Your data is stored in the European Union, encrypted in transit and at rest, and kept fully separate from every other customer. Prodeen is ISO 27001 certified and works under the GDPR as your data processor. A signed Data Processing Agreement (DPA) is available on request.
Where is your data stored?
All Prodeen customer data is stored and processed in the European Union — specifically in Belgium, on Google Cloud's EU infrastructure. This applies to your formulations, the documents and ingredient specifications you upload, your chat history with Prodeen agents, and the regulatory signals you configure.
Customer data does not leave the European Union during normal operation of the platform. Backups, disaster recovery and replicas all stay in the same EU region. The one exception is when our AI agents call a large-language-model provider to interpret a regulation or answer a question — those requests are routed to the provider's API. Every provider we use is contractually prohibited from using your data to train its models. See "Which AI providers process my data?" below for details.
How is your data kept separate from other customers?
Every record in Prodeen is tagged with the organisation that owns it. The platform's data layer is built so that a customer can only ever query, view, or modify the records that belong to their own organisation — the separation is built into the database itself, not just into the application code on top of it.
This matters because it means a software bug in one part of the platform cannot accidentally surface another customer's data. The boundary between your organisation's data and any other customer's data is enforced at the lowest possible layer.
Is Prodeen GDPR compliant?
Yes. Prodeen operates as your data processor under the GDPR. The data you upload and the records you create in Prodeen remain under your control — we process them only to deliver the platform's services to you.
Anyone whose personal data is held in Prodeen has the following rights, which we are able to action on request:
| Your right | What it means |
|---|---|
| Access | Receive a copy of the personal data we hold about you. |
| Correction | Have inaccurate personal data corrected. |
| Deletion | Have your personal data deleted from our systems. |
| Portability | Receive your data in a structured, machine-readable format. |
| Restriction & objection | Limit how your personal data is processed. |
We respond to verified requests within 30 days. Send a request, or ask for our Data Processing Agreement, by emailing support@prodeen.com.
Which AI providers process my data?
Prodeen uses leading AI providers to read and interpret regulatory documents and to answer your questions. When you use our agents, the information needed for the agent's reasoning — for example the ingredients in the formulation you are asking about — is sent to one of these providers:
- Anthropic (Claude)
- OpenAI (GPT)
- Google Vertex AI
All three are used under enterprise terms that prohibit them from using Prodeen customer data to train their public models. Your data is processed only to generate the response and is not retained beyond what is needed to deliver it. If your organisation prefers that we route your traffic to only one or two of these providers, we can configure that for you.
A complete list of Prodeen sub-processors is included in our Data Processing Agreement. Email support@prodeen.com to request the current version.
Where does Prodeen get its regulatory data from?
Prodeen sources regulatory and scientific information from authoritative public bodies and curated databases — including EFSA (and EFSA OpenFoodTox), RASFF, FDA, Codex Alimentarius, ANVISA, FSANZ, the UK's FSA and other national regulators. We use named, dedicated connectors for these sources.
Where extra context is needed to answer a customer question, our agents can also run targeted searches through vetted commercial search providers. We do not scrape competitor product pages or aggregate non-public commercial data.
Which certifications does Prodeen hold?
1. ISO/IEC 27001 — certified. Prodeen's information security management system is independently audited and certified against the international standard for information security. The certificate is available on request.
2. SOC 2 Type 2 — in progress. An independent SOC 2 audit is underway, covering security, availability and confidentiality. The report will be available to qualified prospects under NDA once issued.
3. GDPR-aligned. Prodeen processes EU personal data as a GDPR data processor. Sub-processors located outside the EU operate under the European Commission's Standard Contractual Clauses.
How we operate, day to day
A few practical commitments behind the certifications above:
- Routine security scanning of our software components, with prompt fixes for high-severity findings.
- No credentials in source code. All passwords and API keys live in a managed secrets service, not in our codebase.
- Audit logs of authentication, agent activity and significant user actions.
- Incident response plan aligned with the GDPR's 72-hour breach notification requirement.
How to contact us about security
For security questions, DPA requests, vulnerability reports, or to submit a GDPR rights request, email support@prodeen.com. We aim to acknowledge security messages within two business days.
This page describes Prodeen's security and privacy practices as of May 2026. We update sub-processor lists, certifications and contact details as the platform evolves; the date above is refreshed with each revision.