Compliance, ready to review
Built for EU GDPR and UK GDPR. Amaigo is the data processor; you are the controller. Everything your DPO needs to sign off, in one place, with no gated portal.
Personal data is hosted in the EU (application and database in Amsterdam, site in Frankfurt). Free-text chat is redacted before AI processing, and the AI provider is contractually barred from training on it.
Legal agreements
The contractual stack. The DPA applies automatically with every plan; a signable client-specific copy comes with onboarding.
Terms of Service
v2.0Commercial terms, incorporating the DPA, AUP, SLA and AI Transparency Notice.
Updated 2026-07-08
Data Processing Agreement
v2.0Article 28 controller-processor terms with processing, security and UK Addendum annexes.
Updated 2026-07-08
Acceptable Use Policy
v1.0Prohibited uses, including AI-specific rules that keep deployments out of high-risk territory.
Updated 2026-07-08
Service Level Agreement
v1.099.5% monthly availability target, exclusions, credits and claim procedure.
Updated 2026-07-08
Privacy
How personal data is handled across the Amaigo site and every Whistle deployment.
Privacy Policy
v2.0Lawful bases, the controller-processor split, transfers, retention and your rights.
Updated 2026-07-08
Cookie Notice
v2.0No tracking cookies; every widget storage key listed with purpose and lifetime.
Updated 2026-07-08
Consent Notice
v2.0The exact consent wording visitors see in the widget, tier by tier.
Updated 2026-07-08
Data Subject Requests
v2.0How data-subject requests are routed, verified and fulfilled.
Updated 2026-07-08
Data Retention Policy
v2.0Retention periods per record type, enforced by automated purge.
Updated 2026-07-08
AI and transparency
Built for EU AI Act Article 50 and for law firms' confidentiality duties.
AI Transparency Notice
v1.0What the AI does and does not do, AI disclosure, provider terms, and privilege positioning for law firms.
Updated 2026-07-08
Sub-processors
v2.0Every sub-processor with location, data involved and transfer mechanism. AI providers flagged.
Updated 2026-07-08
Subprocessor Change Notification Policy
v1.030 days' advance notice of sub-processor changes, with an objection right.
Updated 2026-07-08
Security
EU-hosted, privacy by design, and pre-answered due diligence for your vendor review.
Security Overview
v2.0Hosting map, encryption, application security and operations, on one page.
Updated 2026-07-08
Security Questionnaire
v1.0Around 40 pre-answered questions mapped to legal-ethics vendor vetting.
Updated 2026-07-08
Breach Response
v2.0Incident runbook with a 48-hour controller notification commitment.
Updated 2026-07-08
For your DPO
Templates your firm can complete for its own records, pre-filled with Whistle's details.
DPIA Template
v2.0DPIA template with AI-specific risks and mitigations pre-filled.
Updated 2026-07-08
Transfer Risk Assessment (TRA)
v1.0Transfer risk assessment for the AI sub-processor, six-step EDPB structure.
Updated 2026-07-08
Records of Processing (ROPA)
v2.0Article 30 records template, controller and processor rows.
Updated 2026-07-08
Client Onboarding SOP
v1.0Exactly how new clients are onboarded, compliance step by step.
Updated 2026-07-08
Stay informed of changes
Every document is versioned; the change log is the canonical record, and clients get 30 days' advance email notice of sub-processor changes.
Subscribe to sub-processor updatesCertification roadmap
We do not yet hold SOC 2, ISO 27001 or Cyber Essentials; they are on the roadmap as the platform matures. In the meantime the security questionnaire pre-answers the due-diligence questions those reports cover. Every document here prints cleanly to PDF for your records.