Trust Center

Trust & Security

EU-built, EU-incorporated, EU-hosted. Every artifact procurement asks for is on this page or one click away: DPA, sub-processor list, security posture, vuln disclosure. Last reviewed 21 May 2026.


Certifications & roadmap

Honest about where we are. Live capabilities are live. Certifications in progress are dated; planned items have target windows. No claims we cannot back up.

Item | Status | Detail
GDPR / DSGVO | Live | By design. DPA on signup. Sub-processor list public.
EU data residency | Live | Production data in Hetzner Falkenstein, Germany. Backups encrypted, replicated in-EU.
ISO 27001 | In progress | Statement of Applicability drafted. Stage 1 audit targeted Q1 2027.
SOC 2 Type II | In progress | Observation window opens Q3 2026. Type II report targeted Q4 2026.
ISO 27701 (privacy) | Planned | Extension on top of the ISO 27001 ISMS. Targeted 2027 H2.
TISAX | On request | Available for automotive supply-chain customers on the Multi-Entity tier.

Technical & organisational measures (GDPR Art. 32)

The defaults we ship with, not features behind a paywall. Mirrors Annex II of the DPA.

Encryption

  • TLS 1.3 in transit; HSTS preload on every customer-facing domain.
  • AES-256 at rest (DB + object storage).
  • Per-object encryption keys for reporter attachments; keys in a separate KMS.
  • Bcrypt cost 12 for reporter secrets; Argon2id for staff where the IdP supports it.

Access control

  • SSO via Clerk with admin-enforceable MFA (TOTP + hardware keys).
  • Role-based access: admin, manager, investigator, auditor.
  • Per-case authorization (handlers see only assigned cases).
  • Quarterly access review documented in change-management.

Audit logging

  • Append-only audit log on every action (submission, assignment, status, AI suggestion).
  • Hash-chained on the application layer.
  • Daily export to a separate WORM bucket, 7-year retention.
  • Exportable as CSV/JSON for regulator inspection.
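An added example, not the product's own code, of what "hash-chained on the application layer" means for an audit log like the one described above: each entry commits to the previous entry's hash, so an in-place edit or a deleted entry breaks verification, while silently dropping the newest entries is only caught by a head hash kept outside the database (the role the daily WORM export plays). Field names and sample events are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash value for the very first entry

def entry_hash(entry: dict) -> str:
    # Hash covers every field except the entry's own "hash"; sorted keys and
    # compact separators make the serialisation deterministic.
    body = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()

def append_entry(log: list, ts: str, action: str, case_id: str, actor: str, detail: dict) -> dict:
    # Each new entry commits to the previous entry's hash, which forms the chain.
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "ts": ts, "action": action, "case_id": case_id,
             "actor": actor, "detail": detail, "prev_hash": prev}
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry

def verify_chain(log: list):
    """Return (True, None) if intact, else (False, index of the first bad entry)."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if (entry.get("seq") != i or entry.get("prev_hash") != expected_prev
                or entry_hash(entry) != entry.get("hash")):
            return False, i
        expected_prev = entry["hash"]
    return True, None

def verify_against_anchor(log: list, anchored_head: str) -> bool:
    # Dropping entries from the tail leaves a chain that still verifies; only a
    # head hash stored outside the database (e.g. with the daily WORM export) catches it.
    ok, _ = verify_chain(log)
    return ok and bool(log) and log[-1]["hash"] == anchored_head

def build_sample_log() -> list:
    # Constructed sample events (not real data), one per action type listed above.
    log = []
    append_entry(log, "2026-05-21T09:00:00Z", "submission", "case-0001", "reporter", {"channel": "web"})
    append_entry(log, "2026-05-21T09:05:00Z", "assignment", "case-0001", "manager", {"to": "investigator"})
    append_entry(log, "2026-05-21T09:06:00Z", "ai_suggestion", "case-0001", "system", {"category": "fraud"})
    append_entry(log, "2026-05-21T09:30:00Z", "status", "case-0001", "investigator", {"from": "new", "to": "in_review"})
    return log
```

A verifier run over the WORM export should compare the export's last hash with the live table's head before trusting either copy.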

Data minimisation

  • Reporter IPs stripped at ingress; never persisted.
  • EXIF stripped from uploaded images automatically.
  • Free-text fields not indexed for search outside the tenant.
  • AI runs per-request with no retention by the sub-processor.

Resilience

  • Multi-AZ Postgres with synchronous EU replica.
  • Daily encrypted backups, 30-day retention. Restore drill at least monthly.
  • RTO 4 hours · RPO 1 hour for the production database.
  • WAF + DDoS protection at the edge (Cloudflare).

Vendor & people

  • Background checks for all production-access personnel.
  • Hardware MFA mandatory for engineering and support.
  • Annual security + privacy training; refresher on policy change.
  • Annual third-party pen test; summary available under NDA.

Sub-processors

Public list, updated whenever it changes. Customers get 30 days' notice before a new sub-processor goes live and can object. Subscribe to updates.

Sub-processor | Country | Purpose | Residency / transfer basis
Hetzner Online GmbH | Germany | Application + DB hosting (Falkenstein) | EU
Cloudflare Ireland Ltd | Ireland | Edge network, WAF, DDoS protection | EU termination (EU customer data localisation)
Clerk, Inc. | USA | Staff identity (sign-in, MFA) | EU residency enabled; SCCs + DPF
AWS EMEA SARL (Bedrock) | Germany | LLM inference, eu-central-1 | EU (Frankfurt); Zero Data Retention
Stripe Payments Europe | Ireland | Billing | EU controller for card-network data
AWS EMEA SARL (SES) | Germany | Transactional email (eu-central-1) | EU
Sentry GmbH | Germany | Error monitoring (report content scrubbed before send) | EU

Incident response

  • 24/7 paging on security alerts. On-call engineer responds within 15 minutes.
  • 24-hour notification to controllers on confirmed personal data breach. GDPR Art. 33 (72h) is the legal floor; we cut it to 24.
  • Documented playbooks for personal data breach, account takeover, ransomware, supply-chain compromise.
  • Annual tabletop exercise covering at least one personal-data scenario.

Responsible disclosure

Found something? Email [email protected] with steps to reproduce. We acknowledge within 24 hours and triage within three working days. We do not threaten legal action against good-faith researchers who follow this process.

PGP key on request. We do not currently run a paid bug-bounty programme but publicly credit reporters who help us improve.

Data flows

  • Reporter → channel URL → Hetzner Falkenstein (DE). No IP retained.
  • Staff → app.confidly.eu → Clerk (EU residency) → app backend.
  • AI calls → AWS Bedrock eu-central-1 → ephemeral LLM inference, no retention.
  • Transactional email → AWS SES eu-central-1. Customer staff only; never reporters.
  • Backups → encrypted to a second EU region with a separate KMS key.

GDPR rights

Data subjects can exercise GDPR Articles 15-22 by emailing [email protected]. We respond within 30 days. Where we are the processor (case content), the request is routed to the customer-controller.

Supervisory authority: Estonian Data Protection Inspectorate (AKI), Tatari 39, 10134 Tallinn.

Compliant by design. Audit-ready by default.

14-day free trial. EU-hosted. DPA on signup. SOC 2 Type II in progress.
