Designed for regulated industries
ISO 27001, GDPR by design, AI Act compliant, EU data hosting. Modulario meets the strictest requirements of banks, insurers, healthcare, and public administration.
Security at every level
ISO 27001 certification
Modulario is operated by AMCEF s.r.o., certified to ISO/IEC 27001 (information security management) and ISO 9001 (quality management). Certificates available on request.
EU data hosting
Your data is hosted in certified EU data centers with guaranteed data residency. No data leaves the EU — relevant for regulated sectors, banks, healthcare, and public administration.
GDPR by design
Modulario is designed in line with GDPR from the ground up. Data Processing Agreement (DPA), data subject rights (access, rectification, erasure, portability), processing records, DPIA — all automated in the system.
AI Act compliant
Modulario is AI Act compliant by design (EU 2024/1689): transparency of AI systems, human oversight, an AI decision audit log, and exclusion of prohibited practices. Intended for AI-heavy use cases in regulated industries.
Granular permissions (OpenFGA)
Modulario uses a Google Zanzibar-style ReBAC model (OpenFGA) — the most granular permission system in the low-code category. Roles, groups and policies can be defined at the module, record, field and action level.
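To make the relationship-based model concrete, here is an added, self-contained illustration of how a Zanzibar-style check resolves a permission over module, record, field and action levels. It is example code written for this page, not Modulario's implementation and not the OpenFGA library; the type names, relations and the sample users, groups and objects are all constructed assumptions.

```python
"""Minimal Zanzibar-style relationship check (illustrative, not OpenFGA itself).

Relationship tuples have the shape (object, relation, subject). A subject is
either a concrete user ("user:alice") or a userset ("group:finance#member"),
which expands to everyone holding that relation on that object.
"""

# Assumed authorization model. A relation on a type can be assigned directly,
# be implied by a stronger relation on the same object ("implied_by"), or be
# inherited from the parent object ("from_parent", following the "parent" tuple).
MODEL = {
    "group": {
        "member": {},
    },
    "module": {
        "admin": {},
        "editor": {"implied_by": ["admin"]},
        "viewer": {"implied_by": ["editor"]},
    },
    "record": {
        "parent": {},
        "owner": {},
        "editor": {"implied_by": ["owner"], "from_parent": "editor"},
        "viewer": {"implied_by": ["editor"], "from_parent": "viewer"},
        # an action modelled as a relation: delete needs the record owner
        # or an admin of the enclosing module
        "can_delete": {"implied_by": ["owner"], "from_parent": "admin"},
    },
    "field": {
        "parent": {},
        "editor": {"from_parent": "editor"},
        "viewer": {"implied_by": ["editor"], "from_parent": "viewer"},
    },
}

# Constructed sample tuples: an "invoices" module, one record in it, and one
# sensitive field on that record with its own field-level grant.
TUPLES = [
    ("module:invoices", "admin", "user:alice"),
    ("module:invoices", "viewer", "group:finance#member"),
    ("group:finance", "member", "user:bob"),
    ("record:invoices/1042", "parent", "module:invoices"),
    ("record:invoices/1042", "owner", "user:carol"),
    ("field:invoices/1042.iban", "parent", "record:invoices/1042"),
    ("field:invoices/1042.iban", "editor", "user:dave"),
]


def _parents(tuples, obj):
    """Objects that `obj` inherits from via its 'parent' relation."""
    return [s for (o, r, s) in tuples if o == obj and r == "parent"]


def check(tuples, user, relation, obj, _depth=0):
    """Return True if `user` holds `relation` on `obj` under MODEL."""
    if _depth > 16:  # guard against cyclic tuples or models
        return False
    obj_type = obj.split(":", 1)[0]
    rule = MODEL.get(obj_type, {}).get(relation)
    if rule is None:  # relation not defined for this type
        return False
    # 1. direct assignment, expanding usersets such as group:finance#member
    for o, r, subject in tuples:
        if o != obj or r != relation:
            continue
        if subject == user:
            return True
        if "#" in subject:
            uset_obj, uset_rel = subject.split("#", 1)
            if check(tuples, user, uset_rel, uset_obj, _depth + 1):
                return True
    # 2. implied by a stronger relation on the same object
    for stronger in rule.get("implied_by", []):
        if check(tuples, user, stronger, obj, _depth + 1):
            return True
    # 3. inherited from the parent object
    parent_rel = rule.get("from_parent")
    if parent_rel:
        for parent in _parents(tuples, obj):
            if check(tuples, user, parent_rel, parent, _depth + 1):
                return True
    return False


if __name__ == "__main__":
    for user, rel, obj in [
        ("user:alice", "viewer", "field:invoices/1042.iban"),  # via module admin
        ("user:bob", "viewer", "record:invoices/1042"),        # via group userset
        ("user:bob", "editor", "record:invoices/1042"),        # viewer only
        ("user:dave", "viewer", "record:invoices/1042"),       # field grant does not leak upward
        ("user:carol", "can_delete", "record:invoices/1042"),  # owner action
    ]:
        print(f"{user} {rel} {obj}: {check(TUPLES, user, rel, obj)}")
```

The point to notice is the last two checks: a grant on a single field (dave) gives nothing on the record or module it belongs to, while an action such as `can_delete` is just another relation that the model resolves through the same inheritance rules.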
SSO & SCIM
Single Sign-On via SAML 2.0 and OIDC, automatic user provisioning via SCIM 2.0. Integration with Azure AD, Okta, Google Workspace, ADFS.
Audit log
A complete record of who did what, when, and from where in the system. Tamper-proof and exportable for auditors, meeting the requirements of SOX, SOC 2 and banking regulators.
Backups & Disaster Recovery
Daily incremental backups, weekly full backups. Geo-redundant storage in two EU locations. Recovery point objective (RPO) 24 h and recovery time objective (RTO) 4 h, both backed by the SLA.
Encryption in transit and at rest
TLS 1.3 for data in transit, AES-256 for data at rest. Customer-managed encryption keys (CMEK) on request.
Available on request
- ISO 27001 certificate (AMCEF)
- ISO 9001 certificate (AMCEF)
- Data Processing Agreement (DPA) — SK/EN
- Business Continuity Plan (BCP)
- Disaster Recovery Plan (DRP)
- Security Whitepaper
- Penetration test summary (under NDA)
- Due diligence questionnaire (CAIQ/SIG Lite)
Frequently asked questions
Can I get a Data Processing Agreement (DPA) to sign?
Yes — a standard DPA is available for download to all customers. For Enterprise customers we also offer customized DPAs tailored to your internal requirements. Contact us for the latest version.
Where is our data physically stored?
Data is stored in certified data centers within the EU (multiple locations — e.g., Germany, Italy) with geo-redundancy. Data never leaves the EU. For clients in regulated industries, on-premise deployment at the client site is also available.
Who owns the data in Modulario?
Your data remains yours — AMCEF is only a processor, not a controller. You can export your data at any time (CSV, JSON, SQL dump). At contract termination you have a 30-day window to export, after which the data is irreversibly deleted per GDPR Art. 17.
How often do you run penetration tests?
External penetration tests are performed at least once a year by an independent security firm. Internal code reviews and SAST/DAST scanning are part of every release. We provide a pentest summary report under NDA.
Can we have a dedicated cluster / self-host?
Yes. Enterprise customers can have a dedicated cluster (single tenant per cluster) in our cloud infrastructure, or an on-premise self-hosted deployment. We also technically support hybrid scenarios (some in cloud, some on-prem).
What is your incident response process?
We classify security incidents per ISO 27035 (P1–P4). For P1 incidents (data breach), we are required to notify the customer within 24 hours and the supervisory authority within 72 hours per GDPR Art. 33. Details are in the SLA documentation.
Do you have SOC 2 certification?
SOC 2 Type II is in progress (planned for 2026 Q3). We currently hold ISO 27001 and ISO 9001, which cover most of the same control areas. For US enterprise customers, we provide a completed due diligence questionnaire (CAIQ/SIG Lite) at the same level of detail.
How is AI usage handled with respect to GDPR and the AI Act?
Modulario's AI features are built around five safeguards: (1) the LLM provider is the customer's choice (OpenAI, Anthropic, Azure, self-hosted Llama/Mistral); (2) customer data is not used to train models; (3) human-in-the-loop review for critical decisions; (4) an AI audit log; (5) the option to fully disable AI features per tenant.
Questions about security or compliance?
Our Security & Compliance team replies within 24 hours on business days.
Book a consultation