim the posture of a company that does. What follows is what we actually do: where your data lives, how the credentials you connect are protected, who else touches the data, and what your rights are under the GDPR.

Where your data lives

Application data — your account, workspace settings, usage records, and the credentials you connect — is hosted on infrastructure in the European Union (Germany). We retain workspace data for as long as your account is active; delete the account and the workspace data is deleted with it.

Credential encryption

When you connect your own source keys, they are encrypted at rest with AES-256-GCM — an authenticated cipher, so a tampered blob fails its integrity check and is rejected rather than decrypted to forged plaintext. Each secret is encrypted under a fresh random nonce, so identical inputs never produce identical ciphertext. The master key is supplied through the environment and held separately from the database — it is never committed to source, and there is no weak default: if the key is missing, encryption fails closed rather than falling back. We never display a connected secret back to you; the UI shows only a masked last-four preview.

API keys you create for calling Ahel are stored only as salted hashes. The full key is shown once, at creation, and never kept.

Subprocessors

These are the third parties that process data on our behalf to run the service. We keep the list short and name each one.

SubprocessorPurposeRegion
StripePayment processing for credit purchases. We never see or store card numbers.EU / global
SendGrid (Twilio)Transactional email — sign-in links and account notifications.EU / global
CloudflareCDN, DNS, and edge protection for the ahel.ai surface.Global edge

Data sources you query are contacted to answer a call, under each source’s own terms — the library page names where each source’s data comes from.

GDPR posture

Your account data

Under the GDPR you can request a copy of your data, ask us to correct it, or ask us to delete it. Write to [email protected] and we will respond within 30 days. Ahel Technologies OÜ is established in Estonia; you may also complain to the Estonian Data Protection Inspectorate (AKI).

Persons who appear in resolution results (Article 14)

Ahel resolves entities from public registries, official records, and the open web, which means a person may appear in a result without ever having interacted with us. Under Article 14 of the GDPR — information to be provided where data is not obtained from the data subject — such a person has the right to know their data is being processed and to exercise the same access, rectification, and erasure rights. If you believe you appear in Ahel’s results and want to make a data-subject request, email [email protected]. We treat these requests seriously and respond within the GDPR time limit.

Data processing agreement

If you process personal data through Ahel on behalf of your own customers, a GDPR Article 28 Data Processing Agreement (DPA) is available on request — email [email protected] and we will send the current version.

More detail on data handling is in our privacy policy and terms. Who we are is on the about page.