00 Trust

How we handle your data.

We are an EU-based consultancy. We work inside your Workday tenant. We don't move data outside the tenant unless you tell us to. That is the policy.

01 Principles

The four things that make every other decision easier.

01 EU-only delivery

Every person on every engagement is based in the EU. Customer data never leaves the EEA.

02 Workday-native by design

We work inside your tenant. We don't store, mirror, or export your data unless you ask us to.

03 Right people, right access

Time-boxed least-privilege access. JIT requests, audit log, MFA without exceptions.

04 Confidentiality is default

Every employee and contractor has signed an NDA. Customer references require written consent.

02 Compliance

GDPR-first. Cyber Essentials today, ISO 27001 in summer 2026.

We treat our HR-tech customers' obligations as our own. That means real policies, real training, and real auditors, not just a page on a website.

  • GDPR: Data Processing Agreement available on request; subprocessors listed below.
  • Cyber Essentials: Certified (UK NCSC), renewed on the annual certification cycle.
  • ISO 27001: Certification audit scheduled for summer 2026. ISMS workstream underway with Statement of Applicability and policy stack approved.
  • EU AI Act: AI Use Case Register maintained for all production AI features. Position paper available in the procurement pack.
Policies & documents (available on request)

| Document | Version | Date |
| --- | --- | --- |
| Information Security Policy | v3.2 | Mar 2026 |
| Data Processing Agreement (template) | v2.1 | Jan 2026 |
| Subprocessor list | current | Live |
| Incident Response Plan | v2.0 | Feb 2026 |
| Acceptable Use Policy | v1.4 | Jan 2026 |

03 EU AI Act position

Where we land on the EU AI Act.

The pyramid on the Agents page gives risk, audit and IT teams a shared vocabulary. This is the page that backs it up: how we classify HR AI use cases against Annex III, where the models actually run, and how we run GDPR and the AI Act as one programme rather than two. Built for your internal review, not your marketing wall.

One-page position · Rev. 2026.05 · reviewed quarterly

A. Annex III mapping

Where each kind of HR AI work lands under Annex III. “High-risk” does not mean “off-limits”; it means that specific obligations apply, and we design for them up front.

| Use case | Annex III ref. | Classification | Our posture |
| --- | --- | --- | --- |
| Recruitment, candidate ranking, selection | III.4(a) | High-risk | Out of scope for our agents. We do not build automated candidate-ranking agents that drive selection decisions. |
| Performance monitoring, evaluation, behaviour analysis | III.4(b) | High-risk | Agents prepare evidence and surface patterns. The manager decides. Human-in-the-loop is non-optional. |
| Promotion, termination, task allocation | III.4(b) | High-risk | Agents draft proposals routed through Workday business processes. Approval and effective dating sit with humans. |
| Goal setting, coaching, learning recommendations | III.3 (adjacent) | Limited | Transparency obligations apply. We disclose AI involvement, log interactions, allow opt-out. |
| Manager Q&A, policy lookup, ticket triage | n/a | Minimal | No specific AI Act obligations beyond general transparency. Standard governance still applies. |
| Data quality, org-management hygiene, integration monitoring | n/a | Minimal | Internal HR ops. No individual decisions are taken by the agent. |

B. Model hosting locations

Where the actual inference runs. Customer data does not leave the EEA. No customer data is used to train any model.

| Model / runtime | Hosted on | Region | When we use it |
| --- | --- | --- | --- |
| Anthropic Claude | AWS Bedrock | EU (Frankfurt, Ireland) | Default reasoning model for our agents. |
| OpenAI GPT family | Azure OpenAI Service | EU (Sweden, Netherlands) | Available where customer policy requires it. Same EU isolation. |
| Workday AI Gateway | Workday | EU (Workday EU region) | When the agent uses Workday's native LLM gateway, inference stays inside the tenant region. |
| Embedding / utility models | AWS Bedrock | EU (Frankfurt) | Retrieval, classification, content extraction. Same hosting controls. |
  • No production inference on US-hosted endpoints.
  • No customer prompts or completions used for model training. Contractual commitment with every provider.
  • Prompts and completions logged inside the customer tenant for audit and evaluation, retained per the customer's policy.
C. GDPR ↔ AI Act crosswalk

Where the two regulations overlap, we run one programme, not two. The DPIA and the FRIA are one document. The audit log serves both.

GDPR Art. 22 (Automated decision-making) ↔ AI Act Art. 14 (Human oversight)

Humans-in-the-loop on every high-risk action. Agents draft; managers approve through Workday business processes.

GDPR Art. 35 (Data Protection Impact Assessment) ↔ AI Act Art. 27 (Fundamental Rights Impact Assessment)

One assessment template covering both. Required before any high-risk agent goes live.

GDPR Art. 5 (Data minimisation, purpose limitation) ↔ AI Act Art. 10 (Data and data governance)

Context is engineered, not dumped. Only the data the agent needs for the current turn enters the model's window.

GDPR Art. 13 / 14 (Information to data subjects) ↔ AI Act Art. 13 / 50 (Transparency to users)

Users are told when they are interacting with an agent and what it can do. Disclosure built into the product, not buried in a policy.

GDPR Art. 32 (Security of processing) ↔ AI Act Art. 15 (Accuracy, robustness, cybersecurity)

Same controls. Cyber Essentials controls in operation today; ISO 27001 certification audit scheduled for summer 2026. Evaluation suite gates every release.

GDPR Art. 30 (Records of processing) ↔ AI Act Art. 12 + 19 (Logging & record-keeping)

Per-turn audit trail held inside the Workday tenant. Same log answers DPO and AI Office questions.

Need the full assessment, signed and dated, mapped to your specific use cases? info@incubane.com.

04 Customer engagements

Where customer data lives when we deliver work.

Incubane does not host customer personal data in the default engagement model. Customer data lives in the customer's own Workday tenant under the customer's controls. The rows below describe the supporting tools we use, not subprocessors of Customer Personal Data. New subprocessors of Customer Personal Data require the customer's prior written approval per our DPA.

| Provider | Purpose | Region |
| --- | --- | --- |
| Workday | Customer tenant. All customer data lives here, in the customer's own subscription. Incubane consultants access the tenant under the customer's security model. | Customer-selected region |
| Microsoft 365 | Email and document collaboration between Incubane and Customer. Touches business-contact data for Customer personnel involved in the engagement only. | EU (Ireland, Netherlands) |

05 Subprocessors · Website visitors

Who touches data from incubane.com visitors.

Separate from customer engagements. Applies to anyone who fills in the contact form, registers for the library, books a call, or uses the agent recommendation hero. EU-resident where possible; the US-hosted services below are covered by EU Standard Contractual Clauses.

| Provider | Purpose | Region |
| --- | --- | --- |
| Vercel | Hosts the incubane.com website and serverless functions. Processes contact form and library registration payloads in flight. | EU (Frankfurt) |
| Supabase | Stores library registrations, magic-link sessions, contact-form audit log. Authoritative store for visitor accounts. | EU (Frankfurt) |
| Resend | Delivers transactional email: contact form notifications and magic-link sign-in emails. | EU (Frankfurt) |
| Mailchimp | Newsletter list and library lead segmentation. Receives email + name + role from registrations where the user opted in. | US, covered by EU Standard Contractual Clauses |
| Anthropic (direct API) | Powers the AI strategy recommendation hero on /services/ai-strategy. Visitor questions only, no personal data attached. Not used for training. | US, zero data retention configured |
| Cloudflare | Turnstile CAPTCHA on the magic-link signup. Anti-bot only, no profiling cookies. | Global edge, EU resolution preferred |
| Plausible Analytics | Cookieless visitor analytics. No personal data, no cross-site tracking. | EU (Germany) |
| Calendly | Loaded only when a visitor clicks Book a meeting. Booking session data subject to Calendly's policy. | US, covered by EU Standard Contractual Clauses |

06 Reporting

Saw something? Tell us.

Security and privacy issues go to info@incubane.com. We acknowledge inside one business day and follow a published coordinated-disclosure policy.

Need a DPA, a SIG, or a custom security questionnaire?

Send it over. We have a templated response for the common ones and a turnaround target of five business days.