Privacy Notice
Last updated: March 2026
This Privacy Notice explains how DueDiligence.one handles personal data in connection with the sanction.duediligence.one prototype, related websites, demo environments, and communications.
DueDiligence.one is currently a research and technology-validation prototype. The operating company is in the process of registration. This is a prototype-stage privacy notice applicable to demonstration, pilot, and evaluation contexts only.
1. Who we are
DueDiligence.one
Company in formation · Chișinău, Moldova
Contact: hello@duediligence.one
For website operations, demo requests, and investor/grant/jury communications, DueDiligence.one acts as data controller.
For future client pilot processing, DueDiligence.one is designed to act as data processor, handling data only on documented customer instructions consistent with Article 28 GDPR.
2. What data we may process
Depending on the context, we may process:
Identity and contact data
Name, email address, organisation, role, phone number.
Account and access data
User identifiers, session data, authentication metadata.
Uploaded materials (prototype/pilot use)
Documents, structured forms, PDFs, ownership records, cap tables, and similar files submitted for demonstration or evaluation.
Screening-related data
Entity names, aliases, company identifiers, beneficial ownership chains, sanctions match data, risk signals, and audit records generated during prototype screening workflows.
Technical data
IP address, browser and device metadata, access logs, timestamps, and security events.
The prototype may also process data obtained from official public sources including sanctions lists, public registers, and machine-readable public datasets, strictly within the terms of those sources.
3. Why we process this data
We process personal data to:
- operate the website and respond to enquiries
- schedule demos, pilot calls, investor discussions, and grant conversations
- operate the prototype screening and analysis workflows
- maintain security and technical functionality
- keep logs and audit records proportionate to the prototype context
- prepare for future commercial and contractual onboarding
4. Legal bases
We rely on:
- Legitimate interests — for website operation, security, and evaluation communications
- Pre-contractual steps — where a demo, pilot, or commercial discussion is requested
- Consent — where specifically required for optional activities
Moldova's current framework is Law No. 133/2011. The new Law No. 195/2024 enters into force on 23 August 2026, aligning Moldova's data protection standards with GDPR.
5. AI services and cloud infrastructure
The prototype uses AI and cloud services that may process submitted data. These may include offerings from Anthropic, Google, AWS, xAI, and others, depending on the deployment environment.
Where applicable:
- Anthropic's terms state it may not train models on customer content from its commercial services
- Google Cloud offers configurable zero-data-retention options for Vertex AI subject to service-specific settings
- AWS Bedrock processes data within the configured region
Any such use is subject to the relevant provider's own terms and data processing documentation. Our primary infrastructure posture targets AWS eu-central-1 (Frankfurt) with EU data residency.
6. Retention
At prototype stage, our approach is minimal and proportionate:
- Session and workspace data: short-lived, with TTL-based deletion
- Contact and communication data: retained only as long as needed
- Audit logs: retained for security and accountability purposes
- Screening outputs: not retained beyond the demonstration session where technically implemented
7. Security
We apply technical and organisational measures including:
- Role-based access control
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Per-environment key management (AWS KMS where applicable)
- Audit logging and access monitoring
- RFC 3161 timestamped report records
8. No decision-use
Any output generated by the prototype must not be used for legal, compliance, investment, onboarding, lending, procurement, or any other operational decision without independent human review and, where relevant, qualified legal advice.
9. Your rights
Where applicable, you have rights of access, rectification, erasure, restriction, portability, and objection.
Requests: hello@duediligence.one
Supervisory authorities:
- Romania: ANSPDCP
- Moldova: CNPDCP
10. Updates
This Notice will be updated as the company progresses from prototype to registered operating entity and from pilot to production.