Data handling
Honest data hygiene.
We don't claim GDPR compliance, SOC2, or audited certifications. That would be misrepresentation at a one-person company. Here's what we do provide by default — included in every €2k deploy + €300-400/mo retainer.
By default
- EU residency. Per-client compute in Hetzner Falkenstein/Nuremberg/Helsinki. Per-client Postgres in Neon EU. No US sub-processor in the data path except Anthropic itself (EU API endpoint).
- Per-client isolation. Your VPS, your Postgres, your scoped API keys. No shared multi-tenant data path. One client's data cannot touch another's — by architecture.
- Retention. Raw transcripts: 90 days rolling. Extracted entities + RAG memory: life of contract. Per-contact deletion: `5050 forget --client X --contact-email Y` within 7 days.
- Sub-processor transparency. Full list available on request: Anthropic, Hetzner, Cloudflare, Granola/Fathom/Gong, Prospeo, BetterContact, PredictLeads.
If you need a DPA
We don't operate as a Processor under a formal DPA at our SMB tier — that's a real obligation we can't honor sustainably at this size.
Instead: we'll build the agent for you and hand off the keys. You operate it on your infrastructure, your existing GDPR posture covers it, we don't touch your data after handoff. Typical: 3x deploy fee, no recurring.
For procurement teams that need a negotiated DPA + audit logs + pentest — that's our Enterprise tier (€50k+ separate SOW). Ask on the call.
Incidents
We commit to notifying you within 72 hours of a confirmed breach affecting your data (matches GDPR statutory window). v1 has no formal uptime SLA — we run on Hetzner's ~99.9% baseline.