Last updated: 11 May 2026
Trust Center
Transparency about how ELLYTIC Technologies UG (haftungsbeschränkt) protects your data, the standards we comply with, the regions where we process data, and how we communicate updates and incidents.
01 Compliance Status
Overview of regulatory and industry standards. We commit to transparent reporting — including roadmap items not yet achieved.
| Standard | Status | Note |
|---|---|---|
| EU GDPR (DSGVO) | Compliant | Since: 2024-Q3 |
| eIDAS (QES via YouSign) | Compliant | Since: 2025-Q2 |
| GoBD (10y Object Lock) | Compliant | Since: 2024-Q4 |
| PCI-DSS SAQ-A | Self-assessed | Since: 2026-Q3 |
| ISO 27001 | Roadmap | Target: 2027-Q2 |
| ISO 27701 | Roadmap | Target: 2027-Q3 |
| SOC 2 Type II | Evaluating | |
| C5 (BSI) | Not planned | |
02 Data Residency
All operational data is stored within the European Union, primarily in Frankfurt (eu-central-1). US-based providers are bound by EU Standard Contractual Clauses and, where available, the EU-US Data Privacy Framework.
| Service | Provider | Region |
|---|---|---|
| Application Hosting | Vercel | FRA1 (Frankfurt) |
| Production Database | Neon | eu-central-1 (Frankfurt) |
| Document Storage | AWS S3 | eu-central-1 (Frankfurt) |
| Invoice Storage (Object-Lock 10y) | AWS S3 | eu-central-1 (Frankfurt) |
| Error Monitoring | Sentry | EU DSN |
| Email Transactional | Resend | EU + US (DPF + SCCs) |
| Newsletter & SMS | Brevo | DE + FR |
| Electronic Signatures | YouSign | France |
| Booking | Cal.com | EU |
03 Security Practices
- AES-256 encryption at rest for all customer data (databases and document storage)
- TLS 1.3 in transit for all network communication
- Multi-Factor Authentication enforced for all internal accounts
- Role-Based Access Control with strict tenant isolation in multi-tenant systems
- WebAuthn/FIDO2 passkey support for customer accounts
- S3 Object-Lock COMPLIANCE mode for GoBD-relevant documents (10-year retention)
- Comprehensive audit logging for workflow, payment, and document operations
- Automatic PII scrubbing in error telemetry and observability pipelines
04 Subprocessors
We publish a complete list of third-party subprocessors processing personal data on our behalf, including their purpose, location, and applicable safeguards.
View Subprocessor List →
05 Documents & Resources
Public-facing legal and compliance documentation. Specific assets (DPA, Security Whitepaper) are available on request.
06 Recent Updates
- 2026-05-11: Subprocessor List expanded with AWS S3 (Infrastructure), Sentry (Monitoring), and Cal.com (Booking).
- 2026-05-11: Privacy Policy and Data Protection pages merged for clarity. Single canonical URL at /legal/privacy.
- 2026-05-11: OpenAI Data Processing Addendum signed under OpenAI Ireland Ltd.
- 2026-04-21: Database environment variables restructured for stricter production/staging separation.
07 Contact
- Privacy & GDPR: privacy@ellytic.com
- Security & Vulnerabilities: security@ellytic.com
- Legal & Contracts: legal@ellytic.com