EU-compliant by default. Not as an add-on.
SmartDataTwin is a mid-market platform built with GDPR obligations in its foundations, not bolted on afterwards. Hosted in Frankfurt, DPAs signed at onboarding, zero-retention agreements with LLM vendors, seven-year audit log.
What we build on.
- 01 Data sovereignty: All data in the EU (Frankfurt). Supabase Postgres plus Hetzner Cloud, with Hetzner Object Storage as backup.
- 02 Multi-tenancy: One database; tenants isolated via `org_id` and Postgres Row-Level Security. Defense in depth.
- 03 LLM processing: Anthropic with zero-retention option. OpenAI Enterprise with EU region. Mistral, natively EU.
- 04 Encryption: TLS 1.3 in transit. AES-256 at rest. Sensitive fields encrypted with per-tenant keys via `pgcrypto`.
- 05 Audit trail: Every action emits an event with actor, time and before/after state. 7-year retention.
- 06 Right of access: GDPR export via `/api/dsgvo/export`, deletion via `/api/dsgvo/delete`. Pure Postgres.
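The two Postgres mechanisms named above, tenant isolation with Row-Level Security on `org_id` and an audit trail carrying actor, time and before/after state, fit in one schema. The block below is an added example, not SmartDataTwin's own schema or code; the table names, the `audit_log` layout and the session settings `app.current_org` and `app.current_actor` are assumptions chosen for illustration.

```sql
-- Added example (not the product's schema): RLS tenant isolation on org_id
-- plus an append-only audit table fed by a row-level trigger.
-- Session settings app.current_org / app.current_actor are assumptions.

CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    org_id      uuid        NOT NULL,
    actor       text        NOT NULL,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    table_name  text        NOT NULL,
    action      text        NOT NULL,   -- INSERT / UPDATE / DELETE
    row_before  jsonb,                  -- NULL for INSERT
    row_after   jsonb                   -- NULL for DELETE
);
-- The trail must be append-only: nobody edits or deletes history.
REVOKE UPDATE, DELETE ON audit_log FROM PUBLIC;

CREATE TABLE employees (
    id     uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id uuid NOT NULL,
    name   text NOT NULL,
    email  text NOT NULL
);

-- 1. Enable and FORCE RLS so the policy also binds the table owner.
ALTER TABLE employees ENABLE ROW LEVEL SECURITY;
ALTER TABLE employees FORCE ROW LEVEL SECURITY;

-- 2. USING filters reads, updates and deletes to the session's tenant;
--    WITH CHECK rejects any write that would place a row in another tenant.
--    If app.current_org is unset, current_setting(...) yields NULL, the
--    comparison is NULL, and no row is visible: default deny.
CREATE POLICY tenant_isolation ON employees
    USING      (org_id = current_setting('app.current_org', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org', true)::uuid);

-- 3. Audit trigger: records who acted, when, and the full row before/after.
CREATE OR REPLACE FUNCTION audit_row_change() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO audit_log (org_id, actor, table_name, action, row_before, row_after)
    VALUES (
        COALESCE(NEW.org_id, OLD.org_id),
        current_setting('app.current_actor', true),
        TG_TABLE_NAME,
        TG_OP,
        CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
        CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
    );
    RETURN COALESCE(NEW, OLD);
END;
$$;

CREATE TRIGGER employees_audit
AFTER INSERT OR UPDATE OR DELETE ON employees
FOR EACH ROW EXECUTE FUNCTION audit_row_change();

-- 4. The application sets tenant and actor per transaction. SET LOCAL scopes
--    the value to the transaction, so a pooled connection cannot carry one
--    tenant's context into the next request.
BEGIN;
SET LOCAL app.current_org   = '11111111-1111-1111-1111-111111111111';  -- constructed tenant id
SET LOCAL app.current_actor = 'user:alice@example.test';               -- constructed actor
INSERT INTO employees (org_id, name, email)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Alice', 'alice@example.test');
-- The following insert would fail the WITH CHECK clause (foreign org_id):
-- INSERT INTO employees (org_id, name, email)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'Other', 'o@example.test');
SELECT count(*) FROM employees;   -- only rows of tenant 1111... are visible
COMMIT;
```

Two caveats a reviewer would check: the application role must be a plain role, since superusers and roles with `BYPASSRLS` ignore policies entirely, and the `audit_log` table should be written only through the trigger, with the application role holding `INSERT` but never `UPDATE` or `DELETE` on it.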
Roles & permissions.
- Four roles out of the box: `org_admin`, `manager`, `employee`, `external`. Fine-grained per entity and action.
- Inheritance over site hierarchy: Permissions automatically apply to sub-sites, which cuts maintenance dramatically.
- Sensitive fields protected: Pay, sick leave and HR files require an additional permission bit, and access to them is always audited.
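The inheritance rule and the extra permission bit for sensitive fields can be expressed as a single database check. The block below is an added example, not SmartDataTwin's own authorization code; the tables `sites`, `role_permissions` and `site_role_grants`, the function `has_permission` and the sample tree are assumptions constructed for illustration.

```sql
-- Added example (not the product's code): a grant at a site is inherited by
-- every sub-site, resolved by walking the tree upward with a recursive CTE.
-- Sensitive fields need the extra bit explicitly. All names are assumptions.

CREATE TABLE sites (
    id        int  PRIMARY KEY,
    parent_id int  REFERENCES sites(id),   -- NULL for the root
    name      text NOT NULL
);

CREATE TABLE role_permissions (
    role      text    NOT NULL,   -- org_admin, manager, employee, external
    entity    text    NOT NULL,   -- e.g. 'employee'
    action    text    NOT NULL,   -- e.g. 'read', 'update'
    sensitive boolean NOT NULL DEFAULT false,  -- extra bit for pay, sick leave, HR files
    PRIMARY KEY (role, entity, action, sensitive)
);

-- A user holds a role at one site; descendants inherit it automatically.
CREATE TABLE site_role_grants (
    user_id text NOT NULL,
    site_id int  NOT NULL REFERENCES sites(id),
    role    text NOT NULL,
    PRIMARY KEY (user_id, site_id, role)
);

-- Constructed sample tree: HQ -> Region North -> Workshop Hamburg
INSERT INTO sites VALUES (1, NULL, 'HQ'), (2, 1, 'Region North'), (3, 2, 'Workshop Hamburg');
INSERT INTO role_permissions VALUES
    ('manager',   'employee', 'read',   false),
    ('manager',   'employee', 'update', false),
    ('org_admin', 'employee', 'read',   true);   -- only org_admin holds the sensitive bit
INSERT INTO site_role_grants VALUES
    ('bob', 2, 'manager');   -- granted at Region North, inherited by Workshop Hamburg

CREATE OR REPLACE FUNCTION has_permission(
    p_user text, p_site int, p_entity text, p_action text, p_sensitive boolean
) RETURNS boolean LANGUAGE sql STABLE AS $$
    WITH RECURSIVE ancestry AS (
        -- start at the requested site and climb to the root
        SELECT id, parent_id FROM sites WHERE id = p_site
        UNION ALL
        SELECT s.id, s.parent_id FROM sites s JOIN ancestry a ON s.id = a.parent_id
    )
    SELECT EXISTS (
        SELECT 1
        FROM   site_role_grants g
        JOIN   ancestry a          ON a.id = g.site_id     -- grant at site or any ancestor
        JOIN   role_permissions rp ON rp.role = g.role
        WHERE  g.user_id = p_user
          AND  rp.entity = p_entity
          AND  rp.action = p_action
          -- a plain request is satisfied by any matching row; a sensitive
          -- request only by a row carrying the sensitive bit
          AND  (NOT p_sensitive OR rp.sensitive)
    );
$$;

SELECT has_permission('bob', 3, 'employee', 'read', false);  -- true: inherited from site 2
SELECT has_permission('bob', 3, 'employee', 'read', true);   -- false: no sensitive bit
SELECT has_permission('bob', 1, 'employee', 'read', false);  -- false: HQ lies above the grant
```

The walk goes upward from the requested site, so a grant is found only if it sits on that site or on one of its ancestors; a grant on a sibling branch never matches. Because a sensitive read should also leave a trace, an application would call this check and, on success, write the access to the audit trail before returning the field.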
Voice data — handled deliberately.
For voice and phone modules: explicit consent before any recording. Storage exclusively in the EU. Retention is configurable, with a 90-day default.
Certification roadmap.
- Phase 2: External penetration test. First pilot customers live.
- Phase 3: TISAX (if required by workshop customers). GDPR audit.
- Phase 4: SOC 2 Type 1 preparation (from ~10 customers).
- Phase 5: ISO 27001 (from ~25 customers, > €1M ARR).