Security & Data Protection
Built for compliance professionals who handle sensitive regulatory documents. Your data stays in the EU, is encrypted at every layer, and is never used to train AI models.
EU Data Residency
- All data is processed and stored exclusively within the European Union.
- Infrastructure runs in Frankfurt, Germany (eu-central-1) — no data leaves the EU.
- Analytics are consent-gated — no tracking without your explicit permission.
AI Processing
- AI analysis runs on enterprise AI infrastructure in the EU with contractual guarantees against model training on your data.
- Your documents and queries are never used to train AI models.
- Uploaded documents are processed in-memory — only the analysis output is saved to your account.
Encryption
- All data encrypted in transit (TLS 1.2+).
- All data encrypted at rest (AES-256).
- Security headers enforced: Content Security Policy, HSTS with preload, X-Frame-Options DENY, X-Content-Type-Options nosniff.
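A check for the header policy stated above, added here as an example and not code from this site; the header sets it inspects are constructed samples, and the HSTS thresholds follow the preload list's published requirements (one-year max-age, includeSubDomains, preload).

```python
# Added example (not from this page): check a response's security headers
# against the policy stated above. The sample header sets are constructed.
HSTS_MIN_AGE = 31536000  # one year, the minimum the HSTS preload list requires

def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def check_security_headers(headers):
    """Return findings for a dict of response headers; empty means compliant."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # A Content-Security-Policy-Report-Only header reports but does not enforce.
    if "content-security-policy" not in h:
        findings.append("CSP not enforced")
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    max_age = int(hsts["max-age"]) if hsts.get("max-age", "").isdigit() else -1
    if max_age < HSTS_MIN_AGE:
        findings.append("HSTS max-age below one year")
    if "includesubdomains" not in hsts:
        findings.append("HSTS missing includeSubDomains")
    if "preload" not in hsts:
        findings.append("HSTS missing preload")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    return findings

# Constructed sample header sets: one meeting the policy, one falling short.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
WEAK_HEADERS = {
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
}
if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, check_security_headers(hdrs) or "OK")
```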
Access Control
- Row-level access controls ensure complete data isolation between users.
- All API endpoints require authenticated sessions.
- Rate limiting on query and document upload endpoints.
- Payment processing via Stripe (PCI DSS Level 1) — we never see or store your card details.
Your Rights (GDPR)
- Delete your account at any time via Settings — all data is permanently removed.
- Export your data in JSON format via Settings — includes your profile, reports, watchlist, and feedback.
- Cookie consent required before any analytics or tracking.
- Full privacy policy at /legal/privacy. Data Processing Agreement at /legal/dpa.
Subprocessors
We use the following third-party providers to deliver our service. All process data within the EU.
| Provider | Purpose | Data Location |
|---|---|---|
| AWS | AI processing, knowledge base infrastructure | Frankfurt, Germany |
| Supabase | Authentication, database | EU region |
| Vercel | Website hosting, edge functions | EU edge network |
| Stripe | Payment processing | EU (PCI DSS Level 1) |
| PostHog | Product analytics (consent-gated) | EU instance |
Compliance Roadmap
- Penetration testing — planned for Q3 2026.
- SOC 2 Type II — evaluation planned for 2027.
- We continuously monitor dependencies for known vulnerabilities and apply patches promptly.
Contact
- Security concerns: security@financialregulations.eu
- Privacy questions: privacy@financialregulations.eu
AI-generated output — not legal advice. Verify independently.