Security
Last updated: February 2026
Our Commitment
Watchdog is built to handle sensitive financial data — invoices, contracts, and agreements. Security is foundational to our platform, not an afterthought. We are committed to:
- European data sovereignty — all data is stored and processed exclusively within the EU
- GDPR compliance — full compliance with EU data protection regulations
- Zero AI training — customer data is never used to train AI models
- Enterprise-grade encryption — AES-256 at rest, TLS 1.3 in transit
Compliance & Certifications
GDPR Compliance
Our platform ensures lawful processing basis, strict data minimization, and full support for data subject rights including access, rectification, erasure, and portability. Customers can exercise these rights by contacting hello@watchdog.no.
Industry Standards
Our infrastructure providers maintain the following certifications:
| Provider | Certifications |
|---|---|
| Google Cloud | ISO 27001, SOC 2 Type II, FedRAMP |
| Supabase (AWS) | SOC 2 Type II, HIPAA |
| Vercel | ISO 27001, SOC 2 Type II |
| Clerk | SOC 2 Type II |
Watchdog is currently pursuing ISO 27001 certification, targeted for Q2 2026. A third-party penetration test is scheduled for March 2026. SOC 2 Type II audit initiation is planned for H2 2026. We use Drata for continuous compliance monitoring and evidence collection.
Infrastructure & Data Residency
All customer data is stored and processed exclusively within the European Union. For a complete list of infrastructure providers and their processing locations, see our subprocessor list.
Your data never leaves the European Union.
Security Controls
Encryption
In transit: All communication between clients, servers, and third-party services is encrypted with TLS 1.3 or higher. This includes browser-to-server, server-to-database, server-to-AI services, and all webhook integrations.
At rest: All persistent data is encrypted with AES-256:
- Database encryption managed by Supabase (AWS)
- File storage encryption managed by Supabase (AWS)
- Sensitive integration credentials (OAuth tokens, API keys) additionally encrypted at the application level with AES-256-GCM before storage
Key management: Encryption keys are managed by our infrastructure providers using hardware security modules (HSM). Application-level encryption keys are stored separately from customer data with strict access controls.
Multi-Tenant Isolation
Customer data is logically isolated with defense in depth across four independent layers:
- Request authentication: Every incoming request is validated against the user's organization membership before reaching the application. Requests for organizations the user does not belong to are rejected at the middleware level.
- Application-level enforcement: All database queries are automatically scoped to the authenticated user's organization. No query can execute without an organization filter.
- Database-level enforcement: Row Level Security (RLS) is enabled on all database tables, providing an independent layer of tenant isolation at the PostgreSQL level.
- Storage isolation: Documents are stored in organization-scoped paths. Access is validated against the user's organization before generating time-limited signed URLs (1-hour expiry).
There is no shared data between organizations at any layer. Even if one layer were compromised, the remaining layers independently prevent cross-tenant data access.
Access Control
- Authentication via Clerk with support for Multi-Factor Authentication (MFA) and Single Sign-On (SSO)
- Principle of least privilege applied to all employee access
- Employees cannot access customer data except for support or legal compliance purposes
- All internal access is logged and monitored
- Annual access privilege reviews
Personnel Security
All staff and contractors sign confidentiality agreements and complete security awareness training.
Application Security
- Continuous compliance monitoring and evidence collection via Drata
- Mandatory code reviews for all changes
- Automated DDoS protection via Vercel
- Webhook signature verification with HMAC and timing-safe comparison to prevent spoofing, and timestamp validation to prevent replay
- Vulnerability remediation targets: Critical (48 hours), High (7 days), Medium/Low (90 days)
- Third-party penetration testing scheduled for March 2026, with regular testing thereafter
Integration Security
Watchdog integrates with customer accounting systems to sync invoice data. Each integration follows a consistent security pattern:
- All integrations communicate exclusively over HTTPS
- Read-only access only — Watchdog never modifies data in the customer's accounting system
- OAuth tokens and API keys are encrypted at the application level with AES-256-GCM before storage, in addition to database-level encryption
- Customers can disconnect any integration at any time through the Watchdog interface, and can also revoke access directly from their accounting system
- Inbound webhooks are verified with HMAC signature verification and timing-safe comparison, with replay protection via timestamp validation
Internal Access Controls
Access to production systems is restricted to a minimal number of authorized personnel. Production access is:
- Limited to essential operations (deployment, incident response, customer support)
- Protected by multi-factor authentication
- Subject to annual access reviews
Backup, Disaster Recovery & Availability
- The platform targets 99.9% availability, built on providers with 99.95%+ SLAs
- Daily automated backups with point-in-time recovery via Supabase
- Recovery Point Objective (RPO): up to 24 hours of data
- Recovery Time Objective (RTO): near-instant for the application (serverless — no servers to restart), up to 4 hours for the database
- All backups encrypted and stored within the EU
- Annual restore capability testing
AI-Powered Document Processing
Zero Training Policy
Customer data is never used to train AI models. Google Vertex AI operates under enterprise data governance terms that explicitly prohibit the use of customer data for model training. This is distinct from consumer AI products.
How Data Flows During Analysis
When invoices and agreements are analyzed for compliance:
- Document parsing: PDFs are sent to Google Document AI in the EU for text extraction. Documents are processed and then deleted — they are not stored persistently by Google.
- Compliance analysis: Extracted text is sent to Google Vertex AI (Gemini) in the EU for analysis. Data is processed in memory and deleted within 24 hours. Each analysis is stateless — there is no shared context between organizations or between analysis runs.
- Agreement search: Agreement documents are chunked and stored as text and vector embeddings in Turbopuffer (Frankfurt) for semantic search. Data is isolated in per-organization namespaces.
Data Minimization in AI Processing
- Only the specific documents under analysis are sent to AI services
- No persistent storage of customer data by AI providers
- Temporary staging files are cleaned up immediately after processing, with automated lifecycle rules as a safety net
Data Lifecycle & Privacy
Data Retention
- Customer data remains under your control and can be deleted at any time
- AI-processed documents are retained for a maximum of 24 hours by AI providers
Data Deletion
Upon account cancellation, all customer data is permanently deleted across every system:
- Database: All records (invoices, agreements, alerts, suppliers, settings) are permanently deleted via cascading deletion
- File storage: All stored documents and files are permanently deleted
- Vector search: Agreement embeddings and text chunks are deleted from the search index
- Authentication: User and organization data is removed from our identity provider
- Analytics: Usage data is anonymized
Full deletion is completed within 30 days of a cancellation request. Confirmation of deletion is provided upon request.
Data Export
Invoice data can be exported directly from the application in CSV format. For full data exports across all data types (agreements, alerts, suppliers, etc.), contact us and we will provide your data in standard formats (CSV/JSON).
Data Minimization
We collect only the data necessary to provide our invoice compliance services. Customer data is not used for any secondary purpose without explicit notice and consent.
Third-Party Services & Subprocessors
All direct subprocessors process data within the EU. Each receives only the minimum data necessary to perform their function. Some providers (e.g., Supabase, Google) use their own subprocessors that may, in limited cases, process data outside the EU/EEA under Standard Contractual Clauses (SCCs).
For the complete list including purpose, data handled, and processing locations, see our subprocessor list.
International Data Transfers
All persistent customer data is stored within the EU (Stockholm, Sweden). Some of our infrastructure providers are US-headquartered companies operating EU regions — no customer data is stored in or routed through the US.
For details on our legal transfer mechanisms and safeguards, see our Data Processing Agreement.
For customers with heightened data sovereignty requirements, we can discuss dedicated infrastructure arrangements and evaluate European-only provider alternatives.
Incident Response & Security Reporting
Security Incidents
In the event of a security incident:
- Customer notification within 72 hours of discovery
- Detailed incident information provided including scope and impact
- Immediate containment and mitigation actions
- Security logs preserved for a minimum of 12 months
Vulnerability Reporting
If you discover a security vulnerability, please contact us at security@watchdog.no. We target acknowledgment within 24 hours.
We ask that reporters:
- Do not access or modify other customers' data
- Allow reasonable time for remediation before public disclosure
Customer Responsibilities
To maintain the security of your account, we ask that customers:
- Keep credentials confidential and enable MFA for all users
- Report suspicious activities promptly
- Maintain updated systems and browser versions
- Ensure users have appropriate data access authorization
- Review and manage team member access regularly
Frequently Asked Questions
Is my data used for AI training?
No. Google Vertex AI operates under enterprise data governance terms that explicitly prevent customer data from being used for model training. Documents are processed in memory and deleted within 24 hours.
Can Watchdog employees access my data?
Only authorized support personnel may access customer data for troubleshooting purposes, and only when requested by the customer. There is no routine employee access to customer data.
Where is my data stored?
Persistent data (database and files) is stored in Stockholm, Sweden (eu-north-1). Application servers run in Stockholm and Frankfurt. AI processing occurs in the EU (Belgium). Your data never leaves the European Union.
Some of your providers are US companies. How do you handle international data transfers?
All customer data is stored and processed within the EU. Our US-headquartered providers (Google Cloud, Vercel, Clerk) operate EU regions with EU data processing agreements in place. No customer data is stored in or routed through the US. For customers with heightened sovereignty requirements, we can discuss dedicated infrastructure and European-only alternatives.
What happens when I cancel?
All customer data is permanently deleted across all systems — database, file storage, vector search, and authentication — within 30 days of cancellation. Invoice data can be exported from the application before cancellation, and full data exports across all data types are available on request. We provide confirmation of deletion.
Do you have ISO 27001 certification?
We are currently pursuing ISO 27001 certification. Our infrastructure providers (Google Cloud, Supabase, Vercel, Clerk) maintain ISO 27001 and/or SOC 2 Type II certifications.
How is tenant isolation enforced?
We use four independent layers of isolation: request-level authentication, application-level organization scoping, database-level Row Level Security (RLS) on all tables, and storage-level path isolation. There is no shared data between organizations at any layer.