Security by design

Built to meet the standards of modern organizations. From encryption and access control to GDPR and flexible deployment.

GDPR & ISO 27001

GDPR-compliant and progressing towards ISO 27001 certification.

Secure Access & Sign-On

Enterprise SSO via SAML and OIDC, as well as Social Sign-On with Microsoft and Google.

Data Encryption

Users can only access authorized data. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).

No AI Model Training

Agreements with AI subprocessors prohibit use of customer data to train their models.

Trusted Partners

We work with Microsoft, Google, Clerk, and other leading providers to keep data secure.

Flexible Deployment

Shiftic runs as a fully managed SaaS solution, but can also be deployed on your cloud infrastructure if needed.

"Shiftic’s ability to meet our security and infrastructure requirements was a key reason we could move forward. Their team worked closely with ours to make it happen."

Frequently asked questions

What happens in the event of a data breach?

Shiftic maintains a formal Incident Response Plan with defined severity levels and escalation procedures. If a breach affects your data, we will notify clients within 72 hours, including a description of what happened, the data involved, likely consequences, and the steps we are taking. Post-incident reviews are conducted to prevent recurrence.

Is Shiftic GDPR compliant, and is there a DPA?

Yes. Shiftic acts as a data processor under GDPR, and you as the customer are the data controller. A Data Processing Agreement (DPA) is included as standard on all plans and enters into force automatically when you activate a subscription — no separate signature required. The DPA is available at shiftic.com/legal/dpa

Where is my data stored and processed?

Shiftic's infrastructure is hosted in data centres within the EU. Data is not transferred outside the EU/EEA except where sub-processors operate under appropriate safeguards as described in our DPA. A current list of sub-processors and their locations is available at shiftic.com/legal/sub-processors

Who can access what is created and uploaded in Shiftic?

Only authorized users in your organization who are explicitly invited to a project can access it. The Shiftic team does not have access to user data, unless permission is given for support cases. Your organisation retains full ownership of all data and content created in Shiftic.

Will our data be used to train AI models?

No. Shiftic does not use your data to train or fine-tune AI models. Our LLM providers are contractually prohibited from training on customer data and operate under a zero-data retention policy — meaning prompts are processed in real time and never logged or reused. This protection applies across the entire chain, not just at the Shiftic level.

How does Shiftic support responsible AI use?

Shiftic is built with privacy by design. Personal identifiers are minimized before content reaches the AI — only the minimum necessary context is included in prompts. The platform actively guides users to anonymize or remove sensitive data when it's detected. Our LLM provider operates under a zero-data retention policy, meaning prompts are processed in real time and never logged or reused. Customer data is never used to train AI models.

What types of data cannot be uploaded?

Shiftic is not designed or certified to handle certain categories of sensitive data. You must not upload or input the following: special categories of personal data as defined under GDPR Article 9 (including health data, biometric data, data revealing racial or ethnic origin, political opinions, or religious beliefs); protected health information under HIPAA or equivalent legislation; financial account numbers, payment card data, or government-issued identifiers such as national ID or social security numbers. If your use case involves sensitive data of this nature, please contact us to discuss whether an Enterprise arrangement may be appropriate.

Does Shiftic support Enterprise SSO?

Yes. Shiftic supports Enterprise Single Sign-On via SAML and OIDC on the Enterprise plan, in addition to OAuth2 Social Sign-On with Microsoft and Google, which is available on all plans. Contact us to discuss your identity provider requirements.

What sub-processors do you rely on?

Shiftic uses a defined set of sub-processors for infrastructure hosting, AI model processing, analytics, and transactional communications. All sub-processors are reviewed before onboarding and bound by data processing agreements. We notify customers at least 30 days in advance of any changes. A current list is available at shiftic.com/legal/sub-processors

How do you ensure third-party subprocessors meet your security requirements?

We carefully vet all subprocessors and require them to meet high standards for data protection, security, and legal compliance. Our infrastructure partners hold leading certifications: ISO 27001 and SOC 2.

What security certifications do your infrastructure partners have?

Our infrastructure partners hold leading industry certifications including ISO 27001 and SOC 2. A full list of sub-processors is available at shiftic.com/legal/sub-processors

Can we run Shiftic in our own cloud environment?

Yes. While Shiftic is typically delivered as a fully managed SaaS solution, we also offer the option to deploy Shiftic in your own cloud infrastructure. This option is available on our Enterprise Plan, subject to additional fees.

How does Shiftic handle a data breach?

Shiftic maintains a formal Incident Response Plan with defined severity levels and escalation procedures. If a breach affects your data, we will notify you within 72 hours, including a description of what happened, the data involved, likely consequences, and the steps we are taking. Post-incident reviews are conducted to prevent recurrence.

How do I exercise data subject rights?

You can submit requests related to access, rectification, erasure, or portability of personal data by contacting us at privacy@shiftic.com. Shiftic will assist you in fulfilling your obligations as data controller under GDPR, in accordance with the DPA.