Security at a glance

  • EU data residency (Ireland)
  • Encrypted in transit and at rest
  • SOC 2 Type 2 & ISO 27001-certified hosting
  • No CRM credentials required
  • Strict per-organisation data isolation
  • 72-hour breach notification
  • Data deleted after processing
  • DPA available on request

Security & Data Protection

Your data. EU-resident. Under your control.

Every contact record, every Trust Score, every decision is processed and stored in Datuma's EU environment (Ireland), isolated to your organisation. Datuma operates the pipeline. You decide what to act on, and you can export or erase your data at any time.

Where your data lives

The full contact record never leaves Datuma's EU environment. Only a targeted lookup request goes out. It comes back enriched.

Datuma's EU environment

Everything sensitive stays here, isolated to your organisation.

Name + organisation only

Encrypted in transit

Enriched data returns

Secure Data Service

Not sold or shared with any third party (DPA 8.1) · No data combined with other datasets (DPA 2.1.4) · No model training on your data (DPA 2.1.4) · 72-hour breach notification (DPA 5.5.1) · 60-day deletion guarantee post-contract (DPA 5.7) · Right to independent audit (DPA 5.8)

If Datuma has seen this contact in the last 90 days, no data leaves Datuma's environment at all. The cached result is reused. £0.00.

No new tools to install

Upload via the Datuma portal. Receive scored results by email. No additional software, no IT procurement, no configuration project.

No CRM credentials needed

We never access your CRM directly. You export a spreadsheet, we enrich it, you import what you choose.

No database access

Your CRM stays untouched. Datuma works alongside it, not inside it.

No integration project

No APIs for your team to configure. We handle all technical setup during implementation. Built in a day, operational immediately.

Five layers of protection. All at £0.00.

Before you pay to enrich anything, these five layers have already caught duplicates, reused cached results, and separated protected accounts. You only pay for fresh results.

Most enrichment tools charge credits for every lookup, even duplicates, even contacts you've already enriched, even your own customers. All five layers run before you pay to enrich anything, and Datuma is priced in pounds, not credits.

And when you do need fresh data, you only pay for fresh results, typically around £0.10 per enriched contact. Not a subscription. Not a platform fee.

How enrichment data is sourced

Enrichment data is sourced through a verified provider operating under a formal Data Processing Addendum. Your data is not merged with the provider's database, not used to train their models, and not sold or shared.

The provider holds lookup identifiers (name, email, LinkedIn URL) solely to deliver the service for the duration of the agreement. On termination, all data is deleted within 60 days. The provider's security programme is aligned with ISO 27001 and SOC 2 control frameworks, with encryption in transit and at rest.

Datuma aggregates and scores the results. Your team sees the confidence level for every data point and decides what to act on.

Where your data lives

Your data is processed and stored in Datuma's managed PostgreSQL environment, hosted in the EU (Ireland) on SOC 2 Type 2-compliant, ISO 27001-certified infrastructure, and encrypted in transit (TLS) and at rest (AES-256). Every record (enrichment results, contact identity records, Trust Scores, Verified Readiness levels, duplicate-detection memory, batch history, and protection lists) is tagged to your organisation and isolated from every other customer by database row-level security and application access controls.

The scoring logic itself (Trust Scores, Verified Readiness levels, Role or Company Change detection, duplicate matching) runs inside Datuma's EU environment as Edge Functions. Your contact data is scored in place; it is never sent to a third party for scoring.

During processing, minimal contact identifiers (name, email, LinkedIn URL) are sent to our enrichment API provider for lookup under a formal Data Processing Addendum. The provider holds these identifiers solely to deliver the service. They are not merged with the provider's own database, not used to train models, and not sold or shared. The provider returns professional and organisational data, which is written directly to your isolated records in Datuma's EU environment. Enriched results are not stored anywhere else.

If you terminate the service, your records remain yours to export, and are deleted on request. The enrichment API provider deletes all data associated with your account within 60 days of termination. We don't retain your contact data after you ask us to remove it.

Infrastructure partners

Database and storage

Supabase (managed PostgreSQL, EU-hosted in Ireland; SOC 2 Type 2-compliant and ISO 27001-certified infrastructure; per-organisation isolation enforced by row-level security; encrypted in transit via TLS and at rest with AES-256).

Enrichment API

Verified provider operating under DPA, security programme aligned with ISO 27001 and SOC 2, encryption in transit and at rest.

Email verification

EU-domiciled email-verification provider. Business email deliverability validation — confirms whether an address is reachable before outreach. Per-address lookups only; results stored in your isolated records in Datuma's EU environment.

Notification delivery

Email (Resend). Batch summary reports sent to nominated stakeholders.

Each partner operates under appropriate data processing agreements. A full sub-processor list is available as part of the security review pack.

Data retention

Enrichment cache: 90 days

Results from previous lookups are reused free within this window, then refreshed on the next batch.

Contact identity records: duration of service

Retained in your isolated records in Datuma's EU environment. The persistent memory that enables cross-batch duplicate detection and Role or Company Change detection.

Batch history and audit trail: duration of service

Retained in your isolated records in Datuma's EU environment. A complete record of every batch processed, every decision made, every duplicate flagged.

Raw file uploads: not stored long-term

Processed and not retained in the pipeline. Your original file remains in your local systems.

Enrichment API provider: agreement term + 60 days

Retains the minimal identifiers sent for lookup (name, email, LinkedIn URL) solely for the purpose of delivering the service. The provider cannot merge this data with their own database, use it for model training, or sell or share it. On termination, all data is deleted or returned within 60 days. Certified deletion available on request. The full enriched results returned by the provider are stored only in your isolated records in Datuma's EU environment. The provider holds the question, not the answer.

Email-verification provider: agreement term

Retains the email addresses sent for deliverability validation solely to perform the check. Cannot merge them with its own data, use them for model training, or sell or share them. On termination, all data is deleted or returned under the DPA. Validation results are stored only in your isolated records in Datuma's EU environment.

Post-termination

Your records and everything in them remain yours to export, and are deleted on request.

Your controls

Breach notification

In the event of a data breach affecting your contacts, we notify you within 72 hours with full details: what happened, what data was affected, and what steps are being taken. Our enrichment API provider operates under the same 72-hour notification commitment to us.

Audit rights

You have the right to audit our data processing. We provide documentation on request, answer technical questions in detail, and facilitate independent audits with reasonable notice. Our enrichment API provider offers equivalent audit rights under their DPA.

International data transfers

For international data transfers, our enrichment API provider operates under EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) with the Irish Data Protection Commission as the lead supervisory authority. A UK International Data Transfer Addendum supplements the arrangement for UK GDPR purposes. These mechanisms ensure that when contact data is sent for enrichment, the transfer meets the legal requirements for cross-border data processing.

Security review pack for your IT team

We provide a security review pack for your IT team's vendor approval process. It covers: data flow diagram showing exactly where your data goes, sub-processor list with security standards for each, data retention schedule with specific timeframes, breach notification process and SLA, audit rights summary, and DPA overview. Your IT team can complete their vendor review before you commit.

Request the security pack Start free

We reply within 4 hours, no commitment