Trust
The receipts: compliance, sub-processors, threat model.
Everything we share with prospects under NDA, also published here.
Compliance
What we have and what's in flight.
- GDPR · DPA on request
- Sub-processor list · public
- SOC 2 Type I · Q3 2026
- SOC 2 Type II · Q1 2027
- ISO 27001 · Q4 2026
- PCI-DSS SAQ-A · Q3 2026
Sub-processors
The vendors we rely on.
| Sub-processor | Purpose | Region |
|---|---|---|
| Hetzner Online GmbH | Compute, network, storage | EU (Germany, Finland) |
| Cloudflare, Inc. | DNS + WAF (edge) | Global (EU termination) |
| Stripe Payments Europe Ltd. | Billing | EU (Ireland) |
| Sentry GmbH | Error monitoring | EU |
| PostHog (HogQL) — self-hosted | Product analytics | EU (fra1) |
Threat model
What we think will go wrong, and what we do about it.
Our threat model is published on GitHub. It is updated quarterly. The summary:
- Customer code is untrusted. Cross-tenant escape is the primary threat.
- SSH access is short-lived, CA-signed, and audited end-to-end.
- The control plane never has direct write access to customer file systems; provisioning is gated by Temporal workflows with idempotency keys.
- Secrets live in SOPS-encrypted files in git, with two recipients (dev + prod).
- Postgres is bound to a private IP only; reached via SSH tunnel for ops.
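An added example, not our code and not part of the published threat model: a small audit check for the "short-lived, CA-signed SSH access" bullet. It decodes an OpenSSH ed25519 user certificate (field layout per OpenSSH's PROTOCOL.certkeys) and flags certificates that are not user certificates, have no principals (which OpenSSH treats as valid for any user), exceed a lifetime limit, or are outside their validity window. The eight-hour limit, the `alice@ops` key id and the dummy key, nonce and signature bytes in the constructed test certificate are assumptions for the example; the CA signature is not verified here, that remains sshd's job.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # certificate types from PROTOCOL.certkeys: 1 = user, 2 = host
# Policy threshold: an assumption for this example, not a number the page states.
MAX_USER_CERT_LIFETIME = 8 * 3600


def _string(b: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 big-endian length prefix + bytes)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated certificate blob")
    return buf[off:off + n], off + n


def _read_int(buf: bytes, off: int, fmt: str):
    size = struct.calcsize(fmt)
    return struct.unpack(fmt, buf[off:off + size])[0], off + size


def parse_ed25519_cert(blob: bytes) -> dict:
    """Decode an ed25519-cert-v01@openssh.com blob (field order per OpenSSH
    PROTOCOL.certkeys). The CA signature is NOT verified here; sshd does that."""
    off = 0
    kind, off = _read_string(blob, off)
    if kind != CERT_TYPE:
        raise ValueError(f"unsupported key type {kind!r}")
    _nonce, off = _read_string(blob, off)
    _pk, off = _read_string(blob, off)
    serial, off = _read_int(blob, off, ">Q")
    ctype, off = _read_int(blob, off, ">I")
    key_id, off = _read_string(blob, off)
    principals_raw, off = _read_string(blob, off)
    valid_after, off = _read_int(blob, off, ">Q")
    valid_before, off = _read_int(blob, off, ">Q")
    # Remaining fields (critical options, extensions, reserved, CA key,
    # signature) are skipped: the policy below does not need them.
    principals, p = [], 0
    while p < len(principals_raw):  # "valid principals" is a nested list of strings
        name, p = _read_string(principals_raw, p)
        principals.append(name.decode())
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before}


def parse_cert_line(line: str) -> dict:
    """Parse one 'ssh-ed25519-cert-v01@openssh.com <base64> [comment]' line,
    i.e. the contents of an id_ed25519-cert.pub file."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != CERT_TYPE.decode():
        raise ValueError("not an ed25519 certificate line")
    return parse_ed25519_cert(base64.b64decode(parts[1]))


def check_cert_policy(cert: dict, now: int, max_lifetime: int = MAX_USER_CERT_LIFETIME) -> list:
    """Return the list of policy violations (empty list = compliant)."""
    problems = []
    if cert["type"] != USER_CERT:
        problems.append("not a user certificate")
    if not cert["principals"]:
        # An empty principal list means "valid for any user" in OpenSSH.
        problems.append("no principals: certificate would be valid for any user")
    lifetime = cert["valid_before"] - cert["valid_after"]
    if lifetime > max_lifetime:
        problems.append(f"lifetime {lifetime}s exceeds policy maximum {max_lifetime}s")
    if not (cert["valid_after"] <= now < cert["valid_before"]):  # valid_before is exclusive
        problems.append("outside validity window at the time of the check")
    return problems


def build_constructed_cert(valid_after: int, valid_before: int, principals: list,
                           ctype: int = USER_CERT, key_id: str = "alice@ops") -> str:
    """Build a CONSTRUCTED certificate line for exercising the parser. Key,
    nonce and signature bytes are dummies, so ssh(1) would reject it; only the
    wire layout is real."""
    body = (
        _string(CERT_TYPE)
        + _string(b"\x00" * 32)                       # nonce (dummy)
        + _string(b"\x11" * 32)                       # ed25519 public key (dummy)
        + struct.pack(">Q", 7)                        # serial
        + struct.pack(">I", ctype)
        + _string(key_id.encode())
        + _string(b"".join(_string(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _string(b"") + _string(b"") + _string(b"")  # critical options, extensions, reserved
        + _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32))  # CA public key (dummy)
        + _string(b"\x00" * 64)                       # signature (dummy, not verified)
    )
    return f"{CERT_TYPE.decode()} {base64.b64encode(body).decode()} {key_id}"


if __name__ == "__main__":
    now = 1_700_000_000
    for line in (build_constructed_cert(now - 60, now + 3600, ["alice"]),
                 build_constructed_cert(now - 60, now + 30 * 86400, [])):
        cert = parse_cert_line(line)
        print(cert["key_id"], cert["principals"], check_cert_policy(cert, now))
```

Point `parse_cert_line` at real `*-cert.pub` files (or at the certificates your CA logs when it issues them) to confirm that every user certificate in circulation is principal-scoped and within the lifetime the threat model promises; a single cert with an empty principal list or a multi-day window is the finding this check exists to surface.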
Request a DPA
Need contracts before you sign up?
DPA, security questionnaire, evidence pack — we send them within one business day.