Trust & Security
How we protect your data. EU-hosted, GDPR-compliant, AI-transparent. We publish our security practices openly.
How We Protect Your Data
6 pillars of security aligned with international standards
AI Transparency
See which models reviewed each record, how they voted, and why. No black boxes. EU AI Act Art. 50 compliant. You have access to the full list of models and their capabilities.
Data Protection
Encrypted in transit (TLS) and at rest (AES-256). GDPR-compliant by design. Your data is never used to train AI models. We process data only for the purpose you specify.
Data Residency
All infrastructure is configured for europe-west1 (Belgium) on Google Cloud Platform. Note: AI model evaluations are processed by third-party providers (see Sub-processors).
Payment Security
PCI-DSS SAQ A compliant via Stripe. We never see, store, or process raw card data. All payments are tokenized.
Retention & Deletion
Projects: 60-day grace period. Screenings: 30 days. Accounts: 90 days. After the grace period, personal data is anonymized. Billing data is retained for 7 years per fiscal obligation.
Compliance
GDPR, EU AI Act (August 2026), PCI-DSS (via Stripe), LFPDPPP (Mexico), LGPD (Brazil). SOC 2 is on our roadmap. We publish our security practices openly.
Sub-processors
Third-party service providers with Data Processing Agreements (DPAs) in place
| Provider | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure, Cloud Run, Cloud SQL | EU (Belgium) |
| OpenAI | AI model provider | US |
| Anthropic | AI model provider | US |
| Google (Gemini) | AI model provider | US/EU |
| Mistral AI | AI model provider | EU (France) |
| xAI | AI model provider | US |
| Stripe | Payment processing | US/EU |
| Resend | Transactional email | US |
| Firebase | Authentication | US |
Questions about our security?
Our team is here to help. Contact us for a detailed security assessment or to discuss your compliance requirements.