ALVAO Trust Center

ALVAO is GDPR compliant. We process personal data only based on customer instructions and support customers in fulfilling their GDPR obligations, including data subject requests and breach notifications.

ALVAO holds ISO/IEC 27001:2022 certification covering the development, sale, implementation, provision and support of ALVAO Service Desk and ALVAO Asset Management, including cloud services.

Code of practice for information security controls for cloud services, building on ISO/IEC 27001.

Code of practice for protection of personally identifiable information (PII) in public cloud environments acting as PII processors.

ALVAO maintains a SOC 2 Type 2 report covering security, availability and confidentiality controls. The report is available on request.

Cyber Essentials certification demonstrating alignment with fundamental cyber security controls.

ALVAO implements appropriate technical and organizational measures to ensure a level of security appropriate to risk. We protect your data using modern security practices:

Access is governed by Role-Based Access Control (RBAC) following the least privilege principle, with Multi-Factor Authentication (MFA) and Single Sign-On (SSO) support.

ALVAO maintains audit logs providing full traceability of activity within the system.

Security monitoring and response processes are in place to detect and react to security events.

Our development follows best practices aligned with OWASP. We perform internal OWASP tests and product vulnerability scanning, including automated source code analysis prior to production deployment.

Regular third-party penetration tests are performed and aligned with OWASP security standards. Findings are mitigated according to their severity.

The ALVAO Security Whitepaper describes our security architecture, controls and processes in detail. It is available under NDA or upon justified request.

Your data remains yours. ALVAO acts as a data processor, while customers remain data controllers. The Privacy Policy explains:

• What personal data we process and why
• Legal basis under GDPR
• Your rights as a data subject and how to exercise them

Information about the cookies we use and how to manage your preferences.

The DPA is available as part of contractual documentation and governs the processing of personal data and transfer mechanisms.

Data classification is defined in alignment with contractual and regulatory requirements. The following table classifies the types of data processed by ALVAO ITSM and their respective handling policies.

Retention periods are defined in our Terms of Service and Data Processing Agreement.

ALVAO maintains high service availability with an uptime of 99.95% over the last 90 days.

Continuous 24/7 monitoring and alerting keeps our services under constant oversight. Planned maintenance is communicated to customers in advance.

Service levels, responsibilities and commitments are defined in our Terms of Service.

ALVAO may engage trusted subprocessors to deliver the service, while maintaining full responsibility for data protection.

ALVAO is built on a modern cloud-native architecture leveraging Microsoft cloud services to ensure high availability, security and scalability. Key services include Azure, Azure SQL Database, Azure Storage, Microsoft Entra ID and Azure Monitor / Application Insights.

All customer data is stored in EU data centers (unless otherwise agreed):

• Microsoft West Europe — Amsterdam, Netherlands
• Microsoft North Europe — Dublin, Ireland

For Czech e-Government cloud services, only the Microsoft West and North Europe regions are used.

UK data residency available via the Microsoft UK South region (London).

US data residency available via the Microsoft East US region (Virginia).

Customers can export their data in a structured format upon request or via available self-service tools, depending on the service configuration. Export may include tickets and records, configuration data, user and asset data, attachments and related metadata.

ALVAO supports customers in transitioning to another solution by providing data export in standard formats, assisting with migration planning upon request, and ensuring data integrity during the export process.

Upon termination of the service, customer data is deleted or anonymized in accordance with contractual obligations and retention policies, and backups are purged according to defined backup retention cycles.

ALVAO is committed to using AI in an ethical, legal and responsible way. We apply responsible and controlled use of AI features where applicable.

Detailed AI usage terms are defined in the ALVAO AI Addendum (where applicable). Where AI capabilities rely on external providers, data processing is governed by contractual safeguards and subprocessor agreements.

Our Terms of Service for software services, including processing of personal data (clause 16).

Licensing terms for ALVAO products and services. The newest version is always available online.

For full legal details regarding illegal content and appeals, please refer to our Terms of Service and Data Processing Agreement.