SECURITY/COMPLIANCE · DATA, ACCESS, INCIDENT

Built on infrastructure procurement can approve.

★ HONEST POSTURE

AAL is a small studio. We don’t have ISO 27001 yet. We do have GDPR-compliant practices, EU-region hosting, DPA-ready paperwork, and an honest security roadmap. This page is what we can actually commit to today.

01

Data handling.

GDPR-compliant by default. Lawful basis documented per engagement. Data-processing records maintained.

DPA ready. Standard DPA template sent within 24h of request. Custom DPA negotiable for enterprise engagements.

Subprocessor list published. Vercel (hosting), Sanity (CMS), Anthropic (AI), Airtable (operational). Updated on change.

Data minimization. We only collect what's needed to deliver the engagement. No behavioral tracking in audits or the journal.

02

Infrastructure.

EU-region hosting. Vercel edge in Frankfurt (FRA1) / Dublin (DUB1) by default. Client data never leaves the EU unless explicitly scoped otherwise.

Encryption in transit + at rest. TLS 1.3 everywhere, AES-256 at rest via provider defaults.

Backups. Daily snapshots of CMS and operational data, 30-day retention, point-in-time restore available.

Monitoring. Error, uptime, and performance monitoring via Sentry + Vercel Speed Insights. On-call rotation for production incidents.

03

Access.

SSO-ready. Every client surface we ship supports SSO via Okta, Auth0, or custom SAML on request.

RBAC. Role-based access control baked into every CMS and internal tool we ship. Principle of least privilege by default.

Audit logs. All content and configuration changes logged. 90-day retention standard, longer on request.

Offboarding. Credentials rotated, access revoked, data handed over within 5 business days of engagement end.

04 · HONEST

Certifications roadmap.

ISO 27001: not certified today. Target: begin formal process Q1 2027.

SOC 2 Type II: not certified today. Target: 2027, after ISO 27001.

Annual penetration test: independent third-party review of client-facing surfaces. Next: Q3 2026.

GDPR compliance: active. Data Protection Impact Assessment (DPIA) performed per engagement as needed.

05

Incident response.

P0 (production down): initial acknowledgment within 1 hour. Active investigation within 4 hours.

P1 (data incident): client notified within 24 hours of detection. GDPR 72-hour reporting honored.

Post-mortems: written, shared with affected clients, and incorporated into runbooks.

06 · DOWNLOADS

Send these to procurement.

UPDATED: 2026-04
PDF · 3 PAGES

Standard DPA

GDPR-compliant data processing agreement template. Customisable on request.

PDF · 4 PAGES

Subprocessor list

Current vendors, data scope per vendor, hosting region. Updated on change.

PDF · 8 PAGES

Security whitepaper

Full-picture document that combines the contents of this page into a procurement-ready PDF.

07 · TALK TO PROCUREMENT

Talk to procurement, not sales.

If procurement has specific requirements we haven’t surfaced here, tell us. We respond within 48 hours with what we can honestly commit to.

RESPONSE SLA: 48 hours
EU HOSTING: FRA1/DUB1