AI Agents
Pricing
Integrations
Customers
About
Language

Sign up

Menu

Menu

Chat
Search
Inbox
Pricing
Customers
About us

Data and Security

At KARLA, security isn't just a feature—it's the foundation of our platform. We operate on a strict "Privacy by Design" principle, ensuring that enterprise-grade protection is built into every layer of our architecture.

Infrastructure and Data Storage

We are committed to transparency and process only the data strictly necessary to deliver our service, ensuring your information remains safe, private, and under your control.

To ensure the highest possible protection and compliance with the General Data Protection Regulation (GDPR), we have chosen an infrastructure focused on security and sovereignty.

  • Location: All data is stored on servers in Google’s data centers in Frankfurt, Germany.
  • No AI Training: We and our Partners, do not use the data generated through the use of our solutions (e.g., your customers' questions) to retrain our AI models. Your data remains yours.
  • Backups & Disaster Recovery: We perform automatic daily backups of our databases to prevent data loss. Our infrastructure is designed with redundancy to ensure high availability, and we have a Disaster Recovery Plan in place to restore services quickly in case of major incidents.

Flexible Logging and Retention

We store necessary data, such as conversation logs, solely for statistics, quality control, and billing purposes. We offer full flexibility regarding how long this data is retained.

By default, all conversation logs are automatically deleted after 1 year, but you can choose a shorter retention period that aligns with your internal policies:

  • 1 day
  • 3 days
  • 14 days
  • 30 days
  • 90 days
  • 6 months
  • 1 year (Default)

When the selected period expires, the data is automatically deleted. This ensures we continue to comply with our Data Processing Agreement (DPA) and respect the data subjects' right to be deleted ("Right to be forgotten").

Security Measures & Protocols

We employ extensive security measures to protect personal data against unauthorized access and loss.

  • Encryption: Data is encrypted both during transfer (in transit) using TLS 1.2+ and during storage (at rest) using industry-standard AES encryption.
  • Access Control: Strict management of access rights based on the principle of least privilege.
  • Incident Management & Notification: We have established rigorous incident response procedures. In the unlikely event of a data breach, we are committed to notifying the data controller without undue delay and strictly within the 72-hour timeframe mandated by GDPR.
  • Staff Confidentiality & Training: All KARLA employees are subject to strict confidentiality agreements. Furthermore, our team undergoes regular security awareness training to ensure they are up-to-date on the latest phishing tactics and data protection best practices.
  • Sub-processors: We impose the same high standards for data security and data protection on our sub-processors as we are subject to ourselves. All sub-processors are subject to contractual obligations in accordance with GDPR.

Compliance and Third-Country Transfers

We are transparent about our data flows and compliance setup.

Transfers to Third Countries

Although our primary servers are located in the EU, we use vendors such as Google and Microsoft, which are US-based companies. Therefore, we have secured the legal basis for any third-country transfers:

  1. Microsoft and Google: Transfers take place in accordance with the EU-U.S. Data Privacy Framework.
  2. Redis: We have entered into an agreement based on the European Commission's Standard Contractual Clauses (SCC). This is combined with a completed Transfer Impact Assessment (TIA) to ensure a level of protection essentially equivalent to that within the EU/EEA.
ISAE 3000 Report

We regularly undergo independent audits of our security. You can download our latest assurance report here:

Download Karla ApS ISAE 3000 GDPR Report for 2025

Protection Against Sensitive Information

While we cannot guarantee that an end-user will never input sensitive information, we have built a range of tools to minimize the risk:

  • Interface Disclaimer: A fixed text in the chat interface (default: "Do not provide personal information") reminding the user of safe behavior. This can be customized to match your "Tone of Voice."
  • Start Message: Can be configured to proactively request that users do not submit personal data.
  • Data Masking: We offer a masking functionality that automatically identifies and blurs potential sensitive data (social security numbers, names, etc.) in chat logs and responses if the user inputs them anyway.

As the data controller, you also have the ability to manually delete specific conversations or export data upon request from a data subject.

Technical Info: Cookies and IP Addresses

To ensure transparency regarding tracking and technical storage:

IP Addresses

We log IP addresses in server logs for 7 days for security, troubleshooting, and protection against abuse (e.g., DDoS attacks). The legal basis for processing is "legitimate interest." After 7 days, these logs are automatically deleted.

Cookies and Local Storage

Our solutions sets no cookies.

Instead, we use Local Storage in the user's browser. This is a technical necessity to:

  1. Remember conversation history if the user navigates around the page or refreshes the browser.
  2. Prevent welcome messages from "popping up" unnecessarily multiple times.

Since this storage is strictly technically necessary for the function to work, KARLA does not require separate cookie consent and should not be blocked by your cookie banner (cf. regulations on technical/necessary cookies).

Have Questions?

If you have additional questions regarding our security, compliance, or Data Processing Agreement, you are always welcome to contact our DPO or support team at compliance@getkarla.ai.

About
Data & Security
Implementation
Partnership
Contact us
support@getkarla.ai

© 2026 KARLA APS | NIELS HEMMINGSENS GADE 20B, 1153 COPENHAGEN K, DENMARK | CVR: 43786911