Security & Data Protection
Data residency
All customer data is stored in Google Cloud, europe-west1 region (Belgium). This covers your site’s pages, documents, media files, and access records. There are no secondary copies in other regions. The servers running the platform and serving your published site operate exclusively in this region.
GDPR compliance
Transformento S.L. is the data controller. We are a Spanish company, registered in Málaga, and subject to GDPR as an EU entity.
Legal basis for processing your data:
- Your site’s content and documents: performance of our contract with you
- Visitor enquiries submitted through your site: legitimate interest
- WhatsApp business messaging where you have opted in: consent
Data Processing Agreement: Available on request. Email us at support@comstack.ai and we will send you a DPA to sign before your project goes live.
Sub-processors: We use the following third-party services to operate the platform. Each receives only the data needed for its function. We do not sell or share your data for commercial purposes.
| Service | Role | Data processed | Location |
|---|---|---|---|
| Google Cloud (Google LLC) | Database, file storage, and site hosting | Your content, pages, and media | Belgium (europe-west1) |
| Google Sign-In (Google LLC) | Team authentication | Email address and display name of your team members | EU |
| Cloudinary Ltd | Media hosting | Images you publish to your site | EU |
| Anthropic PBC | AI assistant integration | Content and instructions during AI assistant sessions | US |
| Meta Platforms / WhatsApp | Business messaging | Phone number and message content | EU/US |
What data your visitors’ voice interactions generate
When a visitor uses the voice interface on your site, their question is processed in real time and answered using your site’s own content. Voice queries are not stored on ComStack servers beyond the duration of the conversation.
We do not use visitor queries to train any AI model. Your visitors’ conversations are not reviewed by ComStack personnel unless you explicitly request support for a specific issue.
If a visitor provides personal information during a voice conversation — for example, their name or contact details — that information becomes part of your site’s interaction data. As the site operator, you are the data controller for your visitors’ personal data, and your own privacy policy and GDPR obligations apply.
What data your content and site generate
Your published content — pages, documents, and media — is stored in Google Cloud (Belgium). ComStack does not use your content for any purpose other than serving your site to visitors and generating the automatic translations you have enabled.
We do not run visitor analytics on your behalf, and we do not add third-party tracking scripts to your site. No cookies are set on your visitors by the ComStack platform.
Security architecture
Encryption: All data is encrypted in transit using TLS. Data at rest is encrypted by Google Cloud’s storage infrastructure.
Access control: Access to your project is role-based. Only the team members you invite — as managers or editors — can change your site’s content. Administrative access to the underlying infrastructure is limited to ComStack personnel with a documented need. Every management action on your project is logged in an immutable record, so we can reconstruct exactly what happened and when.
How the management interface is protected: When an AI assistant connects to manage your site, it authenticates through a time-limited token — it never receives your password or credentials. Access tokens expire after 1 hour; session tokens expire after 30 days. If a token is reused in a way that suggests it has been compromised, the entire session is revoked immediately.
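One way the expiry and reuse rule above can be enforced, as an added example that is not ComStack's own code: the 1-hour and 30-day lifetimes come from this page, while the `SessionStore` class, its method names, and the assumption that a session token is rotated on every refresh (so a second presentation of the same token counts as reuse) are hypothetical.

```python
import hashlib
import secrets

ACCESS_TTL = 60 * 60               # access tokens: 1 hour (figure from the page)
SESSION_TTL = 30 * 24 * 60 * 60    # session tokens: 30 days (figure from the page)

def _digest(token):
    # Keep only hashes server-side so a leaked table holds no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    """Hypothetical in-memory store. Rotation on every refresh is an assumption."""
    def __init__(self):
        self.revoked = set()   # ids of revoked sessions
        self.tokens = {}       # digest -> {"sid", "kind", "expires", "used"}

    def _mint(self, sid, kind, expires):
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = {
            "sid": sid, "kind": kind, "expires": expires, "used": False}
        return token

    def login(self, now):
        """Start a session; returns (access_token, session_token)."""
        sid = secrets.token_hex(8)
        return (self._mint(sid, "access", now + ACCESS_TTL),
                self._mint(sid, "session", now + SESSION_TTL))

    def _live(self, token, kind, now):
        rec = self.tokens.get(_digest(token))
        if rec is None or rec["kind"] != kind or now >= rec["expires"]:
            return None
        return None if rec["sid"] in self.revoked else rec

    def check_access(self, token, now):
        return self._live(token, "access", now) is not None

    def refresh(self, session_token, now):
        """Rotate a session token; returns a new pair, or None if refused."""
        rec = self._live(session_token, "session", now)
        if rec is None:
            return None
        if rec["used"]:
            # A token that was already rotated came back: two parties hold it,
            # so revoke the whole session, including tokens minted since.
            self.revoked.add(rec["sid"])
            return None
        rec["used"] = True
        # The replacement keeps the original 30-day deadline (no sliding window).
        return (self._mint(rec["sid"], "access", min(now + ACCESS_TTL, rec["expires"])),
                self._mint(rec["sid"], "session", rec["expires"]))
```

Because revocation is recorded per session rather than per token, the legitimate holder's newer tokens stop working too and a fresh sign-in is required.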
Publishing content to your live site requires a two-step process: the system first presents a list of exactly what will change, and a separate confirmation is required before anything goes live. This prevents accidental or unauthorized publishes. If a published change turns out to be wrong, it can be reversed: the platform takes a snapshot before every publish, and a single call restores your site to the previous state within one hour of the publish going live.
Incident response: If a security incident affects your project data, we will notify you within 72 hours of becoming aware. The notification will describe what happened, which data was involved, and the steps we are taking. This meets the GDPR breach notification requirement (Art. 33).
Who built this and who runs it
ComStack is built and operated by Transformento S.L., a company registered in Spain:
Transformento S.L.
Calle Graham Bell, 6 – 1, Oficina 12
29590 Málaga, Spain
Email: support@comstack.ai
Phone: +34 919 935 235
We are a small team based in Southern Spain. If you have a security or compliance question that this page doesn’t answer, write to us directly. We respond to serious security and GDPR questions within one business day.
For our full privacy policy, see the Privacy Policy.
Questions we get asked
Can I sign a Data Processing Agreement?
Yes. Email support@comstack.ai with your company name and registered address. We will send you a DPA to sign before your project goes live. The DPA covers all sub-processors listed in the GDPR section above.
Where exactly is my content stored?
Your content — pages, documents, and media — is stored in Google Cloud, europe-west1 region, Belgium. No data is replicated to regions outside the EU.
Who has access to my site’s data?
The team members you have invited to your project. ComStack staff may access your project for technical support purposes, and all such access is logged. We do not grant any third party access to your content except through the sub-processors listed above, for the purposes described.
Is my content used to train AI?
No. Your content is used only to serve your site to visitors and to generate the translations you have enabled. It is not shared with any AI provider for training purposes.
What happens to my data if I cancel?
Your published site remains live until you request its removal. On request, we delete your project content, media, and stored access records. We confirm deletion in writing. Records required for legal compliance — such as tax and audit records — are retained for the minimum period required by applicable law.
What happens if there is a security breach?
We notify you within 72 hours of becoming aware of any breach that affects your personal data. Every management action on your project is logged, which means we can provide you with a precise account of what occurred and what data was involved.