Security
How we handle your data.
This page is the technical and legal answer to every question a procurement team will ask. We keep it short, plain-language, and current.
Where your data lives
- Default infrastructure: Hetzner Cloud, Germany and Finland (Nuremberg, Falkenstein, Helsinki). EU datacentres only.
- On-prem / private cloud: Available on request. We have shipped engagements that run entirely inside the client network, with management access controlled by the client's existing identity and network controls. If your regulatory posture requires it, this is the model.
- DNS and edge: Cloudflare (anycast, EU routing preferred). TLS termination at the edge with HSTS preload.
- LLM traffic: Routed through per-tenant API keys with budget caps. Multiple providers behind a fallback router so one outage does not take you down. Data sent to LLM providers is subject to their policies — we document which endpoints are active for each engagement.
What we do with your data
- We do not resell or repackage it. Your data is not used to train shared models, generate marketing content, or benchmark other clients.
- We isolate per-tenant. Each client in the multi-tenant Framework product runs on a dedicated VPS, dedicated Cloudflare tunnel, dedicated LLM key, dedicated budget cap.
- We keep logs for operations. Error logs, access logs, and audit trails are retained for 90 days by default. Longer retention on request, configurable per engagement.
- We hand back code and data on exit. Every engagement ends with the client owning the code, the infrastructure configuration, and their data. No platform lock-in.
Compliance posture
We are honest about what we have and have not completed. This section is updated as things change.
| Framework | Status | Notes |
|---|---|---|
| GDPR | Applicable | EU company, EU infrastructure. DPA available on request. |
| SOC 2 | Not certified | If SOC 2 is a hard requirement, say so in the first call and we will tell you whether it makes sense for the engagement. |
| ISO 27001 | Not certified | Same answer as SOC 2. |
| HIPAA / PHI | Not a fit | We do not handle US health data. If that is your domain, we are the wrong vendor. |
| Data Processing Agreement | Available | Sign on request. Standard EU contractual clauses included. |
Engineering practices
- Adversarial review before launch. Our Rescue product shipped with 26 explicit edge-case tests on the egress firewall. We do this for every security-critical surface.
- Fail-closed defaults. Egress resolvers, auth gates, and sandbox boundaries are designed to fail closed, not open. Ask us about the specific patterns.
- CSP and hardened headers. Every site we run ships with Content-Security-Policy, strict HSTS with preload, COOP, CORP, permissions-policy. This site is an example.
- Per-tenant budget caps. A runaway agent on one tenant cannot burn through another tenant's LLM budget.
Incident response
- Monitoring. Heartbeat checks across the fleet. Cron jobs that fail loudly instead of silently.
- Contact. Incident escalation goes to a monitored email and Discord channel. Exact SLA is engagement-specific.
- Post-mortems. Written. Shared with the affected client. We do not gaslight customers about outages.
What we are not
We are not a compliance shop. We do not sell certifications. We do not pretend to be a 200-person SOC-audited vendor. We are a small engineering team that ships honest AI systems for companies that need the thing to actually work. If your procurement process requires three years of audit artifacts before the first conversation, we are the wrong fit — and we would rather tell you that on day one.