✨ Swat.io AI: New smart features for easier social media management Learn more now
Swat.io Compliance Hub

You ask the right questions. Here are the real answers.

This hub gives your legal and procurement teams everything they need – without the back-and-forth.
🛡

GDPR Conform

DPA available including list of sub-processors
🏅

ISO 27001 Certified

Current certificate • Excellent security posture
🤖

EU AI Act Ready

Limited risk AI • Future-Proof Compliance
♿

Accessible Product

WCAG 2.1 AA aligned
🏦

DORA Ready

Financial sector compliance
☁

EU Hosting

EU Data Residency • GDPR compliant

GDPR & Data Protection

As a data processor under GDPR, we sign a Data Processing Agreement (DPA/AVV) with every customer who uses Swat.io to manage social media content involving personal data. We've been doing this since 2018.

  • GDPR Compliant Since 2018
  • Dedicated Data Protection Officer (DPO)
  • EU Data Hosting
  • Standard Data Processing Agreement Available (EN & DE)
  • DPA review for Custom Plan clients
  • Technical & Organizational Measures (TOMs) Documented & Reviewed Annually

IT Security & TOMs

ISO Certification covers the full Swat.io service lifecycle—from software development and cloud operations to customer support and infrastructure management.

  • ISO/IEC 27001:2022 Certified
  • Annual Independent Penetration Testing
  • AES-256 Encryption at Rest
  • TLS 1.2+ Encryption in Transit
  • 99.5% Uptime SLA
  • Two-Factor Authentication (2FA)

DORA

The Digital Operational Resilience Act requires financial entities to manage ICT third-party risk. As a software provider to banks and regulated entities, we have a standard DORA supplementary agreement in place.

  • DORA Supplementary Agreement Available
  • Defined Incident Reporting Commitments
  • Transparent Sub-Contractor Information
  • Security & Due Diligence Questionnaires Supported
  • Client-specific adaptations negotiable

EU AI Act

Swat.io uses AI to help social media teams draft content and manage workflows. Under the EU AI Act, these use cases are classified as low-risk and are supported by transparency, human oversight, and internal governance measures.

  • Swat.io is a Deployer of AI systems
  • AI features classified as low-risk
  • Transparency for AI-assisted content
  • Human oversight of AI-generated outputs
  • Internal AI governance and policies
  • No high-risk AI systems deployed
  • No prohibited AI practices used

EU Accessibility Act

Inclusivity matters to us. While the European Accessibility Act does not currently apply to Swat.io, we have invested in accessibility to ensure our application is usable by as many people as possible.

  • European Accessibility Act Scope Assessment Completed
  • Accessible Product
  • WCAG 2.1 AA Aligned
  • Keyboard Navigation Supported
  • Screen Reader Compatibility Tested
  • Accessibility Considered Throughout Product Development

Key Documents

Data Processing Agreement (DPA)

Our standard DPA for GDPR-compliant data processing. Available in German and English.

ISO 27001 Certificate

Current ISO/IEC 27001:2022 certification covering our full SaaS platform.

Technical & Organisational Measures (TOM)

Detailed documentation of our security controls and compliance measures.

General Terms & Conditions (GTC)

Our GTC governing the use of Swat.io and service terms. The term "Enterprise" refers to the current license "Custom".

Privacy Policy (Customers)

Privacy policy covering how we handle customer data and personal information.

Privacy Policy (Website)

Privacy policy for visitors to our website and online platforms.

Our Measures – Your Benefits

Highest data protection standards

We comply with all the requirements of the GDPR to ensure optimum protection of your information.

Deletion routines

Set individual frequencies when personal data (comments, messages) is automatically deleted from Swat.io, thereby fulfilling an important requirement of the GDPR.

Access tokens

Authenticate users and restrict their permissions to prevent unauthorized access to your social media profiles.

2-factor authentication

Secures account access using a password and additional authentication via the app.

Comprehensive authorization options

Define which users can perform which actions in the account. These include approvals, changes to posts and tickets, and much more.

Activity log

Provides an overview at any time of what changes, approvals, etc. regarding posts and tickets were made, by whom and when.

Secure data transmission and backups

Standardized transmission methods and regular backups ensure that your data remains secure and available, even in the case of unforeseen events.

Ongoing audits and reviews

Internal and external audits ensure that our security measures meet current standards and are continuously improved to protect your data in the long term.

Servers located in the EU

We store your data on servers in the EU that comply with the strict requirements of the GDPR to ensure maximum security and legal compliance.

Risk management

We review potential risks regularly and minimize vulnerabilities at an early stage, so that you are also optimally protected against future threats.

Planned emergency measures

Detailed emergency plans ensure rapid recovery in the case of unforeseen events and ensure business continuity.

Clear responsibilities

An Information Security Officer and a Data Protection Officer deal specifically with all aspects of information security and data protection.

Frequently Asked Questions

Is Swat.io GDPR-compliant?

Yes. Swat.io is GDPR-compliant and has been since 2018. Our standard DPA is available in German and English for all our clients. For clients on our Custom plan, we are open to discuss individual requirements.

Where does Swat.io store data? Is it in the EU?

Our core platform infrastructure and customer data processing are designed to remain within the EU, helping customers meet their data residency and GDPR requirements. We apply technical, organizational, and contractual safeguards to protect customer data and support ongoing compliance.

Does Swat.io provide a list of sub-processors?

Yes. The current list of subprocessors that we are using as processor, is available in Annex 1 / Article 6. of our DPA. We notify all active customers at least 30 days before adding or replacing any sub-processor, as required under our DPA. Customers who have specific objections to new sub-processors can raise these within the notification period. For further information, please visit swat.io/legal.

Is Swat.io ISO 27001 certified? Can we see the certificate?

Yes. Swat.io holds an ISO/IEC 27001:2022 certification covering the full SaaS platform. The current certificate is available for download under "Key Documents" on this page.

What encryption standards does Swat.io use?

All data at rest is encrypted using AES-256 via AWS KMS. All data in transit is encrypted with TLS 1.2 or higher. Backups are encrypted and stored offsite daily.

Does Swat.io offer a DORA supplementary agreement?

Yes. Swat.io has a standard DORA supplementary agreement in place for clients in the financial sector. Client-specific adaptations are possible for Custom plan clients. Please contact your Account Manager or reach out below to send an email.

Does Swat.io do penetration testing? Can we see the report?

Yes. Swat.io conducts an annual penetration test performed by an independent third-party provider.

How does Swat.io handle data deletion requests?

Swat.io processes data deletion requests in accordance with Article 17 GDPR (Right to Erasure). Requests are fulfilled within 30 days and include the removal of personal data from the Swat.io platform and applicable sub-processors. Once the process is completed, we provide written confirmation. For account-level deletion requests, please contact privacy@swat.io.

How does the EU AI Act affect Swat.io?

Swat.io uses third-party AI models to power features such as content creation, content optimization, reply suggestions, and workflow assistance. These use cases are classified as low-risk under the EU AI Act and do not involve high-risk or prohibited AI systems.

We are committed to responsible AI use through transparency, human oversight, and internal governance. AI-generated content is presented to users for review and approval, giving customers full control over what is ultimately published or sent. We regularly assess our AI features and processes to ensure alignment with applicable EU AI Act requirements.

Does NIS 2 affect Swat.io?

Swat.io is currently not in scope as a designated operator under NIS 2 or the Austrian NISG 2026. However, we apply NIS 2–aligned security and resilience practices to all systems, including annual risk assessments, penetration testing, and incident reporting and business continuity plans that align with NIS 2 timelines.

Does Swat.io carry liability insurance?

Yes. Swat.io carries professional indemnity and general business liability insurance, covering claims arising from our IT and SaaS activities, data protection violations, and third-party cyber incidents.

Further questions? Just reach out

If your legal question isn't covered here, drop us an email. We will figure it out together.

Swat.io is ISO 27001 certified

Your Data. Our Responsibility.

We know that, for your business, information is the foundation on which everything rests. Now with ISO 27001 certification, Swat.io can be relied upon as your trusted partner to protect this foundation in the best possible way.

ISO 27001
Secure. Diligent. Standardized.

ISO 27001 is a globally recognized standard for information security management systems. It gives you confidence that protecting your data is our priority and that we ensure your data security through defined processes and clear responsibilities. We have designed our structures in such a way as to minimize any risks and identify them at an early stage.

Requirements for certification

The certification may only be issued by accredited certification bodies. Independent auditors take a close look at technologies, processes and security measures. To receive the certification, our information security management system must meet the requirements of the standard and we must implement and document them on a continual basis, thereby demonstrating our commitment to your data security.