Trust Center

Your trust, documented.

Everything your legal, security and procurement team needs — in one place, no forms.

At a glance

  • GDPR-proof by design — DPA included in every plan
  • EU-hosted only: Frankfurt (Supabase) + Amsterdam (TransIP)
  • AES-256 at rest, TLS 1.2+ in transit
  • AES-256-GCM for customer API keys (BYOK)
  • Multi-tenant isolation via Supabase Row Level Security
  • Zero AI training on customer data
  • 48-hour breach notification commitment
  • B2B only — no consumer data processing

Data Processing Agreement (DPA)

Our Article 28 GDPR Data Processing Agreement is included in every plan and pre-accepted upon signing our Terms. Download the current version for your legal team.

DPA version 1.1 · Last updated 23 April 2026

Sub-processors

Sub-processor             Service                         Location
Supabase                  Database, auth, file storage    Frankfurt, DE
TransIP B.V.              VPS for LiteLLM proxy           Amsterdam, NL
Vercel, Inc.              Frontend + edge compute         EU edge
Lettermint                Transactional email             EU
Stripe Payments Europe    Payments + Stripe Tax           Dublin, IE

We notify all customers at least 30 days before adding or replacing any sub-processor.


Infrastructure

Application hosting: Vercel EU edge network
Database + auth + storage: Supabase — Frankfurt, Germany (EU)
LLM proxy + budget enforcement: LiteLLM on TransIP VPS — Amsterdam, Netherlands (EU)
Email delivery: Lettermint (EU)
Payments: Stripe + Stripe Tax — Dublin, Ireland (EU)
Data residency: No customer data leaves the EEA under any circumstance

Security measures

Encryption at rest: AES-256 (data), AES-256-GCM (API keys)
Encryption in transit: TLS 1.2+ on all connections
Authentication: Email + TOTP MFA (mandatory)
Access control: Least-privilege, role-based, multi-tenant RLS
Backups: Daily encrypted, point-in-time recovery, 30-day retention
Monitoring: Vercel observability
Vulnerability scanning: Dependabot, CodeQL
Target RTO: 4 hours
Target RPO: 24 hours

BYOK & LLM providers

Under our Bring Your Own Key model, customers maintain a direct relationship with each LLM provider (OpenAI, Anthropic, Google, Mistral) through their own API keys. LLM providers are not Custos sub-processors.

Customer API keys are encrypted with AES-256-GCM and decrypted only in memory at the moment of use — never logged, never visible to Custos staff.
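As an added illustration of the key-handling model described above (example code, not Custos's own implementation), the following Go program seals a customer's provider API key with AES-256-GCM under a server-side master key and binds the ciphertext to the tenant ID as additional authenticated data, so a stored blob that is moved to another tenant's row fails authentication rather than decrypting. The master key, tenant IDs and API key value are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte master key (held server-side, never stored beside the data).
func newGCM(masterKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(masterKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAPIKey encrypts a customer's provider API key. The tenant ID is bound as additional
// authenticated data; the stored blob is nonce || ciphertext || GCM tag.
func SealAPIKey(masterKey []byte, tenantID string, apiKey []byte) ([]byte, error) {
	gcm, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce for every seal
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, apiKey, []byte(tenantID)), nil
}

// OpenAPIKey decrypts a stored blob for one tenant. The plaintext exists only in the
// returned slice; the caller uses it for the upstream request and then zeroes it.
func OpenAPIKey(masterKey []byte, tenantID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored key blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	// A wrong master key, wrong tenant ID or any tampering makes Open return an error.
	return gcm.Open(nil, nonce, ct, []byte(tenantID))
}
```

Because the tag covers the tenant ID, an application-level bug that reads another tenant's row still cannot yield a usable key, which complements row-level isolation in the database.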

Incident response

We commit to notifying affected customers within 48 hours of becoming aware of a security incident involving their personal data, as required by Article 33 GDPR.

Incident log

No incidents reported to date. This section will be updated transparently when any incident occurs, following the timeline set out in our DPA.

Security researchers can report vulnerabilities through the security disclosures contact listed under Contact & legal. We respond within 48 hours and credit responsible disclosures in our changelog.

Contact & legal

Legal + DPA requests
Privacy requests
Security disclosures
Company: Alpha Digital B.V. · KvK 72313129 · Stationsplein 26, 6512 AB Nijmegen, NL