Security

Security at every layer.

Independent audits, encryption by default, and explicit data residency. Built so your security team can sleep.

Trust overview

  • GDPR-aligned
  • DPA on request
  • EU-hosted
  • TLS 1.3
  • AES-256 at rest
  • No training on your data

Security pillars

Encryption

AES-256 at rest, TLS 1.3 in transit, customer-managed keys on Enterprise.

  • AES-256 at rest
  • TLS 1.3 in transit
  • Customer-managed keys (KMS)
  • Per-tenant key isolation

Identity & access

Google & Apple OAuth with optional 2FA enforcement.

  • Google OAuth
  • Apple OAuth
  • Authenticator-app (TOTP) 2FA
  • Session expiry policy

Data residency

All tenant data stays on EU infrastructure (Hetzner). No third-region replication.

  • EU-hosted (Hetzner)
  • Single-region by default
  • Audit-logged configuration changes

Sub-processors

A current list with purpose, region, and DPA links. Updated quarterly.

  • Updated quarterly
  • Notification on additions
  • DPA on every vendor

Data flow

  1. 01

    Client

    Browser or API consumer over TLS 1.3.

  2. 02

    Edge

    Cloudflare WAF + bot management + DDoS shield.

  3. 03

    API

    Authenticated, rate-limited, signed requests.

  4. 04

    Core

    Tenant-isolated workers, encrypted volumes.

  5. 05

    Storage

    AES-256 + per-tenant keys, region-pinned.

Sub-processors

VendorPurposeRegionDPA
Hetzner Online GmbHInfrastructure hosting (compute, storage)EU (Germany)View
Cloudflare, Inc.Edge proxy, DNS, WAFGlobal edgeView
OpenAI, L.L.C.LLM inference (opt-in)USView
Anthropic PBCLLM inference (opt-in)USView

Compliance documents

PDF

Standard DPA

Pre-signed Data Processing Agreement, GDPR Article 28.

420 KBUpdated Mar 2026

Read more in the docs.

Or talk to sales for tailored compliance materials.

Read the docsTalk to sales