Data Protection and Security

Data protection is not an afterthought for us — it is a fundamental attitude that shapes every project from the outset. Our experience with international regulations enables us to deploy cutting-edge technologies securely and in compliance with the law.

Data protection is not a compliance checkbox that gets ticked off at the end of a project. It is a design principle that influences architecture, technology choices, and development processes from the very first line of code.

At Parlant GmbH, we work with clients who handle personal data, health data, financial data, and trade secrets. This requires not only technical competence, but also a deep understanding of the regulatory landscape. We operate at the intersection of both.

The Regulatory Framework

Our clients are primarily subject to European data protection law. A solid understanding of the applicable regulations is the prerequisite for every architecture decision we make:

GDPR (General Data Protection Regulation) — The central regulation for personal data in the European Union. We design systems with privacy by design and privacy by default — data minimisation, purpose limitation, and technical safeguards are built in, not bolted on.

HIPAA (Health Insurance Portability and Accountability Act) — For clients in the healthcare sector, particularly those with US connections, we are familiar with the specific requirements of HIPAA regarding the protection of health data.

US CLOUD Act — A contentious regulation that gives US authorities access to data stored by US companies — regardless of the physical location of the data. This risk is relevant for any company using services from US hyperscalers. We advise our clients on how to evaluate this risk and, where necessary, recommend European alternatives or on-premise solutions.

How We Evaluate Providers

Not every cloud service is equally suitable for every type of data. We evaluate providers based on clear criteria:

  • Data residency — Where is the data physically stored? Which jurisdictions apply?
  • Encryption — What encryption mechanisms does the provider offer? Who controls the keys?
  • Access control — Who has access to the data — including the provider’s own staff?
  • Audit trail — Can all accesses be fully traced?
  • Certifications — ISO 27001, SOC 2, C5 — which certifications does the provider hold, and what do they actually cover?

This evaluation is not a one-off exercise but an ongoing process. Regulatory requirements change, providers adjust their terms, and new alternatives emerge. We keep our clients informed.

Data Protection in Our Development Process

Data protection is embedded into our development process, not added afterwards:

  1. Architectural review — Every new feature is assessed in terms of which data is processed, where it is stored, and who has access to it.
  2. Data minimisation — We collect only the data that is actually needed. Fields that are “nice to have” do not get built.
  3. Encryption by default — Sensitive data is encrypted at every layer — in transit, at rest, and where applicable at the application level. Details are described in our encryption article.
  4. Access control — We implement role-based access control (RBAC) with the principle of least privilege. Every access is logged.
  5. Documentation — Data processing activities, security measures, and architecture decisions are documented and handed over to the client’s team.

For Whom Is This Relevant?

Every company that processes personal data — and that includes nearly every company — needs a data protection strategy. Our expertise is particularly in demand in these areas:

  • Public sector — Formfix processes application data for public-sector authorities. The highest standards of data protection apply here.
  • Healthcare — Health data is among the most sensitive categories. We build systems that meet these requirements.
  • E-Commerce and Retail — Customer data, payment data, transaction histories — all regulated and all requiring protection.

We find the right solution for every situation and every combination of data types — whether personal data, health data, or trade secrets. The combination of regulatory understanding and technical depth enables us to arrive at the right architecture quickly, efficiently, and above all securely.