Choicely Security Overview

Last updated: April 13, 2026 • For procurement, IT, and security review

This document summarizes how Choicely protects customer data on the Choicely platform and the Choicely AI app builder (the “AI Builder”). It is intended to support customer security reviews. Detailed contractual commitments are in our Terms of Service, Privacy Policy, and Data Processing Addendum (DPA).

Service architecture

Hosted on Google Cloud Platform with regional redundancy and managed-service hardening.
Customer can choose EU or US data residency for the platform; EU is the default.
Logical separation between customers; production data is not used in development environments.
Continuous deployment with code review, automated testing, and progressive rollout controls.

Data protection

Encryption in transit using TLS 1.2 or higher for all public endpoints.
Encryption at rest in primary databases and object storage.
Pseudonymization of operational logs and AI Builder telemetry where reasonably possible.
Documented retention windows with deletion within 30 days of account closure (90 days for backups), as set out in the Privacy Policy and DPA.

Access control and authentication

Multi-factor authentication required for administrative access.
Centralized logging of administrative access and key actions.

Network and application security

Network segmentation, firewalling, and Web Application Firewall (WAF) for public endpoints.
Vulnerability scanning of production systems and software dependencies.
Periodic third-party penetration testing of high-risk components.
Secure software development lifecycle including code review and CI/CD controls.

AI Builder safeguards

Prompts and outputs are routed only to the named AI subprocessors (OpenAI, Anthropic, Google) listed at choicely.com/subprocessors.
We do not use customer prompts, outputs, or other customer content to train general-purpose models, and we contractually request that AI subprocessors apply equivalent restrictions.
AI Builder telemetry is retained in pseudonymized form for a limited period for safety, abuse prevention, and quality monitoring.
Customers are advised not to submit secrets, payment card data, or special categories of personal data through prompts unless agreed in writing.

People and process

All personnel are bound by written confidentiality obligations.
Annual security and data-protection awareness training.
Documented onboarding and offboarding procedures, including timely access revocation.
Background checks where permitted by law and proportionate to the role.

Resilience and incident response

Regular automated backups with documented restore procedures and periodic restore testing.
Documented personal-data-breach response procedures with defined roles and escalation paths.
Notification to affected customers without undue delay, as set out in the DPA.

Compliance and contracts

GDPR (EU/EEA), UK GDPR, and Swiss FADP supported through our online DPA, which includes the EU SCCs (2021/914), the UK IDTA, and Swiss adaptations.
U.S. state privacy laws (including CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA) addressed in the Privacy Policy.
Subprocessor list maintained at choicely.com/subprocessors with email-notification subscription and a 30-day change-notice window.
Bilateral DPA available for enterprise customers on request.

Customer responsibilities

Use strong passwords and enable MFA where available.
Manage workspace permissions and revoke access when team members leave.
Provide your own end-user terms and privacy notices for the apps and websites you publish, including disclosures about AI features.
Comply with applicable app-store policies (Apple App Store, Google Play) and applicable laws.
Avoid submitting secrets, payment card data, or sensitive personal data through AI Builder prompts.

Contact and resources

Security and privacy: [email protected] • [email protected]

DPA: https://www.choicely.com/dpa • Subprocessors: https://www.choicely.com/subprocessors