Trust Center
What we have in place, what’s coming, and how to verify.
Compliance posture
In place
GDPR-aligned
Data residency in EU on request. Privacy + cookie consent live.
In place
HIPAA-ready architecture
BAA available for healthcare engagements. Encryption at rest + in transit.
In place
Built on SOC2 Type II infrastructure
Vercel (compute) and Supabase (database) are both SOC2 Type II audited. Our own studio-level SOC2 is on the roadmap.
In place
Encryption
AES-256 at rest, TLS 1.3 in transit — inherited from Vercel + Supabase.
In place
NDA + DPA
Available on request before kickoff. Mutual NDA + GDPR-compliant DPA.
In place
Vendor questionnaires
We respond to standard security questionnaires within 48 hours of request.
How we handle data
Where is client data stored?
Default infrastructure: Vercel (compute, multi-region) and Supabase (Postgres, regional). For EU residency we use the eu-west region; for HIPAA workloads we configure a private project in a HIPAA-supporting region.
Who has access on our side?
The lead engineer for your engagement and one senior team member. Access is logged and revoked on engagement end.
What happens at engagement end?
You receive: source code, infrastructure runbook, all documentation. We delete our copies within 30 days and provide a deletion certificate on request.
Can you sign our DPA / vendor questionnaire?
Yes. We respond to standard security questionnaires within 48 hours, and sign mutual NDA + GDPR-compliant DPA before kickoff.
Do you support EU/US/UAE data residency?
Yes. Tell us your residency requirement during discovery and we configure infrastructure accordingly — Supabase + Vercel both support multi-region.
For procurement teams
Vendor security pack with prefilled questionnaire responses. 48-hour turnaround.
Request the security pack