GDPR & data processing

Effective 27 May 2026. This page explains, in plain English, where every piece of data on Assesr lives, where AI processing happens, who else touches the data, and how we meet UK GDPR and EU GDPR. It is intended to answer the questions lenders, borrowers, compliance teams and DPOs actually ask before signing up.

See also our Privacy Policy (the formal legal notice) and Security (controls, certifications and architecture).

1. Plain-English summary

  • Your deal data is stored in a managed relational database in the EU/UK, encrypted at rest with AES-256 and in transit with TLS 1.2+.
  • AI credit papers are generated using paid commercial LLM APIs (see section 5 for details). On paid API tiers, your data is not used to train any model — this is a contractual commitment from each provider, not a setting we toggle.
  • Our application runs on global edge infrastructure. HTTPS terminates at the nearest edge node, then connects to the EU/UK database.
  • You can access, correct, export, restrict or delete your data at any time by emailing privacy@assesr.com.
  • Assesr is the data controller for your account and deal data. Lenders who receive a deal become independent controllers for the data they then process for credit-decisioning.

2. End-to-end data flow

Here is exactly what happens when you submit a deal:

  1. Upload — your browser sends documents over an encrypted TLS connection to the nearest edge node, then on to our application.
  2. Storage — the original document is written to secure file storage in an EU/UK data centre. Extracted fields are written to the database in the same region.
  3. AI extraction — text extracted from the document (not the raw file) is sent over TLS to our AI processing pipeline, which routes it to a commercial LLM provider. The response is returned in seconds and written back to the database.
  4. Credit-paper generation — structured deal fields are sent to the LLM to generate a comprehensive credit paper. Same encrypted path as step 3.
  5. Lender matching — the credit paper is shared, with your explicit consent, with lenders whose published mandate fits the deal. No data is shared with lenders until you click "Submit to marketplace".
  6. Audit log — every read, write and lender access event is recorded in an append-only log for forensics and your own visibility.

3. Where data is stored (at rest)

Data type | Where it lives | Encryption
Account profile (name, email, role) | Managed database — EU/UK data centre | AES-256 at rest, TLS 1.2+ in transit
Deal fields (site, GDV, costs, structure) | Managed database — EU/UK data centre | AES-256 at rest, TLS 1.2+ in transit
Uploaded documents (PDFs, images) | Secure file storage — EU/UK data centre | AES-256 at rest, TLS 1.2+ in transit
Generated credit papers | Managed database — EU/UK data centre | AES-256 at rest, TLS 1.2+ in transit
Audit / access logs | Managed database — EU/UK data centre | AES-256 at rest, append-only
Authentication credentials | Managed auth service — EU/UK data centre | Industry-standard hashing; signed session tokens
Backups (daily snapshots) | Encrypted snapshots — same region | AES-256, retained per our backup policy
LLM prompts & responses | Not retained by Assesr beyond the request lifecycle (the generated paper is kept). Not retained by the model provider — see section 5. | TLS 1.2+ end-to-end

Encryption at rest is provided by the infrastructure provider's server-side encryption and cannot be disabled. Backups are encrypted before they leave the database host.

4. Data in transit

  • All public endpoints enforce HTTPS with TLS 1.2 or higher. HTTP requests are automatically redirected.
  • HSTS is enabled with a long max-age; browsers refuse to downgrade.
  • All internal service-to-service communication uses TLS 1.2+.
  • Authentication cookies are flagged Secure, HttpOnly and SameSite=Lax.

5. Where AI / LLM processing happens

This is the question lenders ask most often, so it gets its own section. Assesr does not host or train its own large language models. We send specific, structured data to commercial LLM APIs and write the response back into your deal.

5.1 Which providers are used

  • Google (paid commercial Gemini API) — used for extraction and credit-paper drafting.
  • OpenAI (paid commercial API) — used for selected analysis steps.

In both cases we use paid enterprise API tiers, not free consumer products. This distinction matters for GDPR because the data-use terms are materially different on paid tiers.

5.2 Where the inference physically runs

LLM requests leave our application over TLS and are executed in the model provider's own data centres. Both providers operate globally and route to the nearest healthy region.

  • Google (paid API): typically processed in Google Cloud regions, which include EU regions. Google publishes Zero Data Retention support for eligible models on the paid tier.
  • OpenAI (paid API): default processing region is the United States. OpenAI also offers EU data residency for eligible endpoints.
  • Our application layer executes at the nearest edge node — for an EU/UK user, that means an EU/UK location.

5.3 Training & retention by the model providers

  • OpenAI (paid API): since 1 March 2023 OpenAI does not use API inputs or outputs to train its models by default — this is contractual, not an opt-in. Limited abuse-monitoring logs may be held for up to 30 days, then deleted.
  • Google (paid API): data is not used to train Google models. Eligible models additionally support Zero Data Retention — prompts and responses are not stored after the API call completes.
  • Assesr: we do not retain the raw input after the response is written. We do retain the generated output (your credit paper) because that is the product you asked us to build.

5.4 What the LLM actually sees

We minimise what is sent to the model. The LLM receives only the extracted text and structured fields relevant to a single deal. It does not receive other users' data, your authentication tokens, your payment details, or data from any other deal.

5.5 No automated decision-making

The credit paper is a drafting aid for human credit teams. The LLM does not make a lending decision and we do not perform automated decision-making with legal or similarly significant effects on you within the meaning of Article 22 GDPR. A human underwriter at the lender always makes the final call.

6. Sub-processors

The following third parties process personal data on our behalf under Article 28 GDPR. Each is bound by a Data Processing Agreement with appropriate safeguards.

Sub-processor | Purpose | Region
Supabase | Managed database, file storage, authentication | EU/UK
Amazon Web Services | Underlying infrastructure for database provider | EU
Cloudflare | Edge hosting, DNS, DDoS protection | Global; EU/UK for EU/UK traffic
Google (paid Gemini API) | LLM inference for AI features | Google Cloud, EU regions where available
OpenAI (paid API) | LLM inference for AI features | US default; EU residency where supported
Stripe | Payment processing | EU & US
Resend | Transactional email delivery | EU

We will notify customers in advance of material changes to this list. Email privacy@assesr.com to subscribe to sub-processor change notices.

7. International data transfers

Your primary deal data stays in the EU/UK. Where data is transferred outside the UK / EEA — primarily to the United States for some LLM inference, payments, and edge networking — we rely on the following safeguards:

  • EU-US Data Privacy Framework (and UK Extension) — for transfers to certified US recipients including AWS, Google LLC and Cloudflare. The DPF is the adequacy decision that replaced Privacy Shield in July 2023.
  • Standard Contractual Clauses (Module 2 or 3, EU Commission Decision 2021/914) plus the UK ICO Addendum — used as a fallback and for transfers to recipients not on the DPF list.
  • Transfer Impact Assessments — completed for each material sub-processor and reviewed annually.

8. Retention & deletion

Data | Retention
Active account & deals | Until you delete the account, or 24 months after last activity
Deals that reached drawdown | 6 years from drawdown (UK FCA / accounting record-keeping); PII fields are then automatically purged
Uploaded documents | Same as parent deal; a grace period applies after deletion, then permanently removed from storage
Audit logs | 12 months rolling; aggregated metrics retained longer with no PII
LLM inputs | Not retained after the response is written
Backups | Encrypted snapshots, retained per our backup policy then automatically deleted
Marketing emails | Until you unsubscribe; suppression list kept indefinitely so we don't email you again

9. Your GDPR rights

Under UK GDPR and EU GDPR you have the right to:

  • Access (Article 15) — get a copy of the personal data we hold about you.
  • Rectification (Article 16) — correct anything inaccurate.
  • Erasure (Article 17) — "right to be forgotten", subject to legal record-keeping duties.
  • Restriction (Article 18) — pause processing while a dispute is resolved.
  • Portability (Article 20) — receive your data in a machine-readable format (we export to JSON/CSV).
  • Object (Article 21) — object to processing based on legitimate interests, and to direct marketing at any time.
  • Not be subject to solely automated decisions (Article 22) — see section 5.5.
  • Complain to a supervisory authority — the UK ICO at ico.org.uk, or your local EU DPA.

To exercise any right, email privacy@assesr.com. We respond within 30 days (usually within 72 hours).

10. Lawful basis for processing

Processing | Lawful basis (Article 6)
Creating your account, generating credit papers, matching to lenders | Performance of a contract — Art. 6(1)(b)
Sharing a deal with a specific lender | Your explicit consent at submission — Art. 6(1)(a)
Fraud prevention, audit logs, security monitoring | Legitimate interests — Art. 6(1)(f)
AML, KYC and FCA-related record retention | Legal obligation — Art. 6(1)(c)
Product marketing emails | Consent (you can withdraw at any time) — Art. 6(1)(a)

11. Security controls

  • Data-level isolation — each user can only access their own data; lenders only see deals they were explicitly sent.
  • Role-based access control enforced at the database level — application code cannot bypass it.
  • Re-authentication required for sensitive actions (submitting to marketplace, deleting data).
  • Append-only audit log of every lender access event.
  • Automated backups, monitored, with documented restore procedures.
  • Vulnerability scanning on every deploy.
  • Principle of least privilege for staff access; admin actions are logged.
  • Full detail on the Security page.

12. Breach notification

If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the UK ICO within 72 hours of becoming aware of it (Article 33 GDPR) and notify affected users without undue delay where the risk is high (Article 34).

13. DPO & contact

Assesr is the data controller for personal data processed on the platform. For all privacy, GDPR or data-protection matters:

Enterprise / institutional customers can request our signed Data Processing Agreement, Transfer Impact Assessment and up-to-date sub-processor notice by emailing privacy@assesr.com.

14. Frequently asked questions

The questions lenders, borrowers, compliance teams and DPOs ask most often — answered plainly without revealing proprietary implementation details.

This page is informational and forms part of our broader Privacy Policy. Where a specific clause in the Privacy Policy or a signed DPA differs from a description on this page, the Privacy Policy or DPA prevails.