Trust & Security

    Processor-side controls for the LandingRed platform. Procurement, legal, and compliance teams can answer their pre-NDA checklist here without contacting support.

    Last reviewed: 2026-06-02

    Data Processing Agreement (DPA)

    A v1.0 GDPR Art. 28-compliant DPA template is available on request (privacy@landingred.com). Annex A captures the per-customer scope; Annex B describes the technical and organisational measures listed below; Annex C lists the current sub-processors. An Italian-language version of the template is also available.

    Sub-processors

    30-day pre-change notice committed via DPA §6.3. Tenants can object within the notice period; unresolved objections terminate the affected processing.

    Sub-processor                       Purpose                       Location            Transfer mechanism
    Hetzner Online GmbH                 Primary hosting (EU)          Germany / Finland   GDPR-native (intra-EEA)
    Anthropic, PBC                      LLM provider (own-key tier)   United States       SCCs Module 2
    OpenAI, OpC, LLC                    LLM provider (own-key tier)   United States       SCCs Module 2
    Brevo SAS                           Transactional email           France              GDPR-native (intra-EEA)
    Functional Software, Inc. (Sentry)  Error tracking                United States       SCCs Module 2

    Technical & Organisational Measures (Art. 32)

    Concrete controls implementing GDPR Art. 32 + ISO 27001 Annex A. Each row points at a real code reference; auditors can validate via the externally-shared AuditLog export.

    • Encryption at rest
      AES-256 (Hetzner infra) + per-field Fernet for sensitive secrets (core/encryption.py)
    • Encryption in transit
      TLS 1.2+ on all endpoints; HSTS pre-load eligible
    • Authentication
      PBKDF2/Argon2 password hashing + TOTP MFA (django_otp) + SAML SSO (Enterprise)
    • Authorization
      Row-level tenant isolation via TenantAwareManager (1,318 LoC of dedicated isolation tests)
    • Audit trail
      Append-only AuditLog with DB-level immutability (10-year retention floor for AI-Act-scoped rows)
    • Backups
      Daily pg_dump + 7-day rolling on-host retention + pre-deploy snapshots
    • Incident response
      Documented runbook (docs/deploy-recovery.md) + 72h breach-notification commitment in DPA §6.6

    Vendor Certifications

    Readiness matrices for ISO 27001, SOC 2, and ISO 42001 are maintained internally; certification engagements are scheduled per the published roadmap. Letters of attestation available under NDA.

    • ISO 27001:2022
      Readiness matrix maintained; certification roadmap on file
    • SOC 2 Type II
      Readiness matrix maintained; Type I assessment scheduled
    • ISO 42001:2023 (AI Management System)
      Readiness matrix (38 Annex A controls + 7 clauses); first-mover certification track

    Vulnerability Disclosure

    We follow RFC 9116. The machine-readable Contact and Encryption fields are served at /.well-known/security.txt. Coordinated disclosure: report to security@landingred.com; we acknowledge within 24h.
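    As an illustration of what an RFC 9116 endpoint has to carry, here is a small parser and validator for a security.txt file. This is an added example, not LandingRed's code and not a copy of the file it serves; the sample file content, the example.invalid hostnames and the REVIEW_DATE constant are constructed for the demonstration. It checks the two mandatory fields (Contact, Expires), the at-most-once fields, the URI schemes the RFC allows, and the recommended under-one-year expiry window, which is the check a procurement reviewer or an automated monitor would want to run against the live endpoint.

```python
"""Parse and sanity-check an RFC 9116 security.txt file.

Added example, not the platform's own code. Standard library only.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample file; hostnames are placeholders, not a real endpoint.
SAMPLE_SECURITY_TXT = """\
# security.txt (constructed sample)
Contact: mailto:security@example.invalid
Contact: https://example.invalid/security
Expires: 2027-01-01T00:00:00Z
Encryption: https://example.invalid/pgp-key.txt
Preferred-Languages: en, it
Canonical: https://example.invalid/.well-known/security.txt
"""

# Constructed reference date used for the expiry checks in check_sample().
REVIEW_DATE = datetime(2026, 6, 2, tzinfo=timezone.utc)

REQUIRED = ("contact", "expires")               # RFC 9116 s.2.5.3 / s.2.5.5
SINGLE_VALUED = ("expires", "preferred-languages")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")
ENCRYPTION_SCHEMES = ("https://", "dns:", "openpgp4fpr:")


def parse_security_txt(text):
    """Return {field_name_lowercase: [values]}; comments and blank lines are skipped."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' pair")
        name, value = line.split(":", 1)
        # Field names are case-insensitive; values keep their case.
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing mandatory field {name!r}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field {name!r} must appear at most once")
    for contact in fields.get("contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact {contact!r} is not a mailto:/https:/tel: URI")
    for expires in fields.get("expires", [])[:1]:
        try:
            # RFC 3339 timestamp; accept the trailing 'Z' on older Pythons too.
            when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires {expires!r} is not an RFC 3339 timestamp")
            continue
        if when.tzinfo is None:
            problems.append("Expires lacks a timezone offset")
        elif when <= now:
            problems.append(f"file expired on {expires}")
        elif when - now > timedelta(days=366):
            problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")
    for url in fields.get("encryption", []):
        if not url.startswith(ENCRYPTION_SCHEMES):
            problems.append(f"Encryption {url!r} must be an https:, dns: or openpgp4fpr: URI")
    for url in fields.get("canonical", []):
        if not url.startswith("https://"):
            problems.append(f"Canonical {url!r} must be an https: URI")
    return problems


def check_sample():
    """Validate the constructed sample against the constructed review date."""
    return validate_security_txt(SAMPLE_SECURITY_TXT, now=REVIEW_DATE)


if __name__ == "__main__":
    print(check_sample() or "sample security.txt passes")
```

    To check a live endpoint, fetch /.well-known/security.txt over HTTPS and pass the body to validate_security_txt; an expiry that has lapsed or a Contact that is not a URI are the two defects most commonly seen in deployed files.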

    Contact

    For procurement questions, DPAs, or security inquiries: privacy@landingred.com. For vulnerability reports, see the Vulnerability Disclosure section above and our RFC 9116 /.well-known/security.txt endpoint.