Beta This Trust Center describes the target state at product launch. Components currently in operation are marked active; planned components are marked planned.
Trust Center

Your data belongs to you.

How Wareed will protect your emails and customer data. Clearly documented, EU-focused, GDPR-compliant by design. Without the marketing fluff.

Four Principles

Where we will never compromise.

EU hosting

All production data in EU data centers. Planned: Hetzner Falkenstein (Germany) for application data. The current landing page runs via Cloudflare Pages (DPF-certified, SCCs).

No AI training on your data

Your emails are not used to train AI models. Anthropic, under its Commercial Terms, does not use API content for model training.

Encryption

TLS 1.3 in transit. API keys and secrets live only as environment variables, never in code. Dashboard access is protected by an admin token with constant-time comparison (defends against timing attacks). Planned: at-rest disk encryption and multi-user passwords with bcrypt.

You stay in control

One-click deletion. Full data exports anytime. No lock-in. Cancel any time, effective end of month.

Data processing

What we will store. And what we won't.

Full transparency about the planned architecture. You see exactly which data Wareed will process.

Data type
Location
Retention
Status
Email content
Inbound & generated replies
EU servers (planned: Hetzner)
90-day rolling window
planned
SOPs & knowledge base
Documents you upload
EU servers
Until you delete them
planned
Account data
Name, email, login
EU servers
Contract term + 30 days
planned
Usage statistics
Email volume, confidence scores
EU servers
12 months
planned
Payment data
We don't store credit cards
— at Stripe (PCI-DSS)
not on our side
Email attachments
Not processed
never processed

Last updated: May 2026 · Status "planned" = architectural decision finalized, implementation to follow before product launch · Changes will be announced at least 30 days in advance.

Subprocessors

Who we will work with.

Planned list of all third parties with data access. A DPA with each provider will be signed before product launch.

Anthropic USA · DPF-certified

AI processing of emails (Claude API). Per Anthropic's Commercial Terms, API content is not used for model training.

DPA in preparation
Hetzner Online Germany · ISO 27001

Server hosting in Falkenstein. Intended for application servers at product launch.

DPA in preparation
Cloudflare USA · DPF-certified · SCCs

CDN, DDoS protection and SSL for the landing page (active). Planned for production app endpoints with an EU caching strategy.

active
Stripe Ireland (EU) · PCI-DSS Level 1

Payment processing. We never see card data.

DPA in preparation
Compliance

Standards we will meet.

GDPR

Architecture designed to be GDPR-compliant. DPA template in preparation.

in preparation
EU AI Act

Designed around the transparency obligations for AI systems.

planned
ISO 27001

Certification targeted for 2027. Our hosting provider is already ISO-certified.

2027 planned
Frequently asked

What legal teams typically ask.

Will our emails be used to train AI?
No. Anthropic (our planned AI provider) does not use API content for model training under its Commercial Terms. Wareed itself does not train models on your data. Both will be contractually committed in the DPA with you.
Where is the data stored?
Planned: German data centers (Hetzner Falkenstein) for application and email data. AI processing via Anthropic uses Standard Contractual Clauses (SCCs); Anthropic is DPF-certified. As soon as Anthropic offers EU endpoints, we'll evaluate migration.
Who has access to our email content?
Nobody other than the system itself. Wareed staff have no default access to customer email content. In support we only see metadata (volume, categories, confidence scores). Exception: explicit, scoped authorization from you for a specific support ticket.
What happens if Wareed becomes insolvent?
In the event of insolvency, all customers receive 60 days of access to full data exports before shutdown. This is set out in the DPA. Also: because Wareed only synchronizes your emails (rather than migrating them), your original messages always remain in your Gmail/Outlook — Wareed is a layer on top, not a replacement system.
How quickly can we have all our data deleted?
Immediately. The dashboard will include a "delete all data" button (with a safety confirmation). All content is removed from active systems within 24 hours. Backups are rotated and overwritten within 30 days. A confirmation email with a deletion log is sent automatically.
What happens in case of a data breach?
Within 72 hours (as required by GDPR): full notification to all affected customers, including (1) the nature and scope of the breach, (2) likely consequences, (3) mitigations taken, (4) contact for follow-up. In parallel: notification to the competent data protection authority.
Can Wareed be integrated into our existing security architecture?
Planned for Enterprise: Single Sign-On (SSO) via SAML/OAuth, IP allow-listing, audit logs streamed to your SIEM, and Bring-Your-Own-Encryption-Key (BYOK) for highly sensitive setups. Reach out for tailored requirements.
Is Wareed suitable for regulated industries?
We currently don't recommend Wareed for industries with the highest compliance requirements (banking, hospitals handling patient records, insurers handling health data). ISO 27001 certification is targeted for 2027. Still, feel free to reach out — case-by-case review is possible.

Whitepaper for Legal & IT teams

Full technical and legal documentation as a PDF. Ready to forward to your data protection and security teams.

Also available in German and Arabic.

Need a tailored version for your company? info@wareed.de