Privacy policy
Effective 20 April 2026
SodaSoft processes personal data to deliver AFEND, the ISMS readiness platform. This policy explains what we collect, why we process it, and your rights under the GDPR.
1. Controller
SodaSoft is the data controller for marketing and account data. For customer workspace content, SodaSoft acts as a data processor on behalf of the customer, with the customer as controller.
You can reach our privacy contact at ratomir@ratomir.com.
2. Data we collect
Account data: your work email, magic-link authentication events, last sign-in timestamp.
Workspace data: the ISMS content you place in AFEND (scope, risks, controls, policies, evidence files, audit findings, management review minutes, member roles).
Billing data: when you subscribe, Stripe collects and processes your payment details. We store only your Stripe customer and subscription identifiers and receive Stripe webhook events; card numbers never reach our systems.
Operational data: minimal server logs (timestamp, path, status code, anonymized IP) used to protect the service and diagnose issues.
3. Why we process it (legal bases)
Contractual necessity: to provision and operate the workspace you asked us to create (Art. 6(1)(b) GDPR).
Legitimate interests: securing the platform, preventing abuse, computing readiness metrics on your own data (Art. 6(1)(f) GDPR).
Legal obligations: responding to lawful requests and keeping minimal audit trails of sensitive admin actions (Art. 6(1)(c) GDPR).
Consent: marketing email is sent only with your prior opt-in (Art. 6(1)(a) GDPR). Transactional email (sign-in links, billing notices) is part of the contract and does not rely on consent.
4. Where data is stored
Primary storage is in the European Union (Frankfurt region). We use Supabase (Postgres + Storage + Auth) and Vercel (application hosting) as sub-processors. Payment processing uses Stripe. A current list of sub-processors is available on request.
5. How long we keep it
Account and workspace data: for the life of your account plus a 30-day grace period after termination, unless you ask for immediate deletion.
Admin action logs: append-only, retained for at least 12 months for security and auditability. They do not contain your workspace content.
Operational logs: typically 30 days, then discarded or aggregated.
6. Your rights
Under GDPR Articles 15 to 22 you can request access, rectification, erasure, restriction of processing and data portability, and you can object to processing based on our legitimate interests. You can export your workspace data as a readiness pack directly from the app at any time.
To exercise a right, email ratomir@ratomir.com. We respond within 30 days. You may also lodge a complaint with the Serbian Commissioner for Information of Public Importance and Personal Data Protection or your local supervisory authority in the EU.
7. Security
We apply layered controls consistent with the ISO/IEC 27001 framework we help customers prepare for: encryption in transit (TLS); encryption at rest (Supabase-managed); Postgres row-level security on every tenant-scoped table, so database queries are restricted to rows belonging to the caller's workspace; workspace-scoped object storage; magic-link authentication (we never store passwords); and append-only audit logging of sensitive admin actions.
8. Cookies and tracking
AFEND uses strictly-necessary cookies for authentication (Supabase session cookies) and the active-workspace preference. We do not use third-party advertising or behavioral tracking. We do not embed analytics SDKs without consent.
9. Children
AFEND is a B2B product and not directed at children under 16. We do not knowingly collect personal data from children.
10. Changes
Material changes to this policy will be announced at least 30 days before they take effect. Non-material updates (clarifications, sub-processor additions) will be reflected here with a new effective date.