Our security and compliance posture
Curate-Me is the governance layer for AI workloads. Security and compliance are not features; they are the foundation. This page documents our controls, certifications, and data handling practices.
Compliance status
Security controls
Controls inventory
All controls are reviewed quarterly. Status reflects the current state as of each entry's as_of date.
Encryption
Access Control
Network Security
Vulnerability Management
Data Controls
Audit & Logging
Compliance & Certifications
Data handling
How we handle your data
Retention windows vary by plan: 7 days (Free) to 365 days (Enterprise) for gateway logs. Audit logs are retained for a minimum of 1 year on all plans. EU residency orgs apply shorter defaults per GDPR data minimisation.
Account and org deletion requests enter a 7-day grace period; the Curate-Me team processes hard deletion within 30 days of grace period expiry. A SHA-256 proof record is kept for audit purposes. Audit logs are retained for the statutory minimum period even after deletion.
Org owners can request a full data export via the dashboard or the /api/v1/platform/data-requests/export endpoint. The export covers all org collections (excluding plaintext secrets) and is delivered as a signed download URL (72-hour TTL).
Default region: EU (Hetzner Germany and Finland). US region available on request. Data residency is configurable at the org level on Pro plans and above. All sub-processors support EU-region data placement.
LLM request prompt and response bodies are NOT stored by default. Metadata (model, token counts, cost, org_id) is stored for billing and analytics. PII scanning detects and flags sensitive content before proxying to LLM providers. Body logging (for debugging) must be explicitly enabled and is opt-in only.
Sub-processors
Third-party sub-processors
We maintain DPAs with all sub-processors. Customers receive 30 days' notice of any sub-processor changes.
Vendor assessment
Request our security questionnaire
Need a completed SIG Lite, HECVAT, or custom questionnaire? The security team will reply within one business day. You can also download the JSON questionnaire immediately from our public API.
All data on this page is also available as machine-readable JSON at /api/v1/public/trust. Last reviewed: May 2026. Contact security@curate-me.ai for the sub-processor change notification list.