Where Your Data Lives
Messages, contacts and campaigns are stored on dedicated hardware in a German data centre, not on shared hosting. Backups and uploaded files stay in the EU too.
| What | Where it is stored |
|---|---|
| Messages, contacts, campaigns, appointments | Dedicated servers in Germany (EU) |
| Files and media sent through your channels | European Union |
| Backups | European Union |
| Account sign-in | Firebase Authentication (Google), EU regions |
| AI processing of message content | Some model providers are outside the EU. Each one is named on our sub-processors page |
The last row is the honest caveat worth repeating to a client: the conversation data lives in the EU, but generating an AI reply means sending that message text to a model provider, and some of those are US based. We name every one of them rather than bury it.
Who Can Access It
Your data is yours. We access it only to operate the service and to help you when you ask us to, for example when you report a problem with a specific conversation.
- DM Champ is run by a small team. Access to production systems is limited to the people who operate it, and is granted with SSH keys only. Password logins are switched off, so there is no password to guess or leak.
- The database is not reachable from the public internet. It accepts connections only from our own application servers.
- Your account can be protected with two factor authentication using any standard authenticator app.
- API keys are stored hashed. We cannot read your key back, which is why the app shows you only the first and last few characters after you create one.
How the Platform Is Protected
- All traffic to and from the platform is encrypted in transit using TLS.
- Cloudflare sits in front of our websites and API, providing DDoS protection and blocking malicious traffic before it reaches us.
- Repeated failed login attempts against our servers are detected and blocked automatically.
- Administrative interfaces are not exposed to the public internet. We keep the number of services reachable from outside deliberately small, and review it.
Backups and Recovery
The database is backed up every day and the last seven daily backups are kept, all stored in the European Union. Alongside those, we continuously archive the database transaction log, which means we can restore to a specific moment in time rather than only to last night's copy.
We have tested this. In a restore drill we rebuilt the database from backups to a chosen past timestamp and confirmed the result matched that moment, on isolated hardware, without touching production.
Sub-Processors and Transfers
We publish the full list of the 19 providers we rely on, what each one does, and where the data sits, at dmchamp.com/subprocessors. That page is written to be shared with a client.
Before any new provider begins processing your data, we give at least 14 days notice, and you can object. Where a provider is outside the EU, the transfer is covered by Standard Contractual Clauses, and we will provide copies on request.
Your Data, Your Rights
Our Terms already contain a full data processing agreement that meets Article 28 of the GDPR. It applies to every customer automatically and does not need to be signed to be binding.
If a client's procurement process needs a signed copy naming their own company, they can generate a counter signed one instantly at dmchamp.com/dpa. You can export your data from the app at any time, and ask us to delete your account and its data.
What We Do Not Claim
Those certifications are an audit programme that a team of our size has not undertaken. Anyone who claims them should be able to show you the report, so ask. What we can do is answer specific questions directly and honestly, including the uncomfortable ones.
If a client's security review needs a particular control described or evidenced, email us and we will tell you what is in place, and what is not.
Reporting a Security Issue
If you believe you have found a security problem, please tell us at [email protected]. We read every report and will get back to you within two business days.
We welcome good faith research and will not pursue legal action over it. Please do not run tests that degrade the service for other customers, and please do not access or modify data that is not yours.
If a client's security review asks a question this page does not answer, email [email protected] and we will answer it directly.