Privacy Policy

Version 1 | Effective Date: March 1, 2026

Trust & Safety

Targetwise.AI provides payment verification infrastructure to financial institutions, payment service providers, and enterprise organisations worldwide. Security, privacy, and regulatory compliance are foundational to how we build and operate our platform.

This page outlines our approach to data protection, infrastructure security, application security, regulatory compliance, data processing practices, and organisational controls.

GDPR Compliant · ISO 27001 Certified · PSD2 Ready · AML Aligned · API-First Architecture

Data Architecture & Storage

Targetwise.AI is designed around a stateless verification model. Sensitive financial data submitted through our API is processed in real time and is not persisted after the verification response is delivered.

Infrastructure

Targetwise.AI is hosted on dedicated servers operated by Hetzner Online GmbH in Germany, with data centre presence in Falkenstein and Nuremberg. All infrastructure runs within isolated network environments. No database endpoints are publicly exposed. Data residency remains within the European Union at all times.

Encryption

Data in transit is protected using TLS 1.2 or higher, with TLS 1.3 as the preferred protocol. Data at rest is encrypted using AES-256. Encryption keys are subject to strict access controls and are rotated on a defined schedule.

Stateless Processing

Targetwise.AI does not store IBANs, bank account numbers, account holder names, or other sensitive financial identifiers submitted through the API. Verification requests are processed in memory and discarded upon delivery of the response. Only anonymised request metadata — including timestamps, response status codes, and request volumes — is retained for the purposes of billing and operational diagnostics.

Data Retention

API request and response payloads are not stored. Anonymised usage logs are retained for 90 days before automatic deletion. Client account and billing data is retained for three years from the date of last login, or six years where required for fiscal record-keeping under United Kingdom tax law. Data associated with continuous monitoring subscriptions is retained for the duration of the active subscription.

Request Lifecycle

Each API request follows a four-stage lifecycle. First, the client system transmits a request over an encrypted TLS connection. Second, the request is authenticated against the client’s API key and subject to rate limiting. Third, the submitted data is verified in real time against official government registries and banking sources. Fourth, the structured verification result is returned to the client and all sensitive request data is purged. No personally identifiable information is retained.

Targetwise.AI does not function as a data repository. We verify and respond. The only information we retain is what is strictly necessary for billing, platform diagnostics, and — where the client has subscribed — ongoing monitoring alerts.

Infrastructure Security

Targetwise.AI applies a defence-in-depth approach, with multiple overlapping layers of protection from the network perimeter through to the application core.

Network Protection

All infrastructure operates within isolated network environments protected by firewall rules that restrict traffic to authorised sources only. A Web Application Firewall is deployed at the network edge. Automated DDoS mitigation is active at all times.

Penetration Testing

Independent third-party penetration tests are conducted on an annual basis. Findings classified as critical or high severity are remediated within 72 hours. Summary reports are available to enterprise clients under a non-disclosure agreement.

Vulnerability Management

Automated vulnerability scanning runs continuously across both application and infrastructure layers. All software dependencies are monitored for known CVEs. Our patch management policy requires critical vulnerabilities to be addressed within 24 hours and high-severity issues within seven days.

Incident Response

Targetwise.AI maintains a documented incident response plan with clearly defined severity classifications. For incidents classified as P1, the response is initiated within one hour and affected clients are notified within four hours. A root cause analysis and post-incident review is published within five business days of resolution. Where required under GDPR, breach notifications to the relevant supervisory authority are made within 72 hours.

Monitoring and Logging

Infrastructure and application monitoring operates continuously with automated alerting. Logs are centralised and maintained as tamper-proof audit trails. All access to production systems is recorded and subject to periodic review.

Disaster Recovery

Servers are deployed in a redundant configuration with automated failover capability. The Recovery Point Objective is one hour. The Recovery Time Objective is four hours. All backups are encrypted and stored at a physically separate location within Germany.

Application Security

Security controls are integrated into every stage of the software development lifecycle.

Authentication and Access Control

All API access is authenticated using client-specific API keys. Rate limiting is enforced on a per-endpoint basis. IP whitelisting is available for enterprise accounts. The client dashboard enforces role-based access control with configurable permission levels.

Secure Development Practices

All code changes undergo peer review prior to merge. Static application security testing runs automatically on every pull request. Software dependencies are scanned for known vulnerabilities on each build. Architectural changes require a dedicated security review before approval.

Input Validation

All data received through the API is validated against defined schemas, typed, and sanitised before processing. The platform is hardened against the OWASP Top 10 vulnerability categories, including SQL injection, cross-site scripting, and cross-site request forgery.

Third-Party Data Sources

All connections to upstream data providers — including government registries and banking networks — are established over encrypted channels. Third-party services are subject to a security assessment prior to integration. Vendor access permissions are scoped to the minimum required and reviewed on a quarterly basis.

Compliance and Regulatory Alignment

Targetwise.AI is engineered to meet the compliance requirements of financial institutions, payment service providers, and regulated enterprise organisations.

GDPR — Compliant

Targetwise.AI is fully compliant with the General Data Protection Regulation. Data Processing Agreements are available to all clients upon request. The lawful basis for processing is legitimate interest for business-to-business data and contractual necessity for client account data. Requests for data erasure are honoured within 30 days.

PSD2 — Ready

Targetwise.AI’s verification services are designed to support PSD2 Strong Customer Authentication and Confirmation of Payee workflows for regulated payment institutions.

AML and KYB — Aligned

Company verification data is sourced directly from official government registries and supports Know Your Business requirements under the Fourth, Fifth, and Sixth Anti-Money Laundering Directives. Beneficial ownership data is available in jurisdictions where disclosure is mandated by law.

ISO 27001 — Certified

Targetwise.AI operates a certified Information Security Management System in accordance with ISO 27001. This includes systematic risk assessment, the implementation and maintenance of security controls, and a programme of continuous improvement.

SOC 2 Type II — Planned

A SOC 2 Type II audit is scheduled for the second half of 2026. Existing controls are designed and operated to satisfy the Trust Service Criteria for security, availability, and confidentiality.

Targetwise.AI provides a standard Data Processing Agreement compliant with GDPR Article 28 to all clients. Enterprise clients may request customised terms. Requests should be directed to [email protected].

Data Processing Summary

The following table summarises what data Targetwise.AI processes, whether it is stored, and applicable retention periods.

| Data Type | Processed | Stored | Retention |
| --- | --- | --- | --- |
| IBANs and account numbers | Yes — for verification | No | Purged immediately after response |
| Payee and account holder names | Yes — for matching | No | Purged immediately after response |
| VAT numbers | Yes — for validation | No | Purged immediately after response |
| API request metadata | Yes | Yes — anonymised | 90 days |
| Client account and billing information | Yes | Yes | 3 years from last login; 6 years for fiscal records |
| Continuous monitoring subscriptions | Yes | Yes — tracked entities only | Duration of active subscription |
| Payment card details | No — handled by third-party payment processor | No | Not applicable |

Sub-Processors

Targetwise.AI engages a limited number of sub-processors in the delivery of its services. These include Hetzner Online GmbH (Germany) for dedicated server hosting and infrastructure, third-party payment processors for client billing, and a defined set of government registry and banking network providers for upstream verification data. A complete list of sub-processors is included in the Data Processing Agreement. All sub-processors are bound by contractual data protection obligations that are equivalent to those maintained by Targetwise.AI.

Organisational Security

Technical controls are only effective when supported by strong organisational practices and a culture of security awareness.

Personnel Vetting

All employees and contractors with access to production systems are subject to background verification. Non-disclosure agreements are required as a condition of engagement.

Security Awareness

Security awareness training is mandatory for all personnel upon onboarding and is repeated on an annual basis. Simulated phishing exercises are conducted quarterly to reinforce secure behaviour.

Access Governance

Access to production systems is reviewed on a quarterly cycle. The principle of least privilege is enforced across all platforms and environments. Multi-factor authentication is required for all internal tools, cloud services, and infrastructure access.

Endpoint Protection

All corporate devices are enrolled in an endpoint detection and response programme. Full-disk encryption is mandatory. Automatic screen lock policies are enforced on all managed devices.

Business Continuity

Targetwise.AI maintains a documented business continuity and disaster recovery plan. The plan is tested annually. Key-person dependencies are addressed through cross-training and comprehensive operational documentation.

Responsible Disclosure

Targetwise.AI welcomes reports from security researchers who identify potential vulnerabilities. Responsible disclosure submissions can be directed to [email protected]. All reports are acknowledged within 48 hours.

Contact

For security enquiries, vendor assessment questionnaires, requests for documentation under NDA, or to schedule a review with our security team, please contact:

[email protected]

Targetwise.AI is operated by Global Data Intelligence Limited.
Company number: 09410808
Registered address: Artisans’ House, 7 Queensbridge, Northampton, Northamptonshire, United Kingdom, NN4 7BF