Security and data residency
Last updated: 26/06/2026
We build on a simple rule: your data stays in the EU, encrypted, and you can find out exactly where. Here is what we can actually stand behind — verified, not marketing.
Where your data lives
Our website, the contact form and Minni conversations run on Supabase in Frankfurt (EU region). The database is located in the EU, and hosting (Vercel) runs on EU infrastructure.
Encryption and certification
Supabase, which runs our database, is SOC 2 Type 2 and ISO 27001 certified, with annual audits. Data and backups are encrypted with AES-256 at rest, and all traffic uses TLS 1.2 or newer in transit.
Operations, monitoring and vulnerability management
Security isn't only about where data lives, but how the service is run. In practice:
• Vulnerability scanning: code is automatically scanned for vulnerabilities and leaked secrets, dependencies are continuously monitored for known weaknesses, and a security gate in the build pipeline blocks known bad patterns before they reach production.
• Error monitoring: unexpected errors are caught by an EU-hosted error-tracking tool with personal data filtered out, so we spot problems before they affect you.
• Uptime monitoring: the service is checked externally every five minutes, with automatic alerting on downtime.
• Web application firewall (WAF): scanner and exploit traffic is blocked at the edge, and the public Minni surface is rate-limited against abuse.
• Security alerting: repeated abuse or suspicious activity triggers automatic internal alerts.
Data processing agreement
We sign a data processing agreement (DPA) on every engagement that involves personal data. For the website, we are the controller and Supabase is the processor. An up-to-date list of sub-processors is in our privacy policy.
What we don't hide
When an AI model actually processes a request — Minni uses Anthropic Claude — the processing itself happens in the US, unless it is routed through EU infrastructure. There is currently no dedicated EU region for the Anthropic models directly.
That is the one place "everything stays in the EU" is not fully true, and we would rather say it plainly than dress it up. We always flag which models and providers are involved in each engagement, so you can make an informed choice.
Read more
For details on what data we process, retention periods and your rights, see our privacy policy.