Security Policy

Last updated: 8th of December, 2025

At Watchdog, security is our highest priority. We understand that you trust us with your sensitive financial and contract data, and we have built our platform from the ground up to protect that information. This document outlines our comprehensive approach to security, data privacy, and compliance.

Security Overview

Our security approach is built on four fundamental principles:

European Data Sovereignty: All data is stored and processed exclusively within the European Union (Stockholm, Sweden and Finland).
GDPR Compliance: Fully compliant with the world's strictest data privacy regulation, ensuring your rights are protected.
Zero AI Training: Your data is never used to train AI models. Documents are processed and deleted within 24 hours.
Enterprise-Grade Security: Bank-level encryption (AES-256 at rest, TLS 1.3 in transit) with multi-tenant isolation enforced at the database level.

Compliance & Certifications

Watchdog is fully compliant with the General Data Protection Regulation (GDPR). We ensure:

Lawful basis for all processing.
Strict data minimization.
Full support for data subject rights (access, rectification, erasure, portability).

To exercise your GDPR rights, please contact us at hello@watchdog.no.

Industry Standards

Our infrastructure providers (Google Cloud, AWS/Supabase, Vercel) are certified under ISO 27001 and SOC 2 Type II. Watchdog is currently in pursuit of its ISO 27001 certificate.

Infrastructure & Data Residency

We maintain a strict data residency policy to ensure compliance with European privacy regulations.

Primary Data Storage: All persistent data (databases and file storage) is located in Stockholm, Sweden (AWS eu-north-1 region).
Application Hosting: Our application services run in Finland (Google Cloud Platform, europe-north1).
Data Jurisdiction: Your data never leaves the European Union.

Security Controls

Encryption

At Rest: All data in our databases and file storage is encrypted using AES-256 standard encryption.
In Transit: All data transmission occurs over encrypted channels using TLS 1.3 (or higher).
Key Management: We use strict key management policies with regular rotation. Encryption keys are logically separated from customer data and managed by our infrastructure providers using hardware security modules to safeguard critical security keys.

Access Control

Row-Level Security (RLS): We enforce strict RLS policies at the database level. This guarantees that each customer's data is cryptographically isolated and accessible only to authorized users within that organization.
Authentication: We use Clerk for enterprise-grade authentication, supporting Multi-Factor Authentication (MFA) and secure session management.
Internal Access Controls:
- Watchdog personnel access to production systems requires unique user IDs, secure connections, and multi-factor authentication.
- Access follows the principle of least privilege - employees only have access to systems necessary for their role.
- Watchdog employees do not have access to customer data except when required to provide support or comply with legal obligations. All internal access is logged and monitored.
- Access privileges are reviewed at least annually, and access is promptly removed for all separated personnel.
Personnel Security: All Watchdog employees and contractors sign confidentiality agreements and complete security awareness training during onboarding.

Application Security

Security Monitoring & Testing: We continuously monitor and test our security controls to ensure they operate as intended. We use Sprinto software to automate control monitoring, including employee activity tracking, infrastructure monitoring, and development procedures. Leadership is notified immediately when any control is at risk, enabling prompt action.
Penetration Testing: We engage independent third-party security experts to conduct penetration tests of our services at least annually. This ensures our security measures remain effective against evolving threats.
Vulnerability Management: We maintain a rigorous vulnerability management program with defined remediation timelines based on severity:
- Critical vulnerabilities: Remediated within 48 hours
- High-severity vulnerabilities: Remediated within 7 days
- Medium and low-severity vulnerabilities: Remediated within 90 days
Threat Detection: Our infrastructure leverages industry-standard threat detection tools with daily signature updates to monitor and alert for suspicious activities, malware, and malicious code.
Secure Development: Our engineering team follows secure coding practices, including mandatory code reviews and automated security scanning.
DDoS Protection: Our infrastructure includes automated protection against Distributed Denial of Service (DDoS) attacks.

Backup & Disaster Recovery

Automated Backups: All database-stored customer data is backed up daily using Supabase's enterprise backup tooling.
Restore Testing: Backup and restore capabilities are tested on an annual basis to ensure data can be recovered in the event of an incident.
Backup Security: All backups are encrypted and stored securely within the EU (Stockholm, Sweden).

Data Lifecycle & Privacy

AI-Powered Document Processing

Watchdog uses advanced AI to analyze invoices and contracts, but we strictly limit how this data is used:

Zero Training Policy: Your data is never used to train our AI models or Google's base models.
Ephemeral Processing: Documents sent to our AI processor (Google Vertex AI) are processed in memory and deleted 24 hours after analysis. They are only retained for caching purposes and efficient compute.
Data Isolation: AI analysis is performed in a stateless environment, ensuring no data leakage between customers.

Data Retention

We maintain clear data retention policies to ensure compliance with privacy regulations while providing you with full control over your data.

Customer Data: All invoice data, contracts, documents, and supplier records are retained under your control. You can delete data at any time through the application.
Audit Logs: System event logs and user activity logs are retained for a minimum of 12 months for security and compliance purposes.
AI Processing: Documents sent to Google Vertex AI for processing are retained for a maximum of 24 hours for caching purposes, then permanently deleted.

Data Deletion & Export

Account Deletion: Upon request to cancel your subscription, all your data will be permanently deleted within 30 days.
Data Export: Before deletion, you can export all your data in standard formats (CSV, JSON) through our application.
Verification: We will confirm completion of data deletion upon request.

Data Minimization

We follow strict data minimization principles, collecting only the data necessary to provide our invoice analytics services. We do not collect, retain, or process data for any purpose beyond delivering the services you've contracted.

Third-Party Services & Subprocessors

We partner with industry-leading infrastructure providers to deliver our service. All subprocessors operate within the EU and maintain strict security certifications. For each sub-processor that we use, we apply the principles of least privilege. This means that each third-party system shall only have access to the minimum data required to fulfill its purpose.

Company	Description	Location
Supabase	Database & Storage	Sweden
Google	Hosting	Finland
Google Vertex	Artificial Intelligence	EU Region
Vercel	Hosting	EU Edge Locations
Clerk	User authentication	EU Region
Inngest	Backend queuing system	EU Region
Sentry	Error monitoring	EU Region
Pydantic Logfire	Service monitoring	EU Region
Resend	Email Automation & Delivery	EU Region

Incident Response & Security Reporting

Security Incident Response

If Watchdog becomes aware of a security incident involving the destruction, loss, alteration, unauthorized disclosure of, or access to customer data, we will:

Notify affected customers within 72 hours of becoming aware of the incident.
Provide detailed information including the nature and consequences of the incident, measures taken to mitigate it, and investigation status.
Take immediate action to contain, investigate, and mitigate the incident.
Preserve security logs for a minimum of 12 months to support incident investigation and forensics.

Vulnerability Reporting

If you believe you have found a security vulnerability in Watchdog, please report it to us immediately.

Email: security@watchdog.no
Response Time: We aim to acknowledge all security reports within 24 hours.

We appreciate the contribution of the security research community and ask that you:

Do not access or modify data that does not belong to you.
Give us reasonable time to correct the issue before making it public.

Customer Audit Rights

We believe in transparency and are committed to demonstrating our security practices to our customers.

Upon request and at no additional cost, we will provide enterprise customers with:

ISO 27001 Certificate: Once obtained, we will share our certification documentation.
Penetration Test Summaries: Summary results of our most recently completed third-party penetration tests.
Security Documentation: Data flow diagrams and relevant security architecture documentation.
Compliance Reports: Evidence of our ongoing compliance with security standards and regulations.

To request audit documentation, please contact us at security@watchdog.no. Third-party auditors may be required to execute a confidentiality agreement prior to receiving detailed security documentation.

Customer Responsibilities

Security is a shared responsibility. To maintain the security of your Watchdog account and data, customers are responsible for:

Credential Management: Keep your login credentials confidential and do not share them with unauthorized parties. Enable Multi-Factor Authentication (MFA) where available.
Suspicious Activity Reporting: Promptly report any suspicious activities or potential security concerns to security@watchdog.no.
System Security: Keep your IT systems, browsers, and devices up-to-date with the latest security patches.
Data Authorization: Ensure you have proper authorization to upload and process any data through the Watchdog platform.
Access Management: Regularly review user access within your organization and promptly remove access for separated personnel.

Frequently Asked Questions

Is my data used to train AI models?

No. Your data is never used to train our AI models or Google's base models. Google Vertex AI is configured with strict privacy controls that prevent customer data from being used for model training. Documents are processed in memory and deleted within 24 hours.

Can Watchdog employees access my data?

Access to customer data is restricted to authorized support personnel only when required for troubleshooting specific issues. All internal access is logged and monitored. Watchdog employees do not have routine access to customer data.

Where exactly is my data stored?

All persistent data (databases and file storage) is stored in Stockholm, Sweden, using AWS's eu-north-1 region via Supabase. Application services run in Finland using Google Cloud Platform's europe-north1 region. Your data never leaves the European Union.

What happens if I cancel my subscription?

Upon request to cancel your subscription, you can export all your data in standard formats (CSV, JSON). All your data will then be permanently deleted from our systems within 30 days. We will provide confirmation once deletion is complete.

Is Watchdog ISO 27001 certified?

Watchdog is currently in pursuit of its ISO 27001 certification. In the meantime, we rely on industry-leading infrastructure providers (Google Cloud, AWS/Supabase, Vercel) which hold ISO 27001 and SOC 2 Type II certifications. Our security practices align with ISO 27001 standards.

Appendix

Description of the Technical and Organisational Security Measures implemented by the Data Importer

The following includes the information required by Annex II of the EU SCCs and Appendix 2 of the UK SCCs.

Technical and Organizational Security Measure	Details
Measures of pseudonymisation and encryption of personal data	Customer data is stored in a multi-tenant application with logical separation between Customer instances. Sensitive authentication information is encrypted on logical database level, and the database is encrypted at rest.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident	All database-stored customer data is backed up daily using Supabase offered tooling which also provides restoring capabilities. Backups and restore capabilities are tested on an annual cadence.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing	Watchdog regularly monitors and tests controls to ensure they are operating as intended and updated as needed. Watchdog uses the software service Sprinto to automate several of these controls, including employee activity and adherence to Watchdog policies and procedures, infrastructure monitoring, and development procedures. Watchdog leadership monitors these controls regularly, and is notified immediately when a control is at risk so that prompt action can be taken. Watchdog is currently pursuing its ISO 27001 certification.
Measures for the protection of data during transmission	All data outside the Watchdog's private network is encrypted with HTTPS/SSL.
Measures for the protection of data during storage	Database is encrypted at rest and managed by Supabase.
Measures for ensuring physical security of locations at which personal data are processed	Watchdog does not operate physical servers or other infrastructure. For employer-provided computers: All Watchdog employees and contractors are required to enable a screen lock when the work computer is left unattended.
Measures for ensuring events logging	Watchdog has detailed event logging with automated alerts in case no events are tracked.
Measures for certification/assurance of processes and products	Watchdog is currently in pursuit of its ISO 27001 certification.
Measures for ensuring data minimisation	Data is collected to serve commercial or business purposes, such as providing, customizing and improving Services, marketing and selling the Services, corresponding with customers about Services, and meeting legal requirements. Watchdog will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated or incompatible purposes without providing customer notice. More information about the data Watchdog collects and opting-out can be found in earlier sections of this DPA.
Measures for ensuring data quality	All data collection is instrumented by the Watchdog's software engineering team and all data collection changes are peer reviewed. Data is tested during development and verified after deployment.
Measures for ensuring limited data retention	Watchdog retains data as long as the Watchdog has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it is securely disposed of or archived. Watchdog, in consultation with legal counsel, may determine retention periods for data. Retention periods shall be documented in the Watchdog Data Management Policy, which can be provided upon request.
Measures for allowing data portability and ensuring erasure	Customer can ask for a copy of its Personal Data in a machine-readable format. Customer can also request that Watchdog transmit the data to another controller where technically feasible. The Service allows ability to export relevant application data in a standard CSV format. In the case that a customer wishes to exercise portability or erasure rights, the Watchdog has measures of retrieving securely stored data and has a process in place to ensure access is restricted only to those who have a business justification for accessing data during the copy, transfer, or erasure.
Technical and organizational measures of sub-processors	Watchdog collects and reviews the most security assessments from sub-processors on an annual basis.