Your data is safe with us. Here is the proof.
Security and privacy questions come up early in every conversation — and they should. This page answers what procurement, IT, legal, and compliance teams ask us most often. If you need additional documentation, a completed security questionnaire, or a technical review call, contact your Valenta Managing Partner.
ISO 27001
SOC 2 Type II
GDPR
UK GDPR
HIPAA
Australia Privacy Act
PIPEDA
Your data is yours. Full stop.
Valenta accesses only the data required to deliver the agreed solution. Your data is never repurposed, shared with other clients, or used to train any AI or machine learning model — on any engagement type, without exception.
Data minimization by default
We access only what is needed to deliver the solution. No additional data is accessed, retained, or repurposed beyond the defined engagement scope.
No cross-client data exposure
Each client's data, pipelines, and environment components are fully isolated. Nothing is shared across client accounts, regardless of seniority or geography of the delivery team.
Your data is never used to train AI
Not on any engagement type, under any circumstances. All AI inference in our solutions is stateless per session. The model provider cannot learn from or retain your data.
Clean exit at engagement close
All Valenta access is formally revoked and confirmed to you in writing. Development and test environments are deleted once handover is confirmed.
Audit trail throughout
Pipeline execution logs, API call records, and access events are retained throughout the engagement and available for your review on request.
Offshore team, same controls
Our global delivery team operates under identical access controls regardless of location. Geographic location does not change the standard applied.
Where your data lives
Valenta's automation services are deployed through UiPath Automation Cloud, a cloud-native enterprise platform hosted on Microsoft Azure with region-specific hosting options. Valenta offers two deployment models for all engagements. Both apply the same security controls. Your engagement letter confirms which applies to your project.
Model A: Client-Hosted
You control
The solution is deployed within your own cloud environment. You own and control all compute, storage, and network resources. Valenta has access only during the active engagement.
Data residency is determined by your cloud configuration and region settings.
In this model, your configuration remains under your team's direct governance.
Model B: Valenta-Managed
We manage
Valenta provisions and manages the infrastructure required to deliver the solution. You receive full access to the system, its outputs, and all associated assets.
Data residency is configured to meet your geographic and regulatory requirements before deployment begins.
We manage patches, performance monitoring, and operations backups.
In both models
- Data in transit encrypted via HTTPS/TLS 1.2+
- Data at rest encrypted via AES-256
- Network access via approved IPs or VPN only
- Platform aligned with ISO 27001 & SOC 2 Type II
- Isolated, dedicated infrastructure per client
- Data residency configured before deployment
Who has access and how it is controlled
Access to client environments, data assets, and solution components is restricted to the Valenta team members assigned to your specific engagement only.
Engagement-scoped access only
Access is not shared across other clients or teams, regardless of seniority or internal role.
Role-Based Access Control
Every user and service account is granted the minimum permissions required for their specific role. No implicit trust based on network location.
SSO and MFA enforced
Single Sign-On and Multi-Factor Authentication are required across all platform access points.
OAuth2 only
All integrations with your source systems use OAuth2 or App-Based Authentication. Shared passwords and basic authentication are not used.
Credentials never in code
API keys, tokens, and connection strings are stored in secure environment configuration only — never written into pipeline code or definitions.
Security training is mandatory
All team members complete required training before receiving access to any client environment. Completion is tracked and enforced.
How we govern AI in your engagement
Valenta maintains a dedicated AI governance and security policy for all Data & AI engagements. These are the principles that govern every AI engagement.
Your data is never used to train AI
Not to train, fine-tune, or improve any AI model — whether proprietary to Valenta or provided by a third-party platform. No exceptions.
Stateless AI inference
When external AI APIs are called, no data is retained between sessions. The model provider cannot learn from or store your data.
Your data only, as inputs
AI models operate exclusively on data you have provided and control. General internet data or data from other clients is never used as input.
Human oversight built in
Where AI outputs inform significant decisions, human review is built into the workflow. AI outputs are supporting information, not autonomous decisions.
Every AI component documented before build
What model is used, what data it receives, what it produces, and the acceptance criteria — all reviewed and approved by you before development begins.
How we operate and what happens when something goes wrong
All Valenta engagements operate under a documented governance framework covering change management, audit trails, access reviews, and incident response.
Change management
All production deployments follow a documented change request process reviewed with you before implementation. No untested code reaches production.
Prompt incident notification
In the event of a confirmed security incident affecting your environment, you are notified promptly. A written root cause analysis and remediation report follows.
Full audit trail
Pipeline execution logs, API call records, data transformation records, and access events are retained and available for your review on request.
Regulatory breach cooperation
Valenta will cooperate fully with any regulatory breach notification obligations applicable to your organization and jurisdiction.
Access reviewed continuously
Access to your environment is reviewed at each sprint checkpoint and whenever team composition changes.
Environment segregation
Development, UAT, and Production environments are strictly segregated across all engagements. No untested configuration reaches production.
Compliance frameworks we align with
Valenta's infrastructure and platform components are aligned with the following frameworks, as applicable to your industry and jurisdiction. Where your compliance framework requires specific control mapping, evidence documentation, or a completed security questionnaire, your Managing Partner will coordinate this directly with our team.

ISO 27001
Information Security Management. Applies across all engagements and delivery regions.

SOC 2 Type II
Security, Availability, and Confidentiality. Platform components aligned for enterprise-grade trust.


GDPR & UK GDPR
EU and UK data protection. Valenta AI Limited is ICO registered (ZB518204). DPA available for all applicable engagements.

HIPAA
US healthcare engagements involving Protected Health Information. Business Associate Agreement available on request.

Australian Privacy Act 1988
Australian Privacy Principles apply to all Australian-domiciled engagements. NDB scheme compliance included.

Regional data sovereignty
PIPEDA (Canada), PDPA (Malaysia), Colombian Law 1581, and applicable local laws. Region-specific configuration available.
What compliance and security teams ask us
Does Valenta use my data to train AI models?
No. Your data is never used to train, fine-tune, or improve any AI or machine learning model — on any engagement type, without exception. All AI inference is stateless, meaning no data is retained between sessions by the model provider.
Where is my data hosted?
Valenta offers two deployment models. In a client-hosted deployment, your data remains within your own cloud environment. In a Valenta-managed deployment, data is hosted on Microsoft Azure infrastructure with data residency configured to meet your geographic and regulatory requirements before deployment begins.
Is Valenta GDPR compliant?
Yes. Valenta's platform components and practices are aligned with GDPR for EU and UK engagements. For UK clients, Valenta AI Limited is registered with the Information Commissioner's Office (ICO) as a data controller and data processor (registration ZB518204). A Data Processing Agreement is available for all applicable engagements.
Is Valenta HIPAA compliant?
Yes, for US healthcare engagements. Where Valenta is engaged to perform services involving Protected Health Information on behalf of a Covered Entity or Business Associate, services are governed by applicable HIPAA requirements. Valenta shall not be deemed a Business Associate unless expressly agreed in writing.
Who from Valenta has access to my data?
Only the team members assigned to your specific engagement. Access is not shared across other clients or projects, regardless of seniority or location. All access is formally revoked at engagement close and confirmed to you in writing.
What happens to my data at the end of the engagement?
All Valenta access to your environment is formally revoked at engagement close. Development and test environments, temporary data copies, and test API connections are fully deleted once handover is confirmed. A written access revocation confirmation is provided.
Does Valenta have a Data Processing Agreement?
Yes. For UK engagements, a DPA is entered into upon commencement of services in accordance with Article 28 of UK GDPR. For EU engagements under Valenta GmbH, a DPA forms an integral part of every contract. Contact your Valenta Managing Partner to obtain the applicable DPA for your jurisdiction.
Does the risk profile differ between RPA and Data & AI engagements?
Yes, and we address this directly. Data & AI engagements involve broader data access, AI model interactions, and additional governance obligations. Valenta maintains a dedicated AI governance and security policy that covers the AI data lifecycle, model governance, stateless inference, human oversight controls, and end-of-engagement artefact handling. Contact your Managing Partner to request full documentation for a Data & AI engagement.
Have specific security or compliance questions?
Your Valenta Managing Partner can arrange a technical review call, provide additional documentation, or coordinate a completed security questionnaire. We work with your compliance team directly.
