
Data & trust.

Last reviewed: 07 May 2026
Document: SG-LEGAL-008
Encryption: AES-256 / TLS 1.2+
Breach SLA: 24h to clients · 72h to AKI

Contents
  1. At a Glance
  2. Information Security
  3. Privacy
  4. AI Governance
  5. Personnel Security
  6. Vendor Management
  7. Incident Response
  8. Vulnerability Disclosure
  9. Service Availability
  10. Compliance Posture
  11. Documents and Resources
  12. Contact

SOLGREEN — Data & Trust

Plain English: One-page summary of how we handle security, privacy, and operational risk. The aim is for a procurement team to read it once and understand the shape of how we operate.

Last updated: 2026-05-07

1. At a Glance

| Topic | Position |
| --- | --- |
| Legal entity | SOLGREEN OÜ (Estonian private limited company) |
| Registry code | 16360195 |
| Headquarters | Tartu mnt 67/1-13b, 10115 Tallinn, Estonia |
| Founded | 8 November 2021 |
| Data sale / sharing for advertising | None |
| Third-party advertising or social trackers on the Site | None |
| Cookies set on the marketing Site | 3 (all first-party) |
| AI vendor training on Customer data | Contractually prohibited |
| Encryption at rest | AES-256 |
| Encryption in transit | TLS 1.2+ |
| Multi-factor authentication on admin accounts | Required |
| Public DPA template | /dpa |
| Public sub-processor list | /subprocessors |
| Vulnerability disclosure | security@solgreen.ee + /.well-known/security.txt |
| Status page | status.solgreen.ee |
| Personal data breach SLA to clients | Within 24 hours of confirmation |
| Personal data breach SLA to regulators | Within 72 hours where required (Andmekaitse Inspektsioon for Estonian-touching breaches) |
| Certifications | SOC 2 Type I in progress (target ); subprocessors hold SOC 2 Type II / ISO 27001 |
| Accessibility | WCAG 2.2 AA — partially conforms (statement) |
| Estonian supervisory authority | Andmekaitse Inspektsioon (AKI) — aki.ee |

2. Information Security

Plain English: A layered set of controls — encryption, access, monitoring, vendor due diligence, and incident response — designed to protect Personal Data and Confidential Information end-to-end.

2.1 Encryption

  • In transit: TLS 1.2 or higher with strong cipher suites; HSTS enabled on solgreen.ee
  • At rest: AES-256 or equivalent for all systems holding Personal Data
  • Key management: Reputable cloud KMS with role-based access; keys rotated on a defined schedule; HSM-backed where supported

2.2 Access Control

  • Need-to-know: Access to client environments is named, time-bounded, and logged
  • MFA: Required on all administrative accounts and on accounts with access to Personal Data
  • Least privilege: Role-based access controls (RBAC); periodic access reviews
  • Joiner / mover / leaver: Documented process; access revoked at engagement end and at offboarding within one (1) business day
  • Single sign-on (SSO): Used wherever supported by the underlying tool

2.3 Endpoint Security

  • Centrally-managed devices (mobile device management)
  • Full-disk encryption on every endpoint
  • Remote wipe enabled
  • Approved-software baseline; unauthorized installs blocked or alerted

2.4 Network and Application Security

  • Hardened cloud infrastructure (Railway for application hosting; Cloudflare for DNS/CDN/edge security)
  • Segmented environments (development / staging / production)
  • Web application firewall via Cloudflare on the marketing Site
  • DDoS mitigation via Cloudflare

2.5 Logging and Monitoring

  • Tamper-evident audit logs of access to Personal Data
  • Monthly log reviews by the engineering lead
  • Engagement close-out audits before access is revoked
  • Anomalous-activity alerts on critical systems

2.6 Vulnerability Management

  • Periodic vulnerability scanning of SOLGREEN infrastructure
  • Patching SLAs: Critical within 7 days, High within 30 days, Medium within 60 days
  • External penetration test cadence:

2.7 Backup and Disaster Recovery

  • Encrypted backups with defined retention and rotation
  • Documented business-continuity and disaster-recovery procedures
  • Recovery-time objective (RTO) and recovery-point objective (RPO) available to clients on request under NDA

3. Privacy

Plain English: Privacy is engineered in, not bolted on. We collect what we need, name our vendors, and we're explicit about how international transfers work.

  • Privacy Policy: /privacy — including GDPR, UK GDPR, Estonian PDPA, CCPA/CPRA, FADP, and AI processing sections
  • Cookie Policy: /cookies — minimal first-party cookies, no third-party trackers
  • Data Processing Agreement: /dpa — public template incorporating EU SCCs, UK Addendum, Swiss Addendum, and CCPA service-provider/contractor certification
  • Sub-processor list: /subprocessors — Railway, Cloudflare, Resend, GitHub
  • International transfers: EU SCCs (Decision 2021/914) Module 2 / Module 3, UK IDTA, Swiss Addendum; Transfer Impact Assessments completed for the United States
  • Data subject rights: privacy@solgreen.ee; 30-day response (45 days for CCPA/CPRA) with reasonable extensions
  • Estonian supervisory authority: Andmekaitse Inspektsioon (AKI) — aki.ee
  • Global Privacy Control: Honored
  • Data sale / cross-context behavioral advertising: None

4. AI Governance

Plain English: We build AI products for clients (RAG, agents, automation) and use AI tools internally. We don't let AI vendors train on customer data. We tell you which tools we used. We follow the EU AI Act.

This section addresses our obligations under the EU AI Act (Regulation (EU) 2024/1689), in particular Articles 5 (prohibited practices), 25 (responsibilities along the AI value chain), and 50 (transparency).

4.1 What we use AI for

  • Internal: Code-generation assistance, documentation, summarization
  • Client deliverables: We design and build AI products on behalf of clients — RAG systems, autonomous agents, AI workflows, on-site assistants, operator consoles. Specific AI vendors used for an engagement are named in the SOW and added to the public Subprocessor list while the engagement is active.

4.2 No training on customer data

All AI vendors we use are contractually committed not to train, retrain, or fine-tune their models on customer inputs/outputs. Where this is not technically feasible for a specific vendor, we obtain the relevant client's written consent before processing any data with that vendor.

4.3 Transparency (Article 50)

Where SOLGREEN deploys an AI system that interacts with natural persons, or generates synthetic audio, image, video, or text content that is published, we ensure transparency consistent with Article 50:

  • AI systems that interact with humans are clearly identified as AI
  • AI-generated content is labeled where required

For deliverables we hand off to clients, we document AI involvement so the client (as deployer) can satisfy its own Article 50 obligations.

4.4 Human oversight

A human reviews AI-assisted outputs before delivery. Final editorial control rests with the client.

4.5 Prohibited uses

We will not use AI to (a) make decisions producing legal or similarly significant effects on individuals without human oversight; (b) generate non-consensual intimate imagery; (c) create deceptive deepfakes; or (d) infer sensitive attributes from non-sensitive inputs; and (e) we will not engage in any practice prohibited by Article 5 of the EU AI Act.

4.6 Value-chain responsibilities (Article 25)

Where SOLGREEN sits in the AI value chain as a deployer, modifier, or component supplier, we will provide downstream parties with the information they need to fulfill their own AI Act obligations.

4.7 High-risk AI systems

If an engagement involves an Annex III high-risk AI system, the SOW identifies it as such and the parties agree the additional obligations under Chapter III of the EU AI Act that apply to providers (requirements in Articles 8 to 15; provider obligations in Articles 16 and 17) and to deployers (Article 26).

5. Personnel Security

Plain English: Our team is bound to confidentiality, trained on privacy and security, and screened where the law allows.

  • Background checks where permitted by law
  • Confidentiality and data-protection clauses in every employment and contractor agreement
  • Engagement-specific NDAs at the workspace and document level
  • Mandatory privacy and security training on onboarding and annually
  • Tabletop exercises on incident response

6. Vendor Management

Plain English: We vet our vendors and we don't onboard one without a security and privacy review.

  • Vendor due-diligence screen before onboarding (security questionnaire, certifications, DPA review, transfer-mechanism review)
  • Preference for vendors with SOC 2 Type II, ISO/IEC 27001, or equivalent certifications, plus regional data-residency options
  • Quarterly review of the sub-processor list
  • 30-day public notice for material sub-processor changes
  • Right of clients to object on data-protection grounds

7. Incident Response

Plain English: A written plan, named owners, fast notification, and a post-incident report within 14 days.

| Stage | Action |
| --- | --- |
| Detection | Alert via monitoring, vendor notification, or human report |
| Triage | Incident coordinator assesses severity within 2 hours |
| Containment | Compromised credentials rotated, affected systems isolated |
| Notification | Affected clients within 24 hours of confirmation; supervisory authorities (AKI for EU/Estonian-touching breaches) within 72 hours where required |
| Eradication | Root-cause analysis; remediation deployed |
| Recovery | Systems restored from clean state; access reissued |
| Post-incident report | Delivered within 14 days; root cause, corrective actions, lessons learned |

8. Vulnerability Disclosure

Plain English: If you find a security issue, please tell us. We commit to acknowledging reports within 5 business days, triaging them within 10 business days, and not pursuing legal action against good-faith researchers.

We welcome responsible disclosure of security issues from researchers and the public.

  • Contact: security@solgreen.ee
  • Encryption: PGP key available at /.well-known/security.txt
  • Scope: All *.solgreen.ee domains and the production marketing Site
  • Out of scope: Third-party services (please report to those vendors directly), social-engineering attempts, denial-of-service testing, physical security
  • Acknowledgment: Within 5 business days
  • Triage: Within 10 business days
  • Resolution: Tracked through our standard patch SLAs (Critical 7 days, High 30 days, Medium 60 days)
  • Safe harbor: We will not pursue legal action against researchers who act in good faith, do not access Personal Data beyond what's necessary to demonstrate the issue, and disclose responsibly

9. Service Availability

Plain English: We don't run a SaaS product, but our marketing Site has stability targets and a public status page.

  • Public status page: status.solgreen.ee
  • Site availability target: 99.9% monthly (marketing Site)
  • Client-facing tools: Underlying SLAs governed by the relevant vendors (Railway, Cloudflare, GitHub, Resend); see Subprocessors
  • Maintenance windows: Announced in advance via the status page

10. Compliance Posture

Plain English: Where we stand on the certifications and frameworks our larger clients ask about.

| Framework | Status |
| --- | --- |
| GDPR / UK GDPR | Article 28 alignment via published DPA; SCCs / IDTA in place; lead supervisory authority for our Estonian establishment is AKI |
| Estonian Personal Data Protection Act | Compliant; AKI named as supervisor in Privacy Policy |
| Swiss FADP | Swiss Addendum to SCCs in place |
| CCPA / CPRA | Compliant for California residents; "Do Not Sell or Share" link in footer; service-provider/contractor certification in DPA |
| EU AI Act | Article 50 transparency obligations honored; Article 25 value-chain obligations addressed; Article 5 prohibited practices excluded by policy |
| ISO/IEC 27001 | Not certified; controls aligned with the standard's domains |
| SOC 2 Type I | In progress (target ) |
| SOC 2 Type II | Roadmap — following Type I |
| WCAG 2.2 AA | Partially conforms (statement) |
| EU Accessibility Act | Awareness on client deliverables; in-scope deliverables flagged in SOWs |

11. Documents and Resources

| Document | URL |
| --- | --- |
| Privacy Policy | /privacy |
| Cookie Policy | /cookies |
| Terms of Service | |
| Data Processing Agreement | /dpa |
| Sub-processor list | /subprocessors |
| Accessibility Statement | |
| Impressum / Õigusteave (legal notice) | |
| Security disclosure (security.txt) | /.well-known/security.txt |
| Status page | status.solgreen.ee |
| Estonian Business Register entry | |

For documents requiring a non-disclosure agreement (security questionnaires, internal policies, audit reports) please contact security@solgreen.ee.

12. Contact

| Topic | Email |
| --- | --- |
| General | hello@solgreen.ee |
| Privacy / data subject rights | privacy@solgreen.ee |
| Security disclosures | security@solgreen.ee |
| Accessibility | accessibility@solgreen.ee |
| Legal notices | legal@solgreen.ee |
| Postal | SOLGREEN OÜ, Tartu mnt 67/1-13b, 10115 Tallinn, Estonia |