One page. Everything procurement asks.

Trust & security

The short version of how AccessiProof handles your data, where it lives, who can touch it, and the paperwork your client's procurement team will want to see before you roll us into an agency retainer.

EU-first hosting · Article 28 DPA · 72h breach commitment

The six pillars

How we handle your data, in plain language

01

EU-first hosting by default

The Postgres database (Neon) runs in Frankfurt, Germany. The scanner worker runs on a Hetzner VPS in Germany. The Next.js app is served by Vercel's EU edge with a fallback to US regions for static assets.

Customer data — scan results, issues, reports — stays in the EU.

02

Encryption in transit and at rest

TLS 1.2+ on every connection between the browser, the app, the scanner, and the database. Data at rest is encrypted by the underlying cloud providers (Neon, Vercel, Hetzner disk-level).

Default posture for every provider in our stack.

03

Tokenised report sharing

Reports are accessed via opaque 32-character tokens at /reports/[token]. Each link is unique per report and can be revoked from the dashboard in one click — rotating the token invalidates the old link immediately. Reports stay unreachable until you explicitly publish them.
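One way to model a token-gated share link like the one described above, as an added example that is not AccessiProof's own code; the in-memory store and its field names are assumptions. It shows the three properties the paragraph lists: an opaque 32-character token from a CSPRNG, no resolution until the report is published, and rotation that kills the old link at once.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Assumed in-memory stand-in for a reports table; not the product's schema.
TOKEN_BYTES = 16  # 16 random bytes -> 32 hex characters in /reports/[token]


def new_token() -> str:
    # OS CSPRNG; the token encodes no report id, owner or sequence number.
    return secrets.token_hex(TOKEN_BYTES)


def token_hash(token: str) -> str:
    # Only a digest is stored, so a database read does not leak live links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class ReportStore:
    def __init__(self) -> None:
        self._reports: Dict[str, dict] = {}   # report_id -> {"hash", "published"}
        self._by_hash: Dict[str, str] = {}    # token digest -> report_id

    def create(self, report_id: str) -> str:
        """Create an unpublished report and return its first share token."""
        token = new_token()
        self._reports[report_id] = {"hash": token_hash(token), "published": False}
        self._by_hash[token_hash(token)] = report_id
        return token

    def publish(self, report_id: str) -> None:
        self._reports[report_id]["published"] = True

    def rotate(self, report_id: str) -> str:
        """Issue a fresh token; the previous link stops resolving immediately."""
        rec = self._reports[report_id]
        self._by_hash.pop(rec["hash"], None)   # old digest removed first
        token = new_token()
        rec["hash"] = token_hash(token)
        self._by_hash[rec["hash"]] = report_id
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Map a /reports/[token] path segment to a report id, or None (404)."""
        if len(token) != 2 * TOKEN_BYTES:
            return None
        report_id = self._by_hash.get(token_hash(token))
        if report_id is None or not self._reports[report_id]["published"]:
            return None  # unknown, revoked and unpublished look identical
        return report_id
```

Because unknown, revoked and unpublished tokens all return the same result, a guessed link reveals nothing about whether a report exists.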

04

Article 28 GDPR DPA

A baseline Data Processing Addendum is published and applies automatically to every paid audit and monthly monitoring subscription. Countersigned copies are available on request for procurement teams.

Covers sub-processor obligations, SCCs Module 2/3, 30-day prior notice, and Annex A TOMs.

05

72-hour breach commitment

If we become aware of a personal data breach affecting customer data, we notify affected customers within 72 hours under GDPR Art. 33, and directly notify data subjects under Art. 34 where the breach is likely to result in a high risk to their rights.

06

Honest AI boundaries

Claude (Anthropic) is used to accelerate report writing — executive summaries, remediation copy, risk examples. AI never issues compliance determinations. Only aggregated findings are sent to the model — no end-user personal data or customer account data.

Full detail in our Privacy Policy, Section 9.

Sub-processors at a glance

Six providers, six contracts

Every vendor in our stack has a signed DPA. US-based processors additionally sit under EU Standard Contractual Clauses (Decision 2021/914). The full list — with the legal basis for each transfer — lives at /legal/subprocessors.

Provider | Purpose | Location | Transfer basis
Vercel Inc. | Web app hosting + Analytics + Speed Insights (cookie-less) | United States (EU edge serves EU users) | SCCs Module 3 (P2P)
Neon Inc. | Postgres database (customer records, scans, reports) | Frankfurt, Germany | Within the EEA
Hetzner Online GmbH | Scanner worker VPS (Playwright + axe-core) | Germany | Within the EEA
Stripe Payments Europe / Stripe, Inc. | Card payments, invoicing, recurring billing | Ireland + United States | SCCs Module 2 (C2P)
Resend, Inc. | Transactional email (report links, receipts) | United States | SCCs Module 2 (C2P)
Anthropic PBC | Claude API (accelerates internal report production) | United States | SCCs Module 2 (C2P)

We notify customers at least 30 days before adding a new sub-processor so you can object in time.

Technical & organisational measures

How we actually run the service

The short form. The full list — with GDPR Art. 32 framing — sits in Annex A of the Data Processing Addendum.

Access control

Single-account model for the operator dashboard with strong password requirements and session cookies scoped to the admin domain. No shared credentials.

Logging & audit

Every scan run, report publish, and data export is logged. Logs are retained for 90 days and reviewed on suspicion of misuse.

Data minimisation

We only collect what the scan requires: the site URL, the pages discovered, the issues detected, and the contact email for delivery. No first-party cookies, no tracking pixels, no profiling.

Network security

The scanner VPS sits behind a firewall restricted to the app's outbound webhook origin. The Neon database is reachable only from the app's serverless functions via a pooled connection.

Backup & recovery

Neon provides point-in-time recovery up to 7 days for the database. Source code is versioned on GitHub. No customer-data backups leave the EU.

Vendor due diligence

Every sub-processor in the stack was selected with a signed DPA and — for US-based processors — SCCs in place. The full list is published and customers get 30 days' notice of any change.

Supply-chain hygiene

Dependency updates land through GitHub with CI type-checks and linting before merge. The only JavaScript shipped to end-user report viewers is our first-party code and Vercel Analytics; no other third-party scripts are included.

Business continuity

The scanner worker is stateless and can be redeployed to a new VPS within an hour. The database runs on Neon with built-in high availability.

Honest limits

What we're not (yet)

We'd rather tell you now than dodge it in a questionnaire.

  • No SOC 2 or ISO 27001 yet. We're a young service. If your procurement process treats one of these as a hard blocker, we won't pass today — but the underlying controls we operate are the ones those audits evaluate. We can walk a security team through them on request.
  • No customer-facing SSO or SAML. Report access is token-based; operator access is single account. If you need SSO for a customer-portal product, we don't have it yet.
  • No bug-bounty programme. We welcome responsible disclosure at office@accessiproof.com and respond within 72 hours, but we do not pay bounties at this stage.

Need a deeper review?

If your client's procurement or security team needs a questionnaire filled in, a countersigned DPA, or a call with us to walk through the stack, send it over. We usually turn these around within two business days.