Trust & security

Built to pass procurement.

The security posture, data handling, and documents your legal team needs. All of it here, ready to read before we ever talk.

Last updated Jun 2026

The basics

Where your data sits, and who can touch it.

Data residency
Configurable per engagement; EU/US regions available.
Encryption
In transit (TLS 1.2+) and at rest (AES-256).
Access control
Read-only during Discovery; least-privilege, scoped, time-bound thereafter. SSO/MFA on all internal access.
Sub-processors
Disclosed list, maintained and versioned. Notice before changes.
Incident response
Documented runbook; breach notification within GDPR timelines.
GDPR role
Processor. We act on your documented instructions.

Compliance

GDPR Art. 28 to 33

The four articles your DPO will ask about, and exactly how each one is covered.

Article | How we satisfy it
Art. 28 · Processor obligations | Executed DPA; documented instructions; flow-down to sub-processors.
Art. 30 · Records of processing | Maintained per engagement, available to your DPO.
Art. 32 · Security of processing | Encryption, access control, monitoring, tested rollback.
Art. 33 · Breach notification | Defined process and contacts; notification within statutory timelines.

Standards

Certifications & roadmap

Standard | Status
GDPR processor posture | Live
SOC 2 Type II | In progress (target Q4 2026)
ISO 27001 | Roadmap

We don’t claim certifications we don’t hold. What you see is current.

For your review

Documents

Built to be handed real access, safely.

Need something specific for your review? Tell us what your legal team is missing and we’ll send it over.

Start with a 30-minute call.