WorkDecisions AI is built on the principle that client data belongs to the client — not to us, not to third-party processors outside your jurisdiction, and not to any infrastructure we cannot fully account for. All data is processed and stored in Frankfurt, Germany (EU), under full GDPR compliance.
All client data — including Executive Clone profiles, decision logs, compliance records, and audit trails — is stored exclusively in our Frankfurt, Germany Supabase instance (eu-central-1). No client data is processed in North America or any non-EU jurisdiction during normal operations.
Our standby infrastructure is in Canada (ca-central-1) for disaster recovery purposes only. No client data is actively written to or read from this instance during normal operations.

| System | Location | Purpose |
|---|---|---|
| Supabase (PostgreSQL + pgvector) | Frankfurt, Germany | Primary database for WorkDecisions AI — GDPR sovereign |
| Clone Data / Backups | Frankfurt / Munich | GDPR-compliant, SOC 2-aligned, ISO 27001-aligned |

| Data Category | Purpose | Retention |
|---|---|---|
| Executive profile data | Building and operating the Executive Clone | Duration of contract + 30 days |
| Decision logs | Audit trail and compliance reporting | 7 years (regulatory minimum) |
| Communication records | Governance and quality assurance | Duration of contract |
| Contact details (name, email, phone) | Account management and authentication | Duration of contract + 30 days |
| Billing information | Payment processing via Stripe (EU) | 7 years (accounting requirement) |
| IP addresses in audit logs | Security and compliance monitoring | 90 days |

The following third-party services process client data as part of our infrastructure. We maintain Data Processing Agreements (DPAs) with all sub-processors:

| Sub-processor | Purpose | Location | Basis |
|---|---|---|---|
| Supabase (PostgreSQL) | Primary database and authentication | Frankfurt, Germany (EU) | GDPR sovereign |
| RunPod | AI compute infrastructure | Switzerland | GDPR Article 45 adequacy |
| Netlify | Static site hosting (no client data) | Global CDN | Static assets only — no PII |
| HeyGen | Video avatar synthesis | United States | SCCs — disclosed in DPA |
| ElevenLabs | Voice cloning | United States | SCCs — disclosed in DPA |
| Resend | Transactional email delivery | United States | SCCs — disclosed in DPA |
| Stripe | Payment processing | European entity (Stripe Payments Europe Ltd) | GDPR compliant |

HeyGen and ElevenLabs process voice and video data in the United States. This is disclosed in the client Data Processing Agreement prior to signature. Clients may request alternatives if US processing is not acceptable.
To exercise any of these rights, contact: glen@workdecisionsai.com or call +1 315 352 4333. We respond within 30 days.
All enterprise clients receive a signed Data Processing Agreement (DPA) prior to onboarding. The DPA covers lawful basis for processing, sub-processor list, data retention schedules, breach notification timelines (72 hours to supervisory authority), and client audit rights.
To request a DPA template: glen@workdecisionsai.com
In the event of a personal data breach, WorkDecisions AI will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. Affected clients will be notified without undue delay where the breach is likely to result in high risk to their rights and freedoms.
Our Data Protection contact: glen@workdecisionsai.com
Last updated: May 2026. This document is reviewed quarterly and following any material infrastructure change. For the full privacy policy, see workdecisionsai.com/privacy.