Data Security, Privacy & AI Governance | Valenta
Security & Privacy

Your data is safe with us. Here is the proof.

Security and privacy questions come up early in every conversation — and they should. This page answers what procurement, IT, legal, and compliance teams ask us most often. If you need additional documentation, a completed security questionnaire, or a technical review call, contact your Valenta Managing Partner.

  • ISO 27001 Certified: Information Security Management
  • Aligned with SOC 2 Type II Principles: Security & Confidentiality
  • GDPR & HIPAA: EU, UK & US Healthcare
  • Microsoft Azure: Enterprise-grade infrastructure

Certifications
Regulatory alignment
  • ISO 27001
  • SOC 2 Type II
  • GDPR (EU)
  • UK GDPR
  • HIPAA
  • Australia Privacy Act
  • PIPEDA (Canada)

Automation & RPA
All security controls in this document apply. The AI governance section is for reference if AI is introduced in a later phase.
Data Integration & Analytics
All security controls apply. No AI model is involved in data pipelines or deterministic analytics. AI governance applies if AI is added.
Data & AI Engagements
All security controls apply, plus the AI governance section in full. Full AI governance documentation is available on request.
Staff Augmentation
All security controls apply, including endpoint protection, access management, and device policies for Valenta personnel.
How your data is handled

Your data is yours. Full stop.

Valenta accesses only the data required to deliver the agreed solution. Your data is never repurposed, shared with other clients, or used to train any AI or machine learning model — on any engagement type, without exception.

Data minimization by default

We access only what is needed to deliver the solution. No additional data is accessed, retained, or repurposed beyond the defined engagement scope.

No cross-client data exposure

Each client's data, pipelines, and environment components are fully isolated. Nothing is shared across client accounts, regardless of seniority or geography of the delivery team.

Your data is never used to train AI

Not on any engagement type, under any circumstances. All AI inference in our solutions is stateless per session. The model provider cannot learn from or retain your data.

Clean exit at engagement close

All Valenta access is formally revoked and confirmed to you in writing. Development and test environments are deleted once handover is confirmed.

Audit trail throughout

Pipeline execution logs, API call records, and access events are retained throughout the engagement and available for your review on request.

Offshore team, same controls

Our global delivery team operates under identical access controls regardless of location. Geographic location does not change the standard applied.

Infrastructure & deployment

Where your data lives

Valenta's automation services are deployed through UiPath Automation Cloud, a cloud-native enterprise platform hosted on Microsoft Azure with region-specific hosting options. Valenta offers two deployment models for all engagements. Both apply the same security controls. Your engagement letter confirms which applies to your project.

Model A: Client-Hosted

You control

The solution is deployed within your own cloud environment. You own and control all compute, storage, and network resources. Valenta has access only during the active engagement.

Data residency is determined by your cloud configuration and region settings.

Model B: Valenta-Managed

We manage

Valenta provisions and manages the infrastructure required to deliver the solution. You receive full access to the system, its outputs, and all associated assets.

Data residency is configured to meet your geographic and regulatory requirements before deployment begins.

In both models

  • Data in transit encrypted via HTTPS/TLS 1.2+
  • Data at rest encrypted via AES-256
  • Network access via approved IPs or VPN only
  • Platform aligned with ISO 27001 & SOC 2 Type II
  • Isolated, dedicated infrastructure per client
  • Data residency configured before deployment
Access & authentication

Who has access and how it is controlled

Access to client environments, data assets, and solution components is restricted to the Valenta team members assigned to your specific engagement only.

Engagement-scoped access only

Access is not shared across other clients or teams, regardless of seniority or internal role.

Role-Based Access Control

Every user and service account is granted the minimum permissions required for their specific role. No implicit trust based on network location.

SSO and MFA enforced

Single Sign-On and Multi-Factor Authentication are required across all platform access points.

OAuth2 only

All integrations with your source systems use OAuth2 or App-Based Authentication. Shared passwords and basic authentication are not used.

Credentials never in code

API keys, tokens, and connection strings are stored in secure environment configuration only — never written into pipeline code or definitions.

Security training is mandatory

All team members complete required training before receiving access to any client environment. Completion is tracked and enforced.

AI governance

How we govern AI in your engagement

Valenta maintains a dedicated AI governance and security policy for all Data & AI engagements. These are the principles that govern every AI engagement.

1. Your data is never used to train AI

Not to train, fine-tune, or improve any AI model — whether proprietary to Valenta or provided by a third-party platform. No exceptions.

2. Stateless AI inference

When external AI APIs are called, no data is retained between sessions. The model provider cannot learn from or store your data.

3. Your data only, as inputs

AI models operate exclusively on data you have provided and control. General internet data or data from other clients is never used as input.

4. Human oversight built in

Where AI outputs inform significant decisions, human review is built into the workflow. AI outputs are supporting information, not autonomous decisions.

5. Every AI component documented before build

What model is used, what data it receives, what it produces, and the acceptance criteria — all reviewed and approved by you before development begins.

Need full AI governance documentation? For active engagements, Valenta provides detailed documentation covering the AI data lifecycle, model governance, artefact handling, and end-of-engagement obligations. Contact your Managing Partner to request it.
Governance & incident response

How we operate and what happens when something goes wrong

All Valenta engagements operate under a documented governance framework covering change management, audit trails, access reviews, and incident response.

Change management

All production deployments follow a documented change request process reviewed with you before implementation. No untested code reaches production.

Prompt incident notification

In the event of a confirmed security incident affecting your environment, you are notified promptly. A written root cause analysis and remediation report follows.

Full audit trail

Pipeline execution logs, API call records, data transformation records, and access events are retained and available for your review on request.

Regulatory breach cooperation

Valenta will cooperate fully with any regulatory breach notification obligations applicable to your organization and jurisdiction.

Access reviewed continuously

Access to your environment is reviewed at each sprint checkpoint and whenever team composition changes.

Environment segregation

Development, UAT, and Production environments are strictly segregated across all engagements. No untested configuration reaches production.

Regulatory alignment

Compliance frameworks we align with

Valenta's infrastructure and platform components are aligned with the following frameworks, as applicable to your industry and jurisdiction. Where your compliance framework requires specific control mapping, evidence documentation, or a completed security questionnaire, your Managing Partner will coordinate this directly with our team.

ISO 27001

Information Security Management. Applies across all engagements and delivery regions.

SOC 2 Type II

Security, Availability, and Confidentiality. Platform components aligned for enterprise-grade trust.

GDPR & UK GDPR

EU and UK data protection. Valenta AI Limited is ICO registered (ZB518204). DPA available for all applicable engagements.

HIPAA

US healthcare engagements involving Protected Health Information. Business Associate Agreement available on request.

Australian Privacy Act 1988

Australian Privacy Principles apply to all Australian-domiciled engagements. NDB scheme compliance included.

Regional data sovereignty

PIPEDA (Canada), PDPA (Malaysia), Colombian Law 1581, and applicable local laws. Region-specific configuration available.

Common questions

What compliance and security teams ask us

Does Valenta use my data to train AI models?

No. Your data is never used to train, fine-tune, or improve any AI or machine learning model — on any engagement type, without exception. All AI inference is stateless, meaning no data is retained between sessions by the model provider.

Where is my data hosted?

Valenta offers two deployment models. In a client-hosted deployment, your data remains within your own cloud environment. In a Valenta-managed deployment, data is hosted on Microsoft Azure infrastructure with data residency configured to meet your geographic and regulatory requirements before deployment begins.

Is Valenta GDPR compliant?

Yes. Valenta's platform components and practices are aligned with GDPR for EU and UK engagements. For UK clients, Valenta AI Limited is registered with the Information Commissioner's Office (ICO) as a data controller and data processor (registration ZB518204). A Data Processing Agreement is available for all applicable engagements.

Is Valenta HIPAA compliant?

Yes, for US healthcare engagements. Where Valenta is engaged to perform services involving Protected Health Information on behalf of a Covered Entity or Business Associate, services are governed by applicable HIPAA requirements. Valenta shall not be deemed a Business Associate unless expressly agreed in writing.

Who from Valenta has access to my data?

Only the team members assigned to your specific engagement. Access is not shared across other clients or projects, regardless of seniority or location. All access is formally revoked at engagement close and confirmed to you in writing.

What happens to my data at the end of the engagement?

All Valenta access to your environment is formally revoked at engagement close. Development and test environments, temporary data copies, and test API connections are fully deleted once handover is confirmed. A written access revocation confirmation is provided.

Does Valenta have a Data Processing Agreement?

Yes. For UK engagements, a DPA is entered into upon commencement of services in accordance with Article 28 of UK GDPR. For EU engagements under Valenta GmbH, a DPA forms an integral part of every contract. Contact your Valenta Managing Partner to obtain the applicable DPA for your jurisdiction.

Does the risk profile differ between RPA and Data & AI engagements?

Yes, and we address this directly. Data & AI engagements involve broader data access, AI model interactions, and additional governance obligations. Valenta maintains a dedicated AI governance and security policy that covers the AI data lifecycle, model governance, stateless inference, human oversight controls, and end-of-engagement artefact handling. Contact your Managing Partner to request full documentation for a Data & AI engagement.

Have specific security or compliance questions?

Your Valenta Managing Partner can arrange a technical review call, provide additional documentation, or coordinate a completed security questionnaire. We work with your compliance team directly.