Your data stays yours.
We built Custos AI for businesses that care about data security. That means EU servers, strong encryption, zero AI training on your data, and GDPR compliance built in from day one — not bolted on later.
AES-256 encryption at rest
All data stored in our database and file storage is encrypted using AES-256. API keys are encrypted with AES-256-GCM, decrypted only in memory at the moment of use, and never written to logs.
TLS 1.2+ in transit
All data transmitted between your browser and our servers is protected by TLS 1.2 or higher. No unencrypted connections are accepted.
EU-hosted — Frankfurt + Amsterdam
All customer data is stored exclusively on EU servers: database and files in Frankfurt (Supabase), LLM proxy in Amsterdam (TransIP). No data is transferred outside the EEA.
Zero AI training on your data
Your chat messages, uploaded files and API usage are never used to train, fine-tune or improve any AI model — by Custos AI or any LLM provider we connect to.
Daily encrypted backups
Automated daily backups with 30-day retention and monthly restore tests. Target recovery time objective: 4 hours.
GDPR-compliant by design
Full Article 28 GDPR Data Processing Agreement available on all plans. Sub-processor list published and maintained. 48-hour breach notification commitment.
Infrastructure
Sub-processors
Report a vulnerability
If you discover a security vulnerability in our platform, please report it responsibly. We aim to respond within 48 hours and will credit researchers in our changelog.