Ways Of Being

HOW YOUR COACHING DATA IS HANDLED

Trust & Data Protection

Coaching surfaces a lot of interior life. We treat the data that carries it with the same seriousness.

Where your coaching conversations live

Every Wobot dialog, Innate self-assessment, coaching chat, and mission-assist turn is processed by Mistral AI, a French company whose inference runs on servers located in the European Union. The API endpoint your conversations reach is api.mistral.ai. Your text does not cross into US jurisdiction at any point in the coaching flow.

We chose Mistral specifically because, as a French company under EU law, they are structurally outside the reach of the US CLOUD Act and Schrems-III concerns that apply to American AI providers — not because of contractual assurances, but because of jurisdiction.

Where semantic search lives

When the AI assistant in your workspace needs to retrieve relevant methodology, your question is first converted into a mathematical representation (an "embedding") that the search index can compare against. That conversion also happens at Mistral, in the EU. The search index itself (pgvector) lives on our Hetzner servers in Helsinki, Finland and Falkenstein, Germany.

Honest scope — where OpenAI is still used

We keep one exception transparent: the payroll assistantthat explains payslips and audits pay runs uses OpenAI’s GPT-4.1 Mini model, accessed via the US-based OpenAI API. Payroll conversations are a business-operations surface (HR professionals asking about calculations, not coaching content), and the payslip explainer depends on a complex agentic tool-use loop where OpenAI’s reliability meaningfully exceeds current alternatives. OpenAI is covered by our DPA and opt-out-of-training settings, but this one surface does cross the Atlantic. We name it here rather than hide it.

We never train AI on your content

Both Mistral and OpenAI are configured with training-on-customer-inputs opted out by default. We do not enable any feedback mechanism that would route your conversations into a model improvement dataset. No exception applies to coaching content.

Who can access stored conversations

Mission transcripts, Wobot history, and assessment results are stored in our Postgres database on EU infrastructure, with AES-256-GCM encryption-at-rest on mission narrative and transcript fields. Access is role-based: you, your assigned coach, and HR admins in your own organisation (where the organisation has contracted coaching for its employees) — no one else. Every access is auditable.

Certifications and legal basis

  • Mistral AI: ISO 27001 (information security), ISO 27701 (privacy extension — the one GDPR auditors look for), SOC 2 Type II. Standard, self-serve Data Processing Addendum covering GDPR and Standard Contractual Clauses published at legal.mistral.ai. Their sub-processor list is published at trust.mistral.ai/subprocessors.
  • OpenAI (payroll-only): SOC 2 Type II, ISO 27001, DPA with Standard Contractual Clauses for EU transfers, opted-out of training by default for API usage.
  • Ways of Being: data controller under GDPR for your account and coaching relationship.

Incident response

In the unlikely event of a security incident affecting your data, we commit to notifying affected users within 72 hours of becoming aware, consistent with GDPR Article 33. Our coach roster is trained on confidentiality obligations.

Questions?

Email support@waysofbeing.ai — we answer DPA, data-access, and deletion requests within one business week.

Last reviewed: April 2026. See also our Privacy Policy and Terms of Use.

DemoProspectsMap