Overview
Our approach to trust
Garba AI AB is a Swedish company headquartered in Malmö, building a B2B sales intelligence platform for European sales teams. The product captures, transcribes and analyses sales conversations — which means we're entrusted with some of our customers' most sensitive commercial data.
Security and GDPR compliance are treated as product requirements, not afterthoughts. Customer data stays in the EU by default. When processing leaves the EU, it's governed by Standard Contractual Clauses and DPF certifications.
This page is the canonical source of information for prospects, customers and security reviewers. For anything not covered here, email support@garba.ai.
Section 02
Compliance & certifications
GDPR
Compliant
Garba processes personal data in accordance with the EU GDPR. Our DPA is incorporated by reference into every customer contract via our standard terms. A counter-signed copy is available on request.
EU data residency
Default
All primary processing infrastructure is hosted in the EU on Microsoft Azure (Sweden). AI inference is performed on EU-hosted infrastructure, using a combination of AWS, Google Cloud, and Microsoft Azure regions within the EU.
DPF (Data Privacy Framework)
Via sub-processors
Where transfers to the US are necessary, they are covered by SCCs and/or DPF certification of the sub-processor.
Section 03
Security controls
The controls below are implemented across our production environment and reviewed regularly. They are drawn from the technical and organisational measures set out in our DPA.
Encryption in transit
TLS (current versions) for all data in transit.
Encryption at rest
AES-256 symmetric encryption for stored data.
Key management
Encryption keys are managed securely with access restricted to authorised personnel.
Access control
Principle of least privilege with role-based access control (RBAC). Access reviewed, granted and revoked through a formal process.
Multi-factor authentication
MFA required for access to production environments and any system handling personal data.
Security monitoring
Continuous monitoring via Microsoft Defender for Cloud (CSPM), audit log analysis and automated alerts.
Application & vulnerability management
Enforced HTTPS, input validation and OWASP Top 10 protection, with dependency scanning via GitHub Dependabot and automated security checks in CI/CD.
Logging & traceability
All access and changes logged with user identity and timestamps. Logs are reviewed regularly.
Backups & recovery
Regular automated backups with redundant cloud storage, reproducible CI/CD deployments, 48-hour recovery objective.
Incident management
Documented incident response plan; 48-hour breach notification to customers.
Secure SDLC
Pull request reviews, automated security scanning, agentic code review for every change.
Sub-processor governance
Written agreements with every sub-processor imposing equivalent obligations to our DPA.
Data deletion
On termination: customer data available for export or return within 30 days; full deletion within 3 months; backups expire per rotation schedule.
Business continuity
Documented business continuity procedures cover adverse operational events. Recovery processes are tested periodically to verify they remain effective.
Audit rights
Customers may audit our compliance with the DPA. Audits are primarily remote, once per 12-month period, with 30 days' written notice. Third-party certifications and reports may satisfy audit requirements. Full terms in DPA §8.
Section 04a
How we use your data
You own your data
You retain all rights in the data you put into Garba: recordings, transcripts, CRM data, meeting metadata, and all AI-generated outputs (summaries, insights, analyses). This is committed in our Terms.
No cross-customer model training
We do not use your data to train, improve or develop AI models for the benefit of other customers. Where we use aggregated, anonymised data to improve the Service itself, no individual or company can be identified from it.
No automated decisions with legal effects
Garba does not make automated decisions that produce legal or similarly significant effects on individuals under GDPR Article 22. AI outputs are decision-support, not decisions.
Email ingestion
With customer configuration, Garba ingests and analyses email communications from connected email accounts (Gmail, Microsoft 365/Outlook). Customers control which emails are ingested through filter rules. Email content and metadata are retained per the customer's configured retention period and deleted within 3 months of account termination.
MCP server & third-party AI assistants
Customers may authorise third-party AI assistants (e.g. Claude, ChatGPT) to query Garba data via our Model Context Protocol (MCP) server. Access is scoped by the customer's access controls and limited to authorised users. Customers control which assistants are authorised.
AI-generated outputs may contain inaccuracies. Customers are responsible for reviewing outputs before acting on them. This is a shared-responsibility model: Garba provides the infrastructure and the model access; the customer exercises judgment on the output.
Section 04
Sub-processors
Garba provides customers with 30 days' notice of new or replacement sub-processors.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| | Hosting, cloud infrastructure, Azure OpenAI for AI processing | Sweden (Gävle) — EU | EU only |
| | Meeting bot & recording for Google Meet, Zoom, Teams | Germany (primary); limited ad-hoc US support access | SCCs (EU 2021/914) |
| | Speech-to-text transcription | France — EU | EU only |
| | AI analysis and summarisation (LLMs) via AWS Bedrock | EU (Bedrock EU inference profile, load-balanced across Frankfurt, Paris and London) | SCCs Module 3 + DPF |
| | AI analysis and summarisation via Google Vertex AI (LLM inference) | Belgium (St. Ghislain) — EU | SCCs Module 3 + DPF |
| | Transactional email (meeting reminders, opt-outs) | Germany & Belgium — EU | EU only |
| | Card payment processing | Primary processing in Ireland — EU; transfers to Stripe LLC (US) for affiliate processing | SCCs + DPF |
| | In-app customer support & feedback | Germany — EU | EU only |
| | Identity, SSO, MFA | EU (AWS Frankfurt/Ireland) primary; limited US for support | SCCs + DPF |
Section 05
Data residency & transfers
Default location: EU/EEA
All primary processing infrastructure is hosted in the EU on Microsoft Azure (Sweden). AI inference is performed on EU-hosted infrastructure, using a combination of AWS, Google Cloud, and Microsoft Azure regions within the EU.
Transfers outside the EEA
No routine transfers outside the EEA for primary data. Limited ad-hoc support access by US sub-processors is governed by SCCs (EU 2021/914) and DPF certifications.
Standard Contractual Clauses
Where transfers are necessary, we use the 2021/914 SCCs as the primary transfer mechanism, with supplementary measures applied.
No model training on your data
Customer data is not used to train third-party foundation models. Our agreements with Azure OpenAI, AWS Bedrock, Google Vertex AI and Gladia explicitly prohibit such use.
Data portability
Customer data is available for self-service export at any time during the subscription term. On termination, all customer data is available for export or return in a commonly used, machine-readable format within 30 days, at no additional cost. Final deletion occurs within 3 months of termination; confirmation of deletion is available on request.
Section 06
Privacy & GDPR
What data we process
Names, job titles and email addresses; video and audio recordings, transcripts and uploaded video files; meeting metadata; email content and metadata from connected inboxes; AI-generated analytic outputs linked to identified individuals; and authentication and activity data (user IDs, IP addresses, device metadata). Full categories are detailed in Appendix 1.1, Section 3 of our DPA.
Email ingestion from customer inboxes
With customer configuration, Garba ingests and analyses email communications from connected accounts (Gmail, Microsoft 365 / Outlook). Customers control which emails are ingested through filter rules. Email content and metadata follow the customer's configured retention period and are deleted within 3 months of account termination.
Data subject rights
We respond to data subject requests within statutory timelines. Email support@garba.ai to exercise your rights.
Retention
By default, customer data (including audio recordings, transcripts and email content) is not deleted automatically — customers configure their own retention rules in the product.
Meeting metadata: retained for the term of the agreement.
Audit logs: 12 months for system/access logs, 3 years for audit logs.
Backups: retained per rotation schedule (7 days to 3 years).
All customer data is deleted within 3 months of account termination.
Response times for data subject requests
We respond to data subject requests within one month of receipt. For complex or high-volume requests, the response window may be extended by up to two additional months with written notice, as permitted under GDPR Article 12(3).
Special-category data
We do not intentionally process special-category (Article 9) personal data. Because meeting recordings and transcripts may incidentally capture such data, we apply technical and organisational measures appropriate to that risk, including encryption, access controls, and confidentiality obligations.
Supervisory authority
Garba AI AB is established in Sweden. The competent supervisory authority is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY). Data subjects may lodge complaints with IMY at www.imy.se.
Section 07
Documents & reports
Data Processing Agreement (DPA)
Incorporated by reference into every customer contract via our standard terms. Request access for a counter-signed PDF (link expires after 7 days).
Privacy Policy
How we collect, use and protect personal data. Request access and we'll send you the latest version.
Terms & Conditions
Standard terms governing use of the Garba platform. Request access and we'll send you the latest version.
TAC Security Test
Independent third-party security/penetration test report. Request access and we'll share the latest version (link expires after 7 days).
AI Addendum
Garba's AI policy addendum covering AI processing, sub-processors, and customer commitments. Request access and we'll send you the latest version.
Section 08
Incident response & breach notification
48 hours
Notification to affected customers of a confirmed personal data breach.
72 hours
Notification to the Swedish supervisory authority (IMY) of a reportable breach, where required.
Response plan
We maintain a documented incident response plan covering detection, containment, eradication, recovery and post-incident review. Plans are tested and updated regularly.
How customers are notified
Email to the registered security contact, plus in-app notifications. Updates continue until the incident is closed.
Communication channel
support@garba.ai for all incident-related communication.
Post-incident reports
Detailed post-incident reports made available to affected customers, including root cause and remediation steps.
Section 09
Frequently asked questions
Section 10
Contact & vulnerability disclosure
Get in touch
For any question — security, privacy, procurement, InfoSec questionnaires, vulnerability reports, or anything not covered on this page — email us. 90-day coordinated disclosure for vulnerabilities; we won't pursue legal action against good-faith researchers.
support@garba.ai
Supervisory authority
Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) — the competent supervisory authority for Garba AI AB.
www.imy.se