How does Symphony protect customer data under LGPD and GDPR?

Symphony operates under Brazil's LGPD and follows GDPR-equivalent standards. Customer data is processed under a valid legal basis with data minimization at every layer. Data is never used to train AI models. Deletion and portability requests are processed within statutory deadlines.

How does Symphony isolate data between clients?

Each Symphony client operates in a fully isolated data environment with dedicated database schemas and separate users. No application role can read or write data outside its assigned client scope. All schema access is logged and periodically reviewed.

What cloud infrastructure does Symphony run on?

Symphony runs entirely on Microsoft Azure infrastructure, including Azure Container Apps for hosting, Azure Key Vault for secrets management, and Azure Container Registry for container images. All connections are TLS-encrypted and secrets are never stored in source code.

Compliance & Privacy

Enterprise security
you can trust

Q: Is Symphony SOC 2 certified?

Symphony is not currently SOC 2 Type II certified. Our controls, documentation and operational processes are designed to meet SOC 2 Trust Services Criteria. We are prepared to pursue formal certification and can provide control documentation for enterprise vendor assessments.

Q: Does Symphony use customer data to train AI models?

No. Symphony uses AI models exclusively for inference. Customer data is never used to train or fine-tune any AI model. Each query sends only the minimum context required to produce the response, and providers process queries in real time only.

Symphony is designed for operations that demand governance, security and regulatory compliance. Every control, every layer of data protection — documented here.

Last updated: May 2026

📜

SOC 2 Readiness

Symphony is not currently SOC 2 Type II certified. Our controls, documentation, and operational processes are designed to meet SOC 2 Trust Services Criteria. We are prepared to pursue formal certification and can provide control documentation for enterprise clients conducting their own vendor assessment.

🔒

Data Privacy — LGPD & GDPR

Symphony operates under Brazil's Lei Geral de Proteção de Dados (LGPD) and follows GDPR-equivalent standards for international clients. We apply data minimization at every layer: only data necessary for the contracted service is collected and processed.

✓Lawful basis: data is processed exclusively under a valid legal basis — contract performance, legitimate interest, or explicit consent.
✓Minimization: only data required for the active service is processed. No surplus collection.
✓Purpose limitation: customer data is used solely to deliver Symphony's contracted features. It is never used to train AI models.
✓Deletion requests: data subject requests (access, correction, portability, deletion) are registered, tracked, and responded to within statutory deadlines.

🛡️

Information Security

Symphony enforces security controls across all layers — application, network, database, and secrets management.

🔐 Encryption

All traffic uses TLS. Database connections enforce certificate-validating TLS (verify-full). Data at rest is encrypted on Azure-managed storage.

🗝 Authentication & MFA

Administrative access requires multi-factor authentication. Service credentials are rotated periodically and never stored in source code.

🏦 Secrets Management

All API keys, connection strings, and tokens are stored in Azure Key Vault. Repositories are scanned to detect any accidental credential exposure.

📡 Continuous Monitoring

Access logs, deploy events, and AI interaction records are retained and reviewable. Anomalous access patterns trigger alerts and investigation protocols.

🏢

Per-Client Data Isolation

Each Symphony client operates in a fully isolated data environment. There is no shared storage, no cross-client queries, and no possibility of one client's data being accessed by another.

✓Dedicated database schemas per client (cliente_XXXXXX), with separate database users and grants.
✓RBAC enforcement: roles and permissions are reviewed on every client onboarding and monthly thereafter.
✓Zero cross-client access: no application role can read or write data outside its assigned client scope.
✓Audit trail: all access to client schemas is logged and periodically reviewed for anomalies.

🤖

Responsible AI

Symphony uses large language models exclusively for inference — generating answers and analyses. Customer data is never used to train or fine-tune any AI model. Each query sends only the minimum context required to produce the response.

✓No training on customer data: AI providers process queries in real time only; data is not retained by the model provider for training purposes under our agreements.
✓Context minimization: only the data required to answer a specific question is included in the prompt. No full-schema dumps or unrestricted exports.
✓Human oversight: AI responses are subject to quality review. Negative feedback triggers investigation and correction cycles.
✓Multi-model strategy: Symphony supports multiple AI providers for resilience. All providers are evaluated against data processing standards before activation.

🚨

Incident Response

Symphony maintains a structured incident response process with defined phases, owners, and evidence requirements.

1Identification: alert source, timestamp, and affected systems are logged immediately upon detection.
2Containment: affected users or tokens are suspended, secrets rotated, and resources isolated within the minimum feasible time.
3Eradication: root cause is corrected, permissions reviewed, and patches applied before any service restoration.
4Recovery: health checks validate full service restoration. Affected parties are notified in accordance with LGPD/GDPR notification obligations.
5Post-incident review: lessons learned are documented, runbooks updated, and controls improved to prevent recurrence.

☁️

Infrastructure & Third-Party Providers

Symphony runs entirely on Microsoft Azure infrastructure, with all primary services hosted in controlled Azure regions. Third-party dependencies are evaluated and controlled to maintain the security boundary.

✓Azure Container Apps — application hosting with RBAC-controlled revisions, secrets integration, and full audit logging.
✓Azure Key Vault — centralized secrets management with access policies and audit logs for every secret access.
✓Azure Container Registry — private container image registry with vulnerability scanning and immutable image tags.
✓Managed database service — TLS enforcement, automated backups, private networking, and encryption at rest.

📋

Data Subject Rights

Symphony provides mechanisms to exercise all data subject rights under LGPD and GDPR. Requests can be submitted by the company's designated administrator or directly by the data subject.

✓Access: confirmation of whether personal data is processed, and a copy of that data.
✓Correction: update of inaccurate or outdated personal information.
✓Deletion: erasure of personal data, subject to legal retention obligations.
✓Portability: export of data in a structured, machine-readable format.
✓Objection: right to object to certain processing activities.

All requests are registered, given a tracking reference, and responded to within the statutory deadline (15 days under LGPD; 30 days under GDPR).

Questions about compliance?

Our team is available to answer questions from DPOs, CISOs, IT managers, and enterprise procurement teams. Send your inquiry and we will respond within 48 business hours.

compliance@whiteweb.com.br

Enterprise securityyou can trust