strategicOS POLICY
Your Information working with AQUANTO.
Data protection is a top priority for us as a Switzerland-based company. That is why we implement controls to ensure your information remains protected and confidential throughout our collaboration.
This strategicOS Policy applies to all data that we process in connection with our platform services and tools on behalf of our clients. It applies to our platform environment (primarily hosted on Miro and Notion) and other integrated third-party tools. It does not apply to the personal data that AQUANTO collects as a data controller.
A separate Privacy Policy explains how AQUANTO manages personal data as a controller.
Last update: 11 August 2025
A-QUANTO AG (hereinafter AQUANTO) is committed to the protection, confidentiality and privacy of the information and data entrusted to us, and we take appropriate measures to ensure that we comply with the applicable data protection regulations.
Our clients are responsible for complying with any regulations or laws applicable to them. This includes notifying, disclosing, and/or obtaining consent from individuals prior to transferring personal data to AQUANTO for processing.
We regularly review and update this policy and our measures to adapt to changing or new requirements. We publish the latest version on our website and recommend you read it periodically.
Our products and services
With AQUANTO, our clients gain insights into their business and can make better decisions and maximise their impact and progress towards their goals. Our clients can use AQUANTO tools to upload and structure information, access online frameworks, and use machine learning technology to validate decisions and concepts. AQUANTO and its network experts can access this information with our client's consent to provide insights and guidance as part of our offering and contractual obligations.
Collection, use and disclosure of personal data
We process data according to the instructions given to us by our clients. We instruct our clients to avoid using personal data in connection with our services unless explicitly necessary. We have no direct control over the personal data we process on behalf of our clients, and it is not our responsibility, as we act as data processors. Our clients lead compliance with all applicable laws and regulations when transferring or uploading information.
We do not share data with third parties without the express consent of our customers and never sell our clients' personal data to third parties.
Integrations with third parties
Our clients can implement interfaces to third parties on our platform. These interfaces or integrations simplify and consolidate data between clients and AQUANTO. We have no control over these integrations and interfaces implemented by our clients.
It is up to our clients, as data controllers, to ensure that the connection of third-party data processing is carried out in accordance with the legal requirements. We are not responsible for the collection, use, monitoring, storage, or disclosure of personal data by these third parties, and we encourage you to read their privacy policies and ask questions about their privacy practices as they relate to you.
Security and confidentiality of personal data
We use various security technologies and procedures to ensure the security and confidentiality of personal data. These procedures are designed to protect personal data from unauthorised access, use, damage or disclosure. We protect personal data using encryption, security certificates or strong multi-level authentication procedures. Additionally, appropriate physical, technical and organisational measures protect all personal data.
We cannot accept responsibility for external websites (including those of our clients), third-party content, or links to this information on our website, products, or services.
Storage of personal data
We retain personal data for as long as necessary for the purposes for which it was collected. We may also retain non-sensitive personal data beyond this period to stay in touch with you and fulfil products, services, or other contractual obligations. We generally delete personal data when we no longer need it and any statutory retention period has expired.
Third-party data storage and processing
Our strategicOS leverages several third-party technologies (subprocessors) to provide a seamless and secure experience. The primary environments for our strategicOS are Notion and Miro, which host and store client data on Amazon Web Services (AWS) infrastructure. In addition, we use services like Cloudflare (for secure content delivery and networking), Sentry (for error monitoring), Google Workspace, and Miro (for interactive collaboration) as integrated subprocessors to support the strategicOS's functionality. We ensure all these providers are contractually bound to strict data protection terms and meet high security standards. For example, Miro is employed to enable real-time collaborative whiteboard sessions within our strategicOS offerings. Miro maintains strong security controls: data in Miro is encrypted during transit and at rest, and access to boards is governed by role-based permissions. Miro is also compliant with GDPR and other privacy regulations, and it does not disclose user data to third parties for its own purposes. All subprocessors we engage (including Notion and Miro) undergo due diligence and are subject to ongoing monitoring to ensure they uphold the confidentiality and integrity of our clients' data. We do not share any platform data with third parties except as needed to operate the service and as authorised by our clients. (Policy Notion) (Security & Privacy Notion) (DPA Notion) (Privacy Miro) (Security Miro) (GDPR Miro)
Use of AI Services (OpenAI and Anthropic)
To enhance our strategicOS's capabilities, we integrate generative AI services from OpenAI and Anthropic. These AI tools (such as OpenAI's GPT models and Anthropic's Claude) are used to provide features like research, analytics, intelligent recommendations and content validation within the strategicOS. Any data sent to these AI models is processed solely for the purpose of generating the requested output and is not used to train the providers' models. In practice, when a client uses an AI-powered feature, the relevant information (e.g. a text prompt or query) is transmitted securely to the AI provider's API, and a response is returned. OpenAI and Anthropic do not retain or use our prompts or outputs to improve their general AI beyond this temporary processing. By default, OpenAI may retain API request data for a short period (up to 30 days) to monitor for abuse and ensure service quality, after which it is automatically deleted from their systems. Anthropic similarly implements limited retention for API interactions and does not store conversation content long-term by default. Importantly, we offer a Zero-Data-Retention option upon client request: if enabled, both OpenAI and Anthropic will not retain any of your data at all after generating the AI output. In this mode, prompts and responses are immediately erased from the AI providers' servers once the interaction is complete. Whether by default or in zero-retention mode, your data is never used to train OpenAI's or Anthropic's models. We also remove or anonymise personal data beyond what is necessary in these AI requests. All communications with the AI services are encrypted in transit to protect confidentiality. In summary, when using our platform's AI features, you can do so with the confidence that we have applied all measures possible to ensure your data remains private and under strict control, and that no AI provider will use it for any purpose other than delivering the service to you. 
(Policy Anthropic) (API Anthropic) (Privacy Policy OpenAI) (Enterprise Privacy OpenAI) (API OpenAI)
Continued GDPR Compliance and Data Protection
We regularly review and update our platform's data protection measures to align with evolving regulations and best practices. Notion, Miro, OpenAI, Anthropic, and our other subprocessors each affirm strong commitments to privacy, including adherence to the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection. Notion, for example, offers a comprehensive DPA and utilises Standard Contractual Clauses to lawfully transfer data internationally, and it employs encryption and access controls to safeguard all client content. Similarly, Miro's infrastructure is SOC 2 Type II audited and runs on secure AWS data centres, and Anthropic and OpenAI maintain SOC 2 compliance and industry-leading security protocols for their AI services. All personal data processed on our platforms remains under our control as the data processor, and we act only on our clients' instructions when handling that data. We do not use or disclose any client data for our own purposes or to unauthorised parties. In the event that a client chooses to integrate additional third-party tools with our strategicOS, we will work with them to ensure those tools meet necessary privacy requirements, though the client as data controller bears responsibility for such integrations. Our commitment is to full transparency and strict data confidentiality at every stage of processing. If you have any questions about our platform's privacy protections, including the use of AI tools, Miro, Notion, or other subprocessors, please contact our Data Protection Officer as listed in our Privacy Policy. We will continue to update this strategicOS Policy to reflect any changes in our data processing or the addition of new subcontractors, so you remain informed about how your data is handled.
Data protection measures
Notion implements several measures to protect the confidentiality of data:
- Encryption: Data is encrypted both at rest and in transit to prevent unauthorised access.
- Access controls: Strict access controls are in place to ensure that only authorised personnel can access personal data.
- Monitoring and auditing: Continuous monitoring and regular security audits are conducted to identify and address potential vulnerabilities.
- Incident response: Notion has a detailed incident response plan to manage and mitigate any data breaches promptly. (Notion)
Subcontractors and standards
Subcontractors (or subprocessors) must adhere to the same data protection standards. They are carefully vetted for best-in-class security practices. Notion provides a list of these subprocessors and allows customers to receive notifications about new subprocessors, allowing for objections if necessary. This ensures that all third parties involved in processing data maintain the high standards set by Notion (Notion).
You can review Notion's Privacy Policy and Data Processing Addendum for more detailed information.
Contact the data protection officer
If you have any questions about this policy or our data protection practices, please use the contact information on our Privacy Policy to get in touch.