Trust, stated plainly.
And labelled honestly.

Every row below says whether it's live, in progress, or coming. None of them oversell.

A compliance platform's own posture is the first thing worth auditing — here is ours, in one place.

Provable isolation, not promised isolation.

Every tenant's data is separated by recursion-safe row-level security — enforced in the database, not the application — and we test it adversarially: poisoned-row tests that try to leak one tenant's data into another's AI advisor, and live cross-tenant probes against the running platform. The full test transcript is available to partners under NDA.

The posture

Where your data lives and how.

The same facts a partner repeats to their own clients — and the same rows shown inside the product, because there is only one truth to tell.

Hosting & residency: Data stored in EU-Frankfurt (Supabase — database, auth, evidence files); application compute pinned to Frankfurt. Delivery uses our host's global network in transit — detailed in the DPA. [live]
Encryption: TLS in transit, AES-256 at rest [live]
Tenant isolation: Database-enforced row-level security, adversarially tested (poisoned-row + live cross-tenant probes); full test transcript under NDA [live]
Evidence vault: Private per-tenant storage; short-lived signed links; files never move a score [live]
Append-only records: Immutable audit log + frozen readiness baselines — no edit or delete path exists, enforced in the database [live]
Honest AI: The advisor cites the binding article or abstains; it never says “compliant”; AI-generated output is labelled (our own EU AI Act Art. 50 duty, applied to ourselves) [live]
Data Processing Agreement: Art. 28 DPA available on request, with the sub-processor list below [live]
Independent penetration test: Scheduled on the launch track — completed before the first partner book goes live at scale [coming]
ISO 27001: Organisational certification — begins with our first major partner engagement [coming]
MFA & SSO: Multi-factor and SAML/OIDC sign-in [coming]

Sub-processors

Who touches what.

The complete list — short on purpose. Each processes only what its row says, under a data-processing agreement.

Supabase: Database, authentication, evidence storage — EU (Frankfurt) [infrastructure]
Vercel: Application hosting and delivery [infrastructure]
Anthropic: Powers the grounded advisor — receives assessment context only, never your evidence files [ai advisor]
Stripe: Payments — card details never touch Klariad's servers [billing]

Changes to this list are published on this page before they take effect.

Your rights

Leave freely, take everything.

Your answers, evidence files, scores, records and audit history export in open formats whenever you ask — subscriber or not. A trust page that needed a retention clause to keep you wouldn't be one.

Questions, the DPA, or the isolation test transcript: trust@klariad.eu. A founder answers, not a funnel.