Trust & Privacy

Compliance Concierge is built for B2B vendor risk reviews. The same rigor we help you answer applies to us.

Hosting region

All customer data is stored on our own infrastructure in Frankfurt, Germany (Hostinger data center, self-hosted Supabase stack). We will never silently relocate your data.

Tenant isolation

Every table in our database has Postgres Row-Level Security policies enforcing that you can only read and write your own rows. Vector similarity search is additionally filtered by user id at query time — defense in depth.

Subprocessors

  • Hostinger (server hosting for our self-hosted database, auth, and file storage) — Frankfurt, Germany.
  • Mistral AI (evidence search, draft assistance & embeddings) — an EU company (Paris, France) with EU-hosted inference api.mistral.ai. Mistral does not use API customer data to train its models; only the minimum context necessary is sent.
  • Vercel (web hosting) — Functions pinned to Frankfurt (fra1) in the deployment configuration.
  • Stripe (payment processing) — handles subscription billing only. Stripe never receives your document or questionnaire data.

Data minimization

We process only what you upload: PDFs (your policies/evidence) and Excel files (your customer's questionnaire). Documents are encrypted at rest. Delete a document and the source plus all embedded chunks cascade-delete.

AI safety

AI output is treated as a review draft, not a final compliance answer. Nothing exports without explicit human review. When the uploaded documents do not provide enough support, the answer is marked as needing evidence so a reviewer must edit it manually or upload better source material.

Contact

For a Data Processing Addendum or security questionnaire of your own, email kristian.hoffmann@me.com.