Security & GDPR

Trust isn't a feature. It's the foundation.

Amirra is built from the ground up to meet the security and privacy bar of the most demanding HR teams in Europe — encrypted, audited, and GDPR-native by default.

ISO 27001 · SOC 2 Type II · GDPR · EU data residency

Principles

Six commitments we hold ourselves to.

01
Encrypted in transit & at rest

TLS 1.3 in transit. AES-256 at rest. Per-tenant key isolation. Secrets managed via AWS KMS with strict rotation policies.

02
Least-privilege access

Engineers only access production through audited, time-bound, MFA-protected sessions. Every action is logged immutably.

03
EU data residency

Customer data is stored in Frankfurt and Dublin. Backups stay in-region. No data ever leaves the EU without your explicit consent.

04
Independently audited

Annual SOC 2 Type II and ISO 27001 audits by qualified third parties. Penetration tested quarterly by Cure53 and similar firms.

05
GDPR-native

DPA on every plan. Data subject requests fulfilled in-app. EU Standard Contractual Clauses where required, with full sub-processor transparency.

06
Resilient by design

99.95% uptime SLA. Multi-AZ failover. Automated backups every 6 hours, retained for 30 days. Documented disaster recovery, tested twice yearly.

GDPR

Six data-subject rights, fully wired into the product.

Amirra is a GDPR data processor. Your organisation remains the controller — we give you the controls to honour every request, in-app, without filing a ticket.

01
Right of access

Employees can request all data Amirra holds about them, in machine-readable format, within 30 days.

02
Right to rectification

Edit or correct data directly in-app. Admins can update bulk records via the data console.

03
Right to erasure

One-click data deletion for offboarded employees. Cryptographic shredding within 90 days.

04
Right to portability

Export structured profile, post, and analytics data in JSON or CSV.

05
Right to object

Granular consent toggles for non-essential processing (analytics, communications).

06
Right to restrict

Pause processing on a profile during disputes without losing the underlying record.

Sub-processors

Every vendor we use, on the record.

We notify customers at least 30 days before adding any new sub-processor. You can object in writing.

| Vendor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud hosting & storage | EU (Frankfurt, Dublin) |
| Cloudflare | CDN & DDoS protection | EU edge |
| Postmark | Transactional email | EU |
| Twilio (SendGrid) | Notification email | EU |
| Sentry | Error monitoring | EU |
| Datadog | Infrastructure observability | EU |
| Stripe | Billing & invoicing | Ireland (EU) |
| Intercom | Customer support (opt-in) | EU |

Talk to security

Got a deeper security review to run? We've done it before.

Reach our security team directly. Most procurement questionnaires come back the same week.

Contact security team: security@amirra.io