Skip to content
Trust Center

Our security and compliance posture

Curate-Me is the governance layer for AI workloads. Security and compliance are not features, they are the foundation. This page documents our controls, certifications, and data handling practices.

Compliance status

Achieved
GDPR Compliant
Data processing agreements in place with all sub-processors. Right to erasure, data portability, and DPA available on request.
Achieved
SOC 2 Type I
SOC 2 Type I report completed January 2026. Covers security, availability, and confidentiality trust service criteria.
In progress
SOC 2 Type II
12-month observation period started February 2026. Expected completion February 2027.
Planned
ISO 27001
Planned for H2 2026 once SOC 2 Type II observation period is complete.
Achieved
EU AI Act Ready
Compliance engine mapped to EU AI Act articles 9, 11, 12, 13, 14, 15, 26, 96. One-click remediation available for all high-risk article gaps.
Achieved
PCI DSS (via Stripe)
Payment card data never touches Curate-Me servers. All billing processed via Stripe (PCI DSS Level 1 certified).

Security controls

Controls inventory

All controls are reviewed quarterly. Status reflects the current state as of each entry's as_of date.

Encryption

Encryption at rest
All data at rest is encrypted using AES-256. MongoDB Atlas, Redis Cloud, and Hetzner VPS volumes use encryption at rest by default.
MongoDB Atlas default encryption; Hetzner LUKS volumes.
Implemented
Encryption in transit
All connections use TLS 1.2+. Caddy reverse proxy enforces HTTPS with automatic certificate renewal (Let's Encrypt).
Caddyfile TLS config in codebase.
Implemented
API key hashing
All API keys are hashed with bcrypt before storage. Plaintext keys are shown once at creation and never stored or logged.
Implemented

Access Control

Role-based access control (RBAC)
Four roles: Owner, Admin, Member, Viewer. All permissions are scoped to the org — cross-org data access is blocked at middleware.
Implemented
Multi-factor authentication (MFA)
TOTP MFA available for all dashboard users. SSO/SAML integration available for Enterprise tier customers.
auth_2fa.py in codebase; TOTP enrollment UI in dashboard.
Implemented
Multi-tenant isolation
TenantIsolationMiddleware enforces org_id scoping on every B2B API call. Gateway auth extracts org from API key; B2B API uses JWT org_id claim.
Implemented

Network Security

SSRF protection
Gateway proxy validates upstream URLs against a provider allowlist. Internal metadata endpoints, file:// URIs, and private IP ranges are blocked.
Implemented
Network firewall and private networking
Production VPS uses strict firewall rules. Database and cache ports are not exposed to the public internet. Services communicate over private networking.
Implemented

Vulnerability Management

Dependency vulnerability scanning
CI pipeline runs pip-audit (Python) and npm audit (TypeScript) on every PR. Critical CVEs block merge.
Implemented
Penetration testing
Annual penetration test by an independent third-party security firm. Most recent test: January 2026. Results available under NDA upon request.
Pen test completed Jan 2026. Report provided under NDA to enterprise prospects. Not publicly available.
Implemented

Data Controls

PII scanning on gateway requests
33 regex patterns detect API keys, passwords, emails, phone numbers, SSNs, and credit card numbers in request payloads before proxying. Optional Presidio NER integration (per-org opt-in).
Implemented
Configurable data retention
Retention windows vary by plan (7 days free to 365 days enterprise). Audit logs are retained for a minimum of 1 year on all plans.
Implemented
Data portability (owner export)
Org owners can request a full-tenant data export via the dashboard. Export is assembled by a background worker and delivered as a signed download URL (72h TTL).
Implemented
Right to erasure (owner deletion)
Org owners can request a full-tenant data deletion. A 7-day grace period applies. A SHA-256 proof record is retained for audit purposes.
Implemented

Audit & Logging

Immutable governance audit trail
27+ event types written to an append-only audit log covering every gateway request outcome, governance decision, runner lifecycle event, approval action, and key rotation.
Implemented

Compliance & Certifications

GDPR readiness
DPA available on request. Data subject rights (access, erasure, portability) supported. EU region available (Hetzner Germany/Finland). All sub-processors have signed DPAs.
Implemented
SOC 2 Type I
SOC 2 Type I report completed January 2026. Covers security, availability, and confidentiality trust service criteria. Report available under NDA upon request. Not publicly available.
Audit completed Jan 2026. Report shared under NDA only. Do not represent this as a publicly available certification.
Implemented
SOC 2 Type II
12-month observation period started February 2026. Expected completion February 2027. Not yet available.
In progress
EU AI Act readiness
Controls mapped to EU AI Act Articles 9, 11, 12, 13, 14, 15, 26, 96. Governance chain provides audit trail, human oversight, PII scanning, and record-keeping required for high-risk system operators.
Implemented
ISO 27001
Planned for H2 2026 after SOC 2 Type II observation period completes.
Roadmap item; no certification work has started.
Planned

Data handling

How we handle your data

Retention

Retention windows vary by plan: 7 days (Free) to 365 days (Enterprise) for gateway logs. Audit logs are retained for a minimum of 1 year on all plans. EU residency orgs apply shorter defaults per GDPR data minimisation.

Deletion

Account and org deletion requests enter a 7-day grace period; hard deletion is processed within 30 days of grace period expiry by the Curate-Me team. A SHA-256 proof record is kept for audit purposes. Audit logs are retained for the statutory minimum period even after deletion.

Portability

Org owners can request a full data export via the dashboard or the /api/v1/platform/data-requests/export endpoint. The export covers all org collections (excluding plaintext secrets) and is delivered as a signed download URL (72-hour TTL).

Data location

Default region: EU (Hetzner Germany and Finland). US region available on request. Data residency is configurable at the org level for Pro and above plans. All sub-processors support EU-region data placement.

PII handling

LLM request prompt and response bodies are NOT stored by default. Metadata (model, token counts, cost, org_id) is stored for billing and analytics. PII scanning detects and flags sensitive content before proxying to LLM providers. Body logging (for debugging) must be explicitly enabled and is opt-in only.

Sub-processors

Third-party sub-processors

We maintain DPAs with all sub-processors. Customers receive 30 days' notice of any sub-processor changes.

Processor
Purpose
Location
DPA
MongoDB Atlas
Privacy policy →
Primary data storage — user data, audit logs, analytics
user dataaudit logsanalyticsbilling
US / EU (region-configurable)
DPA signed
Real-time caching, rate limiting, session state
session datarate limit stateephemeral cache
US / EU (region-configurable)
DPA signed
Payment processing and subscription billing
billing datapayment methods
US (PCI DSS L1 certified)
DPA signed
Hetzner Cloud
Privacy policy →
Infrastructure hosting — application servers and managed runners
infrastructurecomputenetwork
EU (Germany / Finland)
DPA signed
Transactional email delivery
email addressesnotification content
US
DPA signed
LLM inference (when routed via gateway on org request)
llm request content
US / EU (configurable via data residency policy)
DPA signed
LLM inference (when routed via gateway on org request)
llm request content
US / EU (configurable via data residency policy)
DPA signed

Vendor assessment

Request our security questionnaire

Need a completed SIG Lite, HECVAT, or custom questionnaire? The security team will reply within one business day. You can also download the JSON questionnaire immediately from our public API.

All data on this page is also available as machine-readable JSON at /api/v1/public/trust. Last reviewed: May 2026. Contact security@curate-me.ai for the sub-processor change notification list.