Autm

Data Retention Policy

Last Updated: 25th February 2026
Applicable Law: UK GDPR, EU GDPR, Data Protection Act 2018

Version 1.1

Autm implements time-bound AI memory. Operational context is retained, but personal identifiers can be revoked at any time.

1. Introduction

This Data Retention Policy explains how Autm Ltd (“Autm”, “we”, “us”, “our”) retains, reviews, and securely deletes personal data processed through the Autm platform.

This policy has been developed in accordance with:

  • UK General Data Protection Regulation (UK GDPR)

  • EU General Data Protection Regulation (EU GDPR)

  • Data Protection Act 2018

Autm operates an AI-enabled operational intelligence platform. Data retention is governed by principles of data minimisation, storage limitation, purpose limitation, and privacy by design.

2. Scope

This policy applies to all personal data processed:

  • Through the Autm platform

  • In connection with user accounts

  • Within customer workspaces

  • Through AI-assisted functionality

  • In operational logging and monitoring systems

This policy applies to employees, contractors, systems, and third-party processors acting on Autm’s behalf.

3. Roles and Responsibilities

3.1 Data Controller and Data Processor Status

Autm operates in different capacities depending on the context of processing.

Autm as Data Controller

Autm acts as Data Controller in relation to:

  • User account administration

  • Platform security and monitoring

  • Subscription billing and financial administration

  • Legal and regulatory compliance


Autm as Data Processor

Autm acts as Data Processor for:

  • Workspace operational data

  • AI interactions conducted on behalf of customer organisations

  • Integration data processed within customer workflows

Customer organisations remain Data Controllers for data processed within their workspaces.


3.2 Data Protection Contact

All data protection queries, including rights requests, may be directed to:

Email: support@autm.ai
Registered Address: Little Wood House, Linley, Bishop’s Castle, Shropshire SY9 5HP

Autm will appoint or designate a responsible person for data protection oversight in accordance with UK GDPR requirements.


4. Lawful Basis for Processing

Autm processes personal data under the following lawful bases:

Contractual Necessity (Article 6(1)(b))

  • Providing access to the Autm platform

  • Executing AI-driven workflows

  • Operating integrations

Legitimate Interests (Article 6(1)(f))

  • Platform security

  • System performance monitoring

  • Service improvement

  • Fraud prevention

Legal Obligation (Article 6(1)(c))

  • Financial record retention

  • Tax compliance

  • Regulatory obligations

Consent (Article 6(1)(a)), where applicable

  • Optional features requiring explicit consent

Where special category data is processed, additional safeguards and lawful bases under Article 9 GDPR apply.

5. Sub-Processors and Third-Party Services 

Autm uses carefully selected third-party service providers to deliver secure and reliable services. These providers process data under binding contractual agreements incorporating GDPR-compliant safeguards.

Current sub-processors include:

Stripe

  • Payment processing and subscription billing

  • Stripe acts as an independent payment processor

  • Autm does not store full payment card numbers or sensitive payment credentials

Microsoft Azure

  • Cloud infrastructure hosting

  • Application monitoring

  • Secure storage services

  • Azure Key Vault for cryptographic key management

OpenAI

  • Large Language Model (LLM) inference services

  • AI text generation and reasoning support

OpenAI processes data strictly for the purpose of providing inference services and does not use customer data to train public models where data processing agreements specify such restrictions.

Autm may update or replace AI model providers in the future. Any such provider will be subject to equivalent data protection safeguards and contractual controls.

Autm maintains a current sub-processor list available upon request.

Autm does not use third-party identity management providers. User authentication and identity management are handled internally using ASP.NET Core Identity (.NET Identity) within Autm’s secured infrastructure.

Where sub-processors operate outside the UK or EEA, appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions are implemented.

6.1 User Account Data

Examples:

  • Name

  • Email address

  • Username

  • Role and workspace association

  • Authentication identifiers

Authentication and access control are managed internally using ASP.NET Core Identity.

Passwords are:

  • Hashed using industry-standard cryptographic algorithms

  • Never stored in plaintext

  • Protected using salted hashing

Retention:

  • Retained for the duration of the active account

  • Deleted within 30 days of confirmed account closure unless legal obligations require otherwise

Justification:

Required to fulfil contractual obligations, maintain platform security, and enforce role-based access controls.

6.2 Workspace Operational Data

Examples:

  • Workflows

  • Task records

  • Integration metadata

  • Workspace configurations

Retention:

  • Maintained during an active workspace lifecycle

  • Permanently deleted within 30 days of confirmed workspace deletion

Justification:

Necessary for operational continuity and service provision.

6.3 AI Interaction Data

AI interaction data (including prompts and responses) may be processed through third-party LLM providers such as OpenAI.

Where feasible:

  • Personal identifiers are tokenised prior to transmission to AI providers.

  • Only data necessary for inference is transmitted.

  • AI providers process data solely for inference purposes under contractual restrictions.

Retention:

  • AI interaction data stored within Autm systems is retained for 90 days by default (configurable by workspace administrator).

  • Data processed by third-party AI providers is subject to their retention policies as governed by contractual agreements.

6.4 Long-Term Memory Data

Examples:

  • Persisted operational context

  • Organisational knowledge

Retention:

  • Retained until user removal or automated review after 12 months

Memory entries include metadata identifying:

  • Owner

  • Scope

  • Sensitivity classification

  • Retention review date

6.5 Personal Identifiers (Tokenised Data)

Personal identifiers such as names, emails, and phone numbers may be tokenised before AI processing.

Retention:

  • Stored in encrypted mapping tables

  • Deleted upon conversation deletion, workspace deletion, or data subject erasure request

Encryption keys are securely managed through Microsoft Azure Key Vault with strict access controls and auditing.


6.6 Payment and Financial Records

Payment information is processed by Stripe. Autm does not store full payment card numbers.

Financial records retained by Autm:

  • Transaction summaries

  • Invoices

Retention:

  • Retained for 6 years in accordance with UK tax law

6.7 System Logs and Monitoring Data

Examples:

  • Error logs

  • Security logs

  • Performance telemetry

Retention:

  • 30 to 90 days, depending on operational necessity

Logs are designed to minimise personal data inclusion wherever possible.

7. Data Deletion and Erasure

Deletion is implemented in two stages:

Stage 1 – Logical Deletion

  • Data marked as deleted

  • Immediately inaccessible to users

Stage 2 – Permanent Deletion

  • Data is permanently removed within 30 days

  • Encrypted identifiers purged from secure mapping tables

Erasure requests trigger removal across:

  • AI interaction data

  • Memory systems

  • Associated identifiers

8. International Data Transfers

Some sub-processors, including AI model providers such as OpenAI, may process data outside the United Kingdom or the European Economic Area.

Where international transfers occur, Autm ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs)

  • UK International Data Transfer Addendum

  • Adequacy decisions where applicable

  • Additional technical safeguards, such as encryption and tokenisation

Autm implements data minimisation and redaction controls prior to external AI processing where feasible.

9. Security Measures

Autm applies technical and organisational measures, including:

  • Encryption in transit (TLS)

  • Encryption at rest

  • Cryptographic key management via Microsoft Azure Key Vault

  • Role-based access control

  • Authentication and identity management using ASP.NET Core Identity

  • Secure password hashing and credential protection

  • Secure payment processing via Stripe

  • Monitoring and audit logging

  • Secure development lifecycle practices

Access to personal data is restricted to authorised personnel on a need-to-know basis.

10. Automated Processing and AI Functionality 

Autm provides AI-assisted features that may involve automated processing through third-party LLM providers.

Safeguards include:

  • Human oversight capabilities

  • Confirmation prompts for sensitive actions

  • Role-based restrictions

  • Audit logging of AI-assisted decisions

  • Tokenisation of personal identifiers where appropriate

Autm does not permit customer data to be used for training public AI models unless explicitly agreed in writing.

11. Data Subject Rights

Individuals have the right to:

  • Access their personal data

  • Request rectification

  • Request erasure

  • Restrict processing

  • Object to processing

  • Data portability (where applicable)

Individuals also have the right to lodge a complaint with:

  • The UK Information Commissioner’s Office (ICO)

  • The relevant EU supervisory authority

12. Policy Review

This policy is reviewed annually or following material changes in:

  • Platform architecture

  • Regulatory framework

  • Sub-processor arrangements


© 2025, Autm Limited. All Rights Reserved.

Company number 16543162

Little Woodhouse, Linley, Bishop's Castle, Shropshire, SY9 5HP

© 2025 NVIDIA, the NVIDIA logo, are trademarks and/or registered trademarks of NVIDIA Corporation in the U.S. and other countries.

