Security: built for controlled and traceable data handling
Data imports involve some of your most sensitive assets. Customer records, financial data, operational feeds — these are not just files. They are business-critical information that passes through your systems multiple times a day.
WeTransform is built with security as a foundation, not a feature. Every step of the import process — ingestion, mapping, transformation, output — is designed to keep data controlled, traceable, and protected.
EU-hosted, Hetzner infrastructure
All data processed by WeTransform is hosted exclusively in the European Union, on Hetzner infrastructure. There is no data transfer outside the EU, no multi-region routing to non-EU zones, and no dependency on US-based cloud providers.
For companies operating under GDPR obligations, this matters. Your data stays where your compliance framework expects it to stay.
Encrypted in transit and at rest
All data transmitted to and from WeTransform is encrypted using TLS. Data stored on our infrastructure is encrypted at rest. This applies to every file, every payload, and every configuration — without exception.
There is no unencrypted path into or out of WeTransform.
Your data, deleted on your schedule
By default, files and processed data are deleted after 30 days. This is not a fixed policy you have to accept. You control the retention window directly from your account settings — you can shorten it to match your internal data handling policies, or extend it if your workflow requires it.
Data that has reached its retention limit is deleted automatically, without manual intervention required on your side.
Role-based access, environment isolation
WeTransform enforces role-based access control across your organization. Users only see and can act on what their role permits. Mappings, configurations, and data flows are separated by environment, so staging and production data never mix.
Access to incoming files, transformation rules, and audit logs is controlled at the organization level, with full visibility on who has access to what.
Full audit trail on every import
Every file received, every transformation applied, and every output generated is logged. WeTransform provides a complete audit trail so you can answer the three questions that matter in any data incident: what was processed, how it was transformed, and when and by whom.
This level of traceability is not just useful for internal reviews — it is often required for enterprise procurement, security questionnaires, and regulatory audits.
GDPR compliant. ISO 27001 in progress.
WeTransform is fully GDPR compliant. Data is processed and stored in the EU, retention is configurable to match your obligations, and data subjects' rights are respected throughout the import lifecycle.
We are currently working toward ISO 27001 certification. This process formalizes the security practices already in place in our infrastructure and operations, and reflects our commitment to meeting enterprise security standards as we scale.
Security that works in practice, not just on paper
The most common security risks in data imports are not sophisticated attacks. They are the workarounds teams adopt when they do not have a proper system: files sent by email, ad hoc scripts with no access control, manual transfers between environments, data sitting in shared drives waiting to be processed.
WeTransform eliminates these workarounds by providing a structured import process with controlled ingestion, defined transformation rules, and clean audit trails. Security is not something you add on top of the process — it is the process.
Frequently asked questions
All data is hosted exclusively in the European Union, on Hetzner infrastructure. No data is transferred outside the EU.
By default, data is deleted after 30 days. You can configure this retention window directly in your account settings to match your internal policies.
Yes. WeTransform is fully GDPR compliant. Data is processed and stored in the EU, and retention is configurable.
Yes. Data is encrypted in transit over HTTPS/TLS, and encrypted at rest at two levels. The database itself uses AES-256 table-level encryption natively. On top of that, sensitive fields (personal data, emails, billing info, integration secrets, 2FA credentials) are encrypted at the application layer with AES-256-CBC before being written, so the database never sees them in plaintext. For fields that need to be searchable (like emails), we use blind indexes based on HMAC-SHA256 to support exact-match queries without decryption.
We are currently working toward ISO 27001 certification, which formalizes our existing security practices. We are happy to provide a security questionnaire or documentation for enterprise procurement processes.
Ready to handle imports securely?
Book a demo and we will walk you through our security architecture in detail.