BioSonic AB (org.nr 559472-8056) operates the BioSonic platform at biosonic.io and bat.biosonic.se. The platform processes bat acoustic recordings — ultrasonic wildlife audio, not personal communications — and the classification results derived from them. The practices below describe how we keep that data and your account safe. Every claim on this page reflects how the service is run today; where something is on our roadmap rather than in place, we say so plainly.
1. EU Data Residency
Your account data and uploaded recordings are stored and processed within the EU/EEA and the UK. We do not move customer data to other regions to run the core service.
- Compute, storage & backups — Amazon Web Services in EU Stockholm (
eu-north-1) and UK London (eu-west-2). - Database & authentication — Supabase, hosted in the EU.
- Frontend hosting & edge delivery — Vercel, served from EU edge locations.
- Product analytics — PostHog Cloud EU (
eu.i.posthog.com). - Encrypted off-site backups — a Swedish colocation provider.
Where a sub-processor's parent entity sits outside the EEA, any onward transfer is governed by Standard Contractual Clauses and, for the UK, the EU–UK adequacy decision. See our Privacy Policy for the full international-transfers position.
2. Encryption
In transit. The marketing site and the application are served exclusively over HTTPS/TLS. Browser-to-server traffic, including uploads and authenticated sessions, is encrypted using modern TLS terminated by our hosting providers.
At rest. Customer recordings and database contents are stored on managed EU infrastructure (AWS and Supabase) that encrypts data at rest, and off-site backups are kept encrypted with a Swedish colocation provider.
Credentials. Account passwords are never stored in plain text — they are hashed. Authentication is handled by Supabase.
3. Access Controls
- Account-based access. Access to data in the platform is scoped to your account and organisation. You are responsible for keeping your credentials confidential and for activity under your account.
- Single sign-on. Microsoft Azure SSO is supported, so organisations can manage access through their own identity provider.
- Least-privilege operations. Internal access to production systems is limited to what is needed to run and support the service.
- Suspected compromise. If you believe an account has been accessed without authorisation, email hello@biosonic.se immediately and we will help you secure it.
4. Infrastructure & Hardening
BioSonic runs on managed, EU-based cloud infrastructure (AWS, Supabase, Vercel) rather than self-hosted servers, so platform-level patching and physical security are handled by providers with mature security programmes. On top of that, our pages are served with browser-side hardening, including:
- A strict Content-Security-Policy that restricts where scripts, styles, fonts, frames, and network connections may load from.
frame-ancestors 'self'to limit who can frame our pages and reduce clickjacking risk.object-src 'none'andbase-uri 'self'to cut off plugin-based and base-tag injection attack surface.
These are defence-in-depth measures applied at the edge, in addition to the providers' own controls. We continue to tighten our security headers over time.
5. Sub-processors
We do not sell customer data. We share data only with the sub-processors below, each bound by a data processing agreement. This list mirrors the canonical one in our Privacy Policy, which is the authoritative source and is updated with 30 days' notice of any change (GDPR Art. 28(2)).
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Compute, storage, backups | EU Stockholm (eu-north-1), UK London (eu-west-2) |
| Supabase | Managed PostgreSQL database & authentication | EU |
| Vercel | Frontend hosting & edge delivery | EU edge |
| Google Workspace (Gmail) | Business email | EU data region |
| PostHog Cloud EU | Product analytics | EU (eu.i.posthog.com) |
| Swedish colocation provider | Encrypted off-site backups | Sweden |
6. GDPR & Data Protection
BioSonic AB is the data controller for personal data processed through the platform and processes data in line with the EU GDPR and UK GDPR. In practice that means:
- Defined legal bases for every processing activity (contract, legitimate interests, consent, legal obligation).
- Data subject rights — access, rectification, erasure, restriction, portability, and objection — honoured on request.
- Data minimisation: uploaded audio is ultrasonic wildlife recording, not personal communications.
- Sub-processors bound by data processing agreements, with international transfers covered by SCCs and the EU–UK adequacy decision.
- Supervisory authorities: IMY (Sweden, primary) and the ICO (UK, secondary).
Enterprise customers can request a Data Processing Agreement (DPA), which can also override default AI-training behaviour. The full detail lives in our Privacy Policy.
7. Data Retention & Deletion
We retain your account data and uploaded recordings for the life of your contract. On termination or a deletion request, you may export your data within 30 days, after which we delete customer data within 90 days — except where law requires retention (e.g. Swedish accounting rules). See Data Retention and the Terms of Service for specifics.
8. Responsible Disclosure
We welcome good-faith security research and will acknowledge reports as quickly as we can. We do not currently operate a paid bug-bounty programme, but we are grateful for, and will credit, researchers who report issues responsibly.
9. Compliance & Roadmap
We want to be precise about what is in place versus what is planned, so that procurement teams can rely on this page:
- In place: EU/EEA & UK data residency, HTTPS/TLS in transit, provider-managed encryption at rest plus encrypted off-site backups, hashed credentials, SSO, GDPR/UK GDPR alignment, DPAs with sub-processors, and edge-level web hardening (a strict Content-Security-Policy).
- On request: a Data Processing Agreement and answers to standard security questionnaires — just contact us.
- Roadmap: formal third-party certifications (for example SOC 2 / ISO 27001) and independent penetration testing are on our roadmap. We do not claim these today; if you have a specific compliance requirement, get in touch and we will tell you exactly where we stand.
10. Security Contact
For security questions, due-diligence requests, a DPA, or a vulnerability report, email hello@biosonic.se.
BioSonic AB
Bergsundsgatan 7, 117 37 Stockholm, Sweden
Org.nr 559472-8056 · VAT SE559472805601
