Security & Data Sovereignty

Your data. Your environment. Your decision.

Every contact record, every Trust Score, every decision lives in your dedicated database. Datuma operates the pipeline. Your data stays in your environment.

No new tools to install

Upload via Slack. Receive results via email. Both tools your team already uses. No additional software, no IT procurement, no configuration project.

No CRM credentials needed

We never access your CRM directly. You export a CSV, we enrich it, you import what you choose.

No database access

Your CRM stays untouched. Datuma works alongside it, not inside it.

No integration project

No APIs for your team to configure. We handle all technical setup during implementation. No middleware to maintain. Built in a day, operational immediately.

Five layers of protection at £0.00

Every layer runs against your dedicated Supabase database. Duplicate detection memory, contact identity records, cached enrichment results, and protection lists all live in your instance. Datuma operates the pipeline — your data stays in your environment.

Account Protection

Contacts at protected organisations separated before enrichment. Zero credits.

Duplicate Detection

Within-batch and cross-batch. Your team reviews every match.

Contact Identity

Persistent memory across batches. Knows who has been seen before.

New Job Detection

Catches when contacts change organisations. Previous details preserved.

Trust Score (0–100)

Transparent scoring. Your team sees exactly why each contact scored what it did.

How enrichment data is sourced

Enrichment data is sourced through a verified provider operating under a formal Data Processing Addendum. Your data is not merged with the provider's database, not used to train their models, and not sold or shared.

The provider holds lookup identifiers (name, email, LinkedIn URL) solely to deliver the service for the duration of the agreement. On termination, all data is deleted within 60 days. The provider's security programme is aligned with ISO 27001 and SOC 2 control frameworks, with encryption in transit and at rest.

Datuma aggregates and scores the results — your team sees the confidence level for every data point and decides what to act on.

Your data, your database

During implementation, we provision a dedicated Supabase PostgreSQL database for your organisation (EU, Frankfurt). This is your instance. All enrichment results, contact identity records, Trust Scores, AI Automation Levels, duplicate detection memory, batch history, and protection lists live here.

The scoring logic itself — Trust Scores, AI Automation Levels, New Job Detection, duplicate matching — runs inside your Supabase environment as Edge Functions. Your contact data doesn't leave your infrastructure for scoring.

During processing, minimal contact identifiers (name, email, LinkedIn URL) are sent to our enrichment API provider for lookup under a formal Data Processing Addendum. The provider holds these identifiers solely to deliver the service — they are not merged with the provider's own database, not used to train models, and not sold or shared. The provider returns professional and organisational data, which is written directly to your Supabase instance. No enriched results are stored outside your database.

Workflow orchestration runs on n8n Cloud. Contact data passes through the automation engine during processing but is not permanently stored there — all results are written back to your Supabase instance.

If you terminate the service, your Supabase database and everything in it remains yours. The enrichment API provider deletes all data associated with your account within 60 days of termination. We don't maintain a long-term copy of your contact data outside your environment.

Infrastructure partners

Database and storage

Supabase (PostgreSQL, your dedicated instance).

Workflow automation

n8n Cloud.

Enrichment API

Verified provider operating under DPA, security programme aligned with ISO 27001 and SOC 2, encryption in transit and at rest.

Notification delivery

Slack (your existing workspace).

Each partner operates under appropriate data processing agreements. A full sub-processor list is available as part of the security review pack.

Data retention

Enrichment cache — 90 days

Results from previous lookups are reused free within this window, then refreshed on the next batch.

Contact identity records — duration of service

Retained in your Supabase instance. The persistent memory that enables cross-batch duplicate detection and New Job Detection.

Batch history and audit trail — duration of service

Retained in your Supabase instance. A complete record of every batch processed, every decision made, every duplicate flagged.

Raw CSV uploads — not stored long-term

Processed and not stored in the pipeline. Your original file remains in your Slack channel history (governed by your Slack retention policies).

Enrichment API provider — agreement term + 60 days

Retains the minimal identifiers sent for lookup (name, email, LinkedIn URL) solely for the purpose of delivering the service. The provider cannot merge this data with their own database, use it for model training, or sell or share it. On termination, all data is deleted or returned within 60 days. Certified deletion available on request. The full enriched results returned by the provider are stored only in your Supabase instance — the provider holds the question, not the answer.

Post-termination

Your Supabase instance and everything in it remains yours.

Your controls

Breach notification

In the event of a data breach affecting your contacts, we notify you within 72 hours with full details: what happened, what data was affected, and what steps are being taken. Our enrichment API provider operates under the same 72-hour notification commitment to us.

Audit rights

You have the right to audit our data processing. We provide documentation on request, answer technical questions in detail, and facilitate independent audits with reasonable notice. Our enrichment API provider offers equivalent audit rights under their DPA.

International data transfers

For international data transfers, our enrichment API provider operates under EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) with the Irish Data Protection Commission as the lead supervisory authority. A UK International Data Transfer Addendum supplements the arrangement for UK GDPR purposes. These mechanisms ensure that when contact data is sent for enrichment, the transfer meets the legal requirements for cross-border data processing.

Security review pack for your IT team

We provide a security review pack for your IT team's vendor approval process. It covers: data flow diagram showing exactly where your data goes, sub-processor list with security standards for each, data retention schedule with specific timeframes, breach notification process and SLA, audit rights summary, and DPA overview. Your IT team can complete their vendor review before you commit.

10% of Datuma's setup and annual fees funds local charities: counsellors, playworkers, and nurses. Not a tax deduction. A direct transfer from our margin.