Legal documentation — SILO Platform
SILO Platform Privacy Policy
1. Controller and scope
Ahkoris Lda, registered in Vila Nova de Gaia, Portugal, NIF (Portuguese Tax ID) 519402901 (hereinafter "Ahkoris" or "we"), develops and operates the SILO regulatory compliance management platform, delivered as a SaaS product.
Privacy contact: privacy@ahkoris.com
This Policy describes how Ahkoris processes personal data in connection with the SILO platform and distinguishes two separate roles:
- Data controller — for data collected directly to manage the contractual relationship with the customer (subscription, billing, platform access);
- Data processor (GDPR Art. 28) — for personal data that the customer enters into the platform in the course of its own compliance activities. That data is processed under the customer's instructions; the customer is the data controller for such data.
2. Data processed as controller (contractual relationship)
Ahkoris processes the following personal data as data controller:
- Identification and contact data — name, email address and company of the contact person who subscribes to or manages the SILO account;
- Authentication data — email address and password hash (bcrypt, cost factor 12); passwords are never stored in plain text;
- Billing data — payment information processed by Stripe (see section 5); Ahkoris does not store card details;
- Technical records — IP address, browser type, access logs and audit log of platform actions, for security and legal compliance purposes;
- MFA configuration data — encrypted TOTP secret linked to the user account.
3. Data processed as processor (customer data)
When the customer enters personal data into the platform as part of its compliance activities (e.g. Records of Processing Activities, DPIAs, incident reports, risk assessments, vendor data), Ahkoris acts as a data processor under GDPR Art. 28.
The customer is the data controller for that data and is responsible for ensuring an appropriate legal basis and the fulfilment of data subject rights. Ahkoris processes such data solely in accordance with the customer's instructions and for the purposes defined in the Data Processing Agreement (DPA) concluded with each customer.
A model DPA is available at: silo-dpa.html
4. Purposes and legal bases (controller data)
| Purpose | Legal basis (GDPR) |
|---|---|
| Creating and managing a SILO account | Contract performance (Art. 6(1)(b)) |
| Authentication and access control (RBAC + MFA) | Contract performance + legitimate interests (Art. 6(1)(b) and (f)) |
| Billing and payment processing | Contract performance + legal obligation (Art. 6(1)(b) and (c)) |
| Sending transactional communications (account confirmation, security alerts) | Contract performance (Art. 6(1)(b)) |
| Platform security, fraud detection and auditing | Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal obligations (invoicing, log retention) | Legal obligation (Art. 6(1)(c)) |
5. Sub-processors and transfers
Ahkoris engages the following sub-processors to operate the SILO platform. Personal data processed by Ahkoris as controller may be transferred to these providers with appropriate safeguards in place:
| Provider | Purpose | Location | GDPR safeguard |
|---|---|---|---|
| Hetzner Online GmbH | VPS hosting, encrypted volumes, Object Storage (offsite backup) | Germany 🇩🇪 | EU-established. DPA concluded. |
| Stripe Payments Europe, Ltd. | Payment processing | Ireland 🇮🇪 | EU entity. DPA concluded. |
| Brevo SAS | Transactional email delivery | France 🇫🇷 | EU-established. DPA concluded. |
| Sentry (EU region) | Error monitoring (data hosted in Frankfurt) | Germany 🇩🇪 | Data in EU. DPA concluded. |
| UptimeRobot | Uptime monitoring | Bulgaria 🇧🇬 | EU-established. No personal data. |
| GitHub (Microsoft) | Code repository and CI/CD — no customer data | USA 🇺🇸 | Microsoft DPA + SCCs. Code only. |
The SILO platform operates on 100% European infrastructure. All personal data is processed within the EEA, with no transfers to third countries (the only data held outside the EEA is the application source code on GitHub, which contains no customer data). No personal data is transferred outside the EEA without appropriate safeguards.
6. Retention periods
| Data category | Retention period |
|---|---|
| Active account data | For the duration of the subscription |
| Cancelled account data | 30 days after cancellation (export available), then deleted |
| Billing data and invoices | 10 years (Portuguese tax obligation) |
| Access logs and security audit log | 90 days (NIST SP 800-53A AU-11) |
| Encrypted backups | Daily: 7 days; weekly: 4 weeks; monthly: 3 months |
7. Data subject rights
With respect to data processed by Ahkoris as controller, data subjects have the following rights under GDPR:
- Access — obtain confirmation that their data is being processed and a copy thereof;
- Rectification — correct inaccurate or incomplete data;
- Erasure — request deletion of data, except where processing is required by law;
- Restriction — restrict processing in certain circumstances;
- Portability — receive data in a structured, machine-readable format;
- Objection — object to processing based on legitimate interests.
To exercise rights regarding data entered by a customer into the platform, the data subject should contact the customer (data controller). For data processed directly by Ahkoris, contact: privacy@ahkoris.com.
You also have the right to lodge a complaint with the CNPD (Comissão Nacional de Proteção de Dados — Portuguese Data Protection Authority), Av. D. Carlos I, 134 — 1.º, 1200-651 Lisbon, Portugal, geral@cnpd.pt, www.cnpd.pt.
8. Security
The SILO platform implements advanced technical and organisational measures in accordance with NIST SP 800-53A Rev.5 controls, including:
- Encryption of volumes at rest — LUKS2 AES-256-XTS;
- Encrypted communications — TLS 1.2+ on all endpoints;
- Multi-factor authentication (MFA/TOTP) mandatory for privileged roles;
- Role-based access control (RBAC) with least-privilege principle;
- Immutable audit log of all platform actions (90-day retention);
- Continuous monitoring and vulnerability management.
In the event of a personal data breach that may affect data subjects, Ahkoris will notify the affected customer without undue delay so that the customer, as controller, can meet the 72-hour deadline for notifying the supervisory authority under GDPR Art. 33.
9. Cookies and sessions
The SILO platform uses strictly necessary cookies for:
- Authenticated session management (JWT/session token — expiry: 30 minutes of inactivity);
- CSRF (Cross-Site Request Forgery) protection.
No tracking, advertising or third-party behavioural analytics cookies are used on the SILO platform.
10. Changes to this Policy
This Privacy Policy may be updated. The version in force is always the one published at this address. Material changes will be communicated by email to active users with 30 days' prior notice. Continued use of the platform after the effective date constitutes acceptance of the changes.