Trust

We build AI agents that touch real customer data and run in production. This page describes who has access to that data, where it lives, and how we treat it.

Last reviewed 2026-04-30

Data residency

All client-portal data — Postgres rows, uploaded documents, transactional emails — is hosted on Hetzner Cloud in Falkenstein, Germany (EU). We do not replicate this data outside the EU.

AI inference happens at Anthropic. By default this is Anthropic’s US infrastructure; clients with strict residency requirements can ask us to route inference through Anthropic’s EU data-residency offering. Anthropic does not train on traffic sent through their commercial API.

Subprocessors

We use the following third parties to deliver our service. Each has a Data Processing Agreement with us. We’ll notify clients on the email address attached to their account at least 14 days before adding or replacing a subprocessor that handles personal data.

Vendor	Purpose	Data	Hosting	DPA
Hetzner Online GmbH	Application hosting, Postgres, Redis, object storage	All client-portal data at rest	Falkenstein, Germany (EU)	link
Anthropic, PBC	AI inference for deployed agents and the marketing chat widget	Prompts, model outputs, agent traces (no API training)	United States (with EU data-residency option for Claude Enterprise)	link
Resend, Inc.	Transactional email (magic-link sign-in, system notifications)	Email addresses and message bodies	United States	link
Cloudflare, Inc.	DNS, edge caching, DDoS protection	Request metadata, IP addresses	Global edge network	link

Security posture

Encryption. TLS 1.3 in transit. Postgres and object storage encrypted at rest by the host (Hetzner). Document downloads use short-lived (15-minute) signed URLs — no long-lived public links.
Authentication. Magic-link sign-in (passwordless). TOTP available for staff accounts; required for any account with administrative privileges. SSO via SAML/OIDC available on request for enterprise clients.
Access control. Every client’s data is namespaced by client ID at the database level. Membership is enforced at every server endpoint and re-checked on every signed-URL request.
Audit log. Every document and invoice access, every invitation, every MFA change writes an immutable audit row including timestamp, user, IP, and user agent. Retention: 12 months.
Compliance.We are not currently SOC 2 certified. We follow the 2026 Trust Services Criteria as our north star and will pursue formal Type II once the portal is past its first three production clients. Until then, anything we say about our controls is subject to your own verification — we’re happy to walk you through architecture, run pen-test reports past you, and answer security questionnaires.

Legal documents

Data Processing Agreement (DPA)
Article 28-compliant. We countersign on request.
Request
Master Services Agreement (MSA)
Standard MSA + per-engagement SOW. We’ll redline.
Request
Mutual NDA
Standard mutual non-disclosure for evaluation.
Request

Incident response

If we discover a security incident affecting a client’s data, we contact the named security and legal contacts on that client’s account within 24 hours of confirmation, regardless of whether disclosure is legally required. We publish post-mortems for confirmed customer-impacting incidents within 14 days of resolution. Found something we should know about? Email security@altailabs.ai.

Contact

Security: security@altailabs.ai
Privacy / DPO: privacy@altailabs.ai
Legal: legal@altailabs.ai
General sales / questions: hello@altailabs.ai