GDPR Commitment

Last updated: April 2026

1. Our Commitment

Attensus is built by Keyton ApS, a Danish company subject to the General Data Protection Regulation (GDPR) and the Danish Data Protection Act. Data protection is not an afterthought — it is embedded in the architecture, operations, and culture of our platform.

This page describes the technical and organizational measures we implement to protect your data and uphold your rights under GDPR.

Data Controller: Keyton ApS CVR: 44301958 Copenhagen, Denmark

2. Data Sovereignty — EU Only

All data processed by Attensus remains within the European Union at all times.

Compute and database: Hosted on Hetzner Cloud in Falkenstein, Germany
Object storage: Hetzner Object Storage in Falkenstein, Germany
Transactional email: Resend (EU processing)
No US cloud providers. We do not use AWS, Google Cloud, or Azure for data processing or storage.

There are no international data transfers outside the EU/EEA. Your data never leaves European jurisdiction.

3. Tenant Isolation

Attensus is a multi-tenant platform with strict data isolation between customers.

PostgreSQL Row-Level Security (RLS): Every database query is scoped to the authenticated tenant using PostgreSQL's native RLS policies. A tenant's data is invisible to all other tenants at the database level — not just at the application level.
Session-scoped tenant context: Each request sets a app.current_tenant session variable in PostgreSQL before any query executes. RLS policies enforce that only rows belonging to the current tenant are accessible.
Object storage isolation: Uploaded files and transformed data are stored in tenant-scoped paths, with access controlled by authenticated, tenant-specific pre-signed URLs.

No customer can access, query, or infer the existence of another customer's data.

4. Encryption

In Transit

All data transmitted between your browser and Attensus is encrypted with TLS 1.3. We enforce HTTPS on all endpoints with HSTS headers. Connections using older TLS versions are rejected.

At Rest

All data stored on disk — including database contents, uploaded files, backups, and audit logs — is encrypted with AES-256 encryption, managed by the hosting infrastructure. Encryption keys are managed by Hetzner's key management system and are not accessible to application code.

Backups

Database backups are encrypted and retained for 30 days on a rolling basis. Backup data is stored in the same EU region and subject to the same encryption standards.

5. Data Minimization

We collect only the data necessary to provide the service:

Account data: Name, email, organization name — required for authentication and access control
Operational data: Business metrics uploaded by the customer (e.g., hours, units, volumes) — required for forecasting
Usage data: Minimal server logs (timestamps, request paths, status codes) — required for reliability and security

We do not collect browsing behavior, device fingerprints, location data, or any data beyond what is strictly necessary for service delivery.

6. No Cross-Tenant Model Training

Customer data is never used to train, fine-tune, or improve forecasting models for other tenants. Each tenant's data is processed exclusively for that tenant's benefit. Forecast models are trained per-tenant on that tenant's data only.

Aggregate, anonymized platform metrics (e.g., total request counts, error rates) may be used to improve platform reliability, but these contain no customer-identifiable information.

7. Data Subject Rights

Attensus supports the full set of data subject rights under GDPR:

Right	How We Support It
Right of access (Art. 15)	Request a copy of all personal data we hold about you via Settings or by emailing dpo@attensus.com
Right to rectification (Art. 16)	Update your profile information directly in the platform, or contact us to correct any inaccuracies
Right to erasure (Art. 17)	Delete your data through Settings, or request full account deletion by emailing dpo@attensus.com. Deletion is completed within 30 days.
Right to restriction (Art. 18)	Request that we restrict processing of your data while a complaint or correction is pending
Right to data portability (Art. 20)	Export your operational data and forecast results in standard formats (CSV, JSON) through the platform
Right to object (Art. 21)	Object to processing based on legitimate interest by contacting dpo@attensus.com

We respond to all data subject requests within 30 days, as required by GDPR Article 12(3).

8. Data Protection Officer

Our Data Protection Officer can be reached at:

Email: dpo@attensus.com

The DPO oversees our compliance with GDPR, handles data subject requests, and serves as the point of contact for the Danish Data Protection Agency (Datatilsynet).

9. Sub-Processors

We use a limited number of sub-processors, all based in the EU or processing data within the EU:

Sub-Processor	Purpose	Location	Data Processed
Hetzner Online GmbH	Cloud compute, database hosting	Falkenstein, Germany (EU)	All platform data (encrypted)
Hetzner Online GmbH	S3-compatible object storage	Falkenstein, Germany (EU)	Uploaded files, transformed datasets
Resend Inc.	Transactional email delivery	EU processing	Recipient email address, email content

We notify customers at least 30 days before adding any new sub-processor. Customers may object to a new sub-processor, and we will work to address concerns or provide alternatives.

A current list of sub-processors is always available by contacting dpo@attensus.com.

10. Breach Notification

In the event of a personal data breach, we will:

Notify the supervisory authority (Datatilsynet) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
Notify affected customers without undue delay if the breach is likely to result in a high risk to the rights and freedoms of data subjects, as required by GDPR Article 34
Document the breach including its nature, likely consequences, and measures taken to address it

11. Privacy by Design and Default

In accordance with GDPR Article 25, Attensus implements data protection by design and by default:

By design: Security controls (RLS, encryption, tenant isolation) are architectural requirements, not bolt-ons. They cannot be bypassed by application code.
By default: We collect the minimum data necessary. New features default to the most privacy-protective settings. Access controls follow the principle of least privilege.

12. Supervisory Authority

Our supervisory authority is:

Datatilsynet (Danish Data Protection Agency) Carl Jacobsens Vej 35 2500 Valby, Denmark www.datatilsynet.dk

You have the right to lodge a complaint with Datatilsynet or with the supervisory authority in your EU member state of residence.

13. Contact

For questions about our GDPR practices:

Data Protection Officer: dpo@attensus.com
General inquiries: hello@attensus.com