Data Sovereignty & Security

Last updated: 17 June 2026

This page explains where your data is stored, how it is protected, and how we keep each customer’s data separate. It complements our Privacy Policy and Terms of Service.

Where your data is stored

All customer personal data — your leads (names, emails, phone numbers), conversations, and message content — is stored at rest in the United Kingdom, in our managed PostgreSQL database hosted in the AWS Europe (London) region (eu-west-2). Automated backups are stored in the same UK region.

Our application servers run in London. We do not store customer personal data outside the UK.

Encryption

  • In transit: all connections use TLS.
  • At rest: the database and its backups are encrypted at rest (AES-256) at the storage layer.
  • Credentials: OAuth tokens for your connected Meta, Google, and WhatsApp accounts are additionally encrypted at the application layer using AES-256-GCM before they are written to the database, so they are never stored in plain text.

Tenant isolation

MYÜTIK is a multi-tenant service running on shared infrastructure. Every record belongs to exactly one customer account, and every request is authenticated and scoped to the account it belongs to, so one customer can never read or write another customer’s leads, conversations, or settings. Administrative access is restricted to authorised staff and is verified against server-side roles on every request.

How we use your data — no cross-customer training

Your data is used only to operate the service for you. Your leads, conversations, and brand intelligence are never pooled with other customers’ data, and are never used to train or improve models or agents that serve other customers. All optimisation and “learning” the platform performs is isolated to your own account.

Sub-processors & AI processing

To generate agent replies, conversation content is processed by our AI sub-processors. This is processing, not storage — they do not retain your data as a system of record, and under their terms they do not use API content to train their models:

  • Anthropic (Claude) — generates agent responses.
  • Together AI — generates text embeddings used for retrieval.

Where these providers process data outside the UK/EU, that transfer is governed by Standard Contractual Clauses. A current list of sub-processors is maintained in our Privacy Policy.

Retention & deletion

We retain your data for as long as your account is active. You can request export or deletion of your data at any time, and we will delete it as described on our Data Deletion page. When you disconnect a platform integration, we stop processing data from that integration.

Data Processing Agreement

For business customers we offer a Data Processing Agreement (DPA), including a commitment to notify you of a personal-data breach without undue delay. Contact us to put one in place.

Contact

Questions about security or data handling? Email support@myutik.com.