Back to Trust & Security

Claims register

Version: v1.0

Last updated: 13.07.2026

Next review: 01.10.2026

This document is Lyyli's official claims register. It defines the scope of security, privacy, and architecture-related claims and their possible technical exceptions. The register gives IT teams and legal reviewers a transparent, detailed view of the product's current state and contractual boundaries.

Primary application data for Lyyli customer workspaces is stored and processed in the EU region.

Scope: Workspace storage, Supabase database, and primary application database.

Exceptions: AI processing, user authentication metadata, email delivery, system analytics, and certain subprocessors may process data outside the EU/EEA as documented in the vendor register and DPA.

Selected AI routes use Zero Data Retention (ZDR) settings.

Scope: AI routes via the OpenRouter gateway and direct AI partners.

Exceptions: Zero Data Retention settings do not automatically cover Lyyli's own workspace storage, real-time web search, image generation, meeting recordings, or abuse monitoring logs. Detailed route-specific retention, training, and exception policies are documented in our separate AI model register.

Customer content is not used to train AI models.

Scope: AI integrations and AI processing routes.

Exceptions: Providers' possible legal exceptions and abuse monitoring practices depend on the customer's selected route and that provider's own contractual terms.

Data is protected in transit and at rest in line with industry standards.

Scope: Application layer and infrastructure layer.

Exceptions: The system does not use end-to-end encryption. The Lyyli application and infrastructure services we use process plaintext data to deliver the service and enable workflows.

Customer content deleted from the active system is removed without undue delay.

Scope: Lifecycle of customer-produced content and manual deletion.

Exceptions: Security logs, audit trails, and legal exceptions are retained on a separate, protected schedule. Copies of deleted data may remain in automated backups for a limited period before being overwritten.

Information security practices (ISMS) are developed in line with the ISO 27001 framework.

Scope: Organisational security governance and controls.

Exceptions: Lyyli does not currently hold formal ISO 27001 certification. Certification under the standard is a future development goal and does not describe the system's current state.

Our claims register describes openly and precisely what our security commitments mean in practice, their technical scope, and their identified exceptions.