Security, Hosting, & GDPR

Last Updated: July 02, 2025

At Amirra, we prioritize the security, privacy, and reliability of your data. Our platform is designed to provide a safe and dependable environment for all users.

Hosting

Cloud Infrastructure: Amirra is hosted on Microsoft Azure, a leading cloud service provider known for its robust security, compliance, and reliability standards.

Data Residency: All data is stored within Microsoft Azure data centers located in the United States. We recognize some clients require in-region data storage for compliance; regional hosting in Europe, Canada, and APAC is part of our 2025 roadmap. Please contact us to discuss your specific data residency needs.

Data Security

Encryption: Data is encrypted both in transit (using TLS 1.2 or higher) and at rest (using AES-256 encryption standards), ensuring information is secure both as it moves between users and our servers and while it is stored.

Access Control: Access to customer data is strictly limited to authorised personnel on an as-needed basis, following role-based access controls and least privilege principles.

Authentication: We require strong user authentication. Clients can integrate with Single Sign-On (SSO) providers such as Microsoft Azure AD, Okta, and Google Workspace for enhanced account security and streamlined access management.

Compliance

GDPR Compliance: Amirra is committed to General Data Protection Regulation (GDPR) compliance. We process and store personal data in line with applicable data protection laws and maintain appropriate Data Processing Agreements (DPAs) with our customers.

Data Privacy: We do not share customer data with third parties except as required to provide the Amirra service or comply with legal obligations.

Certifications: Amirra leverages Microsoft Azure’s ISO 27001, SOC 2, and GDPR compliance frameworks. Our internal SOC 2 Type II certification process is underway in 2025 to further demonstrate our security posture to clients.

Platform Reliability

Uptime: Amirra maintains a target uptime of 99.9%, leveraging Microsoft Azure’s global infrastructure for performance, scalability, and redundancy.

Backups & Recovery: Regular encrypted backups are performed with a standard Recovery Point Objective (RPO) of 24 hours and a Recovery Time Objective (RTO) of 4 hours to ensure data can be restored efficiently in the event of accidental deletion or system failure.

Incident Response

Breach Notification: Amirra has a documented incident response plan. In the event of a data breach affecting customer data, we will notify impacted clients without undue delay, in line with GDPR and applicable regulatory requirements.

Testing & Vulnerability Management: We conduct regular vulnerability assessments, code reviews, and penetration tests with external security partners to identify and remediate potential risks proactively.

Data Retention & Deletion

Retention Policy: Customer data is retained for the duration of the contract. Upon termination, data is securely deleted within 30 days unless otherwise requested, in line with GDPR data minimization principles.

Data Deletion Requests: Clients can request permanent deletion of user data at any time by contacting our support team or their Customer Success Manager.

Third-Party Integrations

Amirra integrates with select third-party tools to enhance your experience. All integrations undergo security and compliance reviews, and Data Processing Agreements are maintained with all vendors handling personal data.

Responsible Disclosure

If you believe you have found a vulnerability or security issue within the Amirra platform, please report it to support@amirra.io. We take all disclosures seriously and will work with you to verify and address any findings promptly.

Our Role Under GDPR

Amirra acts primarily as a Data Processor on behalf of our clients, who are the Data Controllers of their employee and organisational data. In some instances, Amirra may act as a Data Controller for operational data such as user support interactions or marketing contacts.

Data Processing Agreement (DPA)

We offer a comprehensive Data Processing Agreement outlining our data protection obligations under GDPR. Clients can request a copy of our DPA by contacting support@amirra.io. This agreement includes:

Scope and nature of processing
Subprocessor commitments
Technical and organisational security measures
Data Subject Rights support

Subprocessors

To provide our services efficiently, Amirra engages with a small number of trusted subprocessors. These include Microsoft Azure for secure cloud hosting, with data stored in the United States for US-based clients and in Germany for clients located outside the US, ensuring data residency compliance. We also work with select integration providers, such as email delivery and authentication partners, to enable platform features. All subprocessors are contractually required to maintain data protection and security standards equivalent to our own. We will notify clients in advance of any intended changes to these subprocessors, as required under GDPR Article 28(2).

Data Subject Rights

Amirra supports clients in fulfilling Data Subject Access Requests (DSARs), including requests for:

Access to personal data
Correction of inaccurate data
Deletion of data (Right to be Forgotten)
Data portability requests

Please contact support@amirra.io for assistance with DSARs.

International Data Transfers

Where personal data is transferred outside of the EU/EEA, Amirra ensures appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
Hosting on Microsoft Azure, which maintains GDPR compliance and robust security standards

Data Retention

Personal data is retained only for as long as necessary to fulfil contractual obligations or legal requirements. Upon termination of services, client data is deleted within 30 days, unless otherwise agreed in writing.

Security Measures

Amirra employs technical and organizational measures to protect personal data, including:

Encryption at rest and in transit
Role-based access controls
Regular vulnerability assessments and penetration testing


Breach Notification

In the event of a personal data breach affecting client data, Amirra will notify impacted clients without undue delay and within the timelines required by GDPR Article 33, providing all relevant details to support your regulatory reporting obligations.

Data Protection Officer (DPO)

For any GDPR-related queries or to exercise your data protection rights, please contact our Data Protection Officer at: supp


Continuous Improvement

We regularly review and update our security controls, policies, and practices to meet evolving industry standards and ensure the ongoing safety and reliability of our platform.