Security & Trust
All measures listed here are part of our Terms of Service (Data Processing Addendum plus technical and organisational measures, TOMs, in Annexes 2 and 3). This page is a summary; the full binding text is in the German Terms.
Hosting & Certifications
Our entire infrastructure runs on Google Cloud Platform (GCP). The data centers are ISO 27001 and SOC 2 Type II certified (biometric access control, video surveillance, on-site security personnel, multi-layer perimeter security).
EU Data Location
Operated in the GCP regions europe-west9 (Paris) and europe-west3 (Frankfurt). Customer data and research data remain within the EU.
Encryption
In transit: TLS 1.2 or later (TLS 1.3 where supported). At rest: AES-256, provided by GCP's default encryption at rest. Secrets and API keys are stored in GCP Secret Manager, not in code or configuration files.
Access & Tenant Separation
Strict tenant separation between organizations. Role-based access control (RBAC) within each organization. Administrative access to production requires two-factor authentication and is logged.
Backups & Disaster Recovery
Daily Firestore backups, object versioning on Google Cloud Storage (GCS), and daily backups of the Qdrant vector database (via its cloud-native backup mechanism). A documented disaster recovery (DR) plan is in place.
Monitoring & Protection
DDoS protection and anomaly detection via Google Cloud Armor (Adaptive Protection; WAF rules based on the OWASP Core Rule Set, CRS v3.3). Structured logging with trace IDs for request correlation; central monitoring via Cloud Logging and Cloud Monitoring.
Data Processing Agreement (Art. 28 GDPR)
The DPA is part of our Terms (Part 2, AVB, the data processing terms). The TOMs are in Annex 2, the subprocessors in Annex 3.
Subprocessors
All subprocessors are based in the EU or process data exclusively within the EU. Summary (full list in Annex 3 of the Terms):
- Google Cloud EMEA Ltd.: hosting (GCP europe-west9 Paris, europe-west3 Frankfurt)
- Stripe: payment processing
- sevdesk: invoice archive and accounting
- Others: see Annex 3 of the Terms
Report a Security Incident
Suspected security incidents: security@conformi.eu. Data-protection requests: datenschutz@conformi.eu.
The full binding text is in the Terms of Service (Annex 2: TOMs, Annex 3: Subprocessors).