
Trust & Security

Security for the people who get audited.

Horizon Scanner is built for compliance teams at European financial institutions — so it is held to the standards they are held to. EU-hosted only, encrypted in transit and at rest, strictly tenant-isolated, and audit-trail-ready by default. We process publicly published regulatory documents — never your end-customers' data.

  • EU / EEA: data residency, hosted in the EU only
  • TLS 1.2 / 1.3: encrypted in transit and at rest
  • 5 years: immutable audit trail, exportable any time
  • 0: end-customer records we process

How we protect data

The measures below are live today — not statements of intent.

Data residency

Hosting exclusively on European cloud infrastructure; the public website runs in Vercel's Frankfurt region. Customer data stays within the EU/EEA. The AI models that score documents (US-based) receive only publicly published regulatory text — never personal or customer-confidential data — under EU Standard Contractual Clauses.

Encryption

Every endpoint is served over TLS 1.2/1.3. Data is encrypted at rest. Backups are taken regularly and versioned.

Access & tenant isolation

Role-based access control throughout. Strict tenant separation: no shared database access between customer accounts. Sign-in is passwordless — device passkeys or magic links — so there are no shared or reused passwords to leak.

The audit trail

Every action — fetch, relevance verdict, change detection, classification, validation, routing, reviewer confirmation — is recorded immutably with a timestamp and an actor. Default retention is five years (configurable). Export any time window or finding bundle to CSV or JSON. This is the evidence that answers a supervisor's questions in minutes, not weeks.
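As an added illustration of the properties this paragraph describes (append-only entries carrying a timestamp and an actor, a configurable retention period, and export of any time window to CSV or JSON), the following Python is example code written for this page, not Horizon Scanner's own implementation. The action names are the seven listed above; the `seq` and `subject` fields, the `T0` base time and the sample entries are constructed assumptions.

```python
"""Append-only audit trail with retention reporting and time-window export.

Added example, not the product's code. Immutability is enforced by design:
entries are frozen dataclasses and the trail exposes no update or delete
method, so the only way data ever leaves is a separate, visible retention
sweep. `verify()` gives cheap tamper evidence on top of that.
"""
from __future__ import annotations

import csv
import io
import json
from dataclasses import asdict, dataclass, fields
from datetime import datetime, timedelta, timezone

# Recorded actions, taken from the page's list.
ACTIONS = frozenset({
    "fetch", "relevance_verdict", "change_detection", "classification",
    "validation", "routing", "reviewer_confirmation",
})


@dataclass(frozen=True)  # frozen: an entry cannot be edited after creation
class AuditEntry:
    seq: int            # contiguous sequence number (assumed field)
    timestamp: datetime  # tz-aware UTC
    actor: str          # user or service identity that performed the action
    action: str         # one of ACTIONS
    subject: str        # what was acted on, e.g. a document id (assumed field)


FIELDS = [f.name for f in fields(AuditEntry)]


class AuditTrail:
    """In-memory append-only log. Deliberately no update/delete API."""

    def __init__(self, retention_days: int = 5 * 365) -> None:
        self._entries: list[AuditEntry] = []
        self.retention = timedelta(days=retention_days)  # five years by default

    def record(self, actor: str, action: str, subject: str,
               now: datetime | None = None) -> AuditEntry:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        ts = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
        if self._entries and ts < self._entries[-1].timestamp:
            raise ValueError("clock went backwards; refusing to record")
        entry = AuditEntry(len(self._entries) + 1, ts, actor, action, subject)
        self._entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Tamper evidence: sequence numbers contiguous, time never rewinds."""
        for i, e in enumerate(self._entries, start=1):
            if e.seq != i:
                return False
            if i > 1 and e.timestamp < self._entries[i - 2].timestamp:
                return False
        return True

    def window(self, start: datetime, end: datetime) -> list[AuditEntry]:
        """Entries with start <= timestamp < end."""
        return [e for e in self._entries if start <= e.timestamp < end]

    def expired(self, now: datetime) -> list[AuditEntry]:
        """Entries past retention. Reported for a recorded sweep, never auto-dropped."""
        cutoff = now - self.retention
        return [e for e in self._entries if e.timestamp < cutoff]

    @staticmethod
    def _row(e: AuditEntry) -> dict:
        row = asdict(e)
        row["timestamp"] = e.timestamp.isoformat()
        return row

    def export_json(self, start: datetime, end: datetime) -> str:
        return json.dumps([self._row(e) for e in self.window(start, end)], indent=2)

    def export_csv(self, start: datetime, end: datetime) -> str:
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
        writer.writeheader()
        for e in self.window(start, end):
            writer.writerow(self._row(e))
        return buf.getvalue()


# Constructed sample data: one document flowing through the pipeline.
T0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)


def build_sample_trail() -> AuditTrail:
    trail = AuditTrail()
    trail.record("svc:fetcher", "fetch", "doc-0001", now=T0)
    trail.record("svc:scorer", "relevance_verdict", "doc-0001", now=T0 + timedelta(minutes=5))
    trail.record("svc:scorer", "classification", "doc-0001", now=T0 + timedelta(minutes=10))
    trail.record("user:alice", "reviewer_confirmation", "doc-0001", now=T0 + timedelta(hours=2))
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print("chain intact:", t.verify())
    print(t.export_csv(T0, T0 + timedelta(hours=1)))
```

The first hour's window yields three entries in either format; the reviewer's confirmation two hours later falls outside it. Because `expired()` only reports, a retention sweep becomes an action you can itself record rather than a silent deletion.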

Data minimisation

We collect only what operating the service requires: B2B account data (name, work email, role). We hold no personal data of your end-customers, and we never send personal data to any AI model — only public regulatory documents are processed.

AI governance (EU AI Act)

We deploy AI models, we don't build them — so under the EU AI Act we are a Deployer (Art. 26). Self-assessed as not high-risk (Art. 6(4)): we score documents, not people. AI scores are decision support with a human in the loop, machine-generated output is labelled in the dashboard (Art. 50(4)), and there is no automated decision-making about users (Art. 22). The tool that watches the regulators is itself built to the rules it tracks.

Sub-processors

We engage the following processors under Art. 28 GDPR, each under a data-processing agreement. A current list is part of our DPA.

Provider             | Purpose                                   | Region                         | Transfer basis
---------------------|-------------------------------------------|--------------------------------|---------------------------
EU cloud hosting     | Application hosting + database            | EU / EEA                       | DPA (Art. 28)
Vercel Inc.          | Public-site hosting, cookieless analytics | USA (HQ) · EU region Frankfurt | EU-US DPF (Art. 45) + DPA
Email provider       | Delivery of alert emails                  | EU                             | DPA
Google (Gemini API)  | Document scoring — public text only       | USA                            | SCCs (Art. 46(2)(c))
Groq                 | Scoring fallback                          | USA                            | SCCs
MiniMax              | Independent second-pass verification      |                                | SCCs + TIA

On our roadmap

We're transparent about what we have and what we're still building. The measures above are live today; our technical and organisational measures are documented per Art. 32 GDPR. The following are in progress, not yet achieved:

  • ISO 27001 certification — in progress (targeted for year two). We are not yet ISO 27001 certified.
  • SOC 2 Type II readiness — in progress.

We don't claim a certification we don't hold. The moment an audit is complete, it appears here, dated.

Security FAQ

Where is our data hosted?

On European cloud infrastructure, within the EU/EEA. The public website runs in Vercel's Frankfurt region.

Is any of our data sent to AI models?

No personal or customer-confidential data. The AI models that score regulatory documents receive only publicly published regulator text — under EU Standard Contractual Clauses.

Can we sign a DPA?

Yes. Under Art. 28 GDPR you are the controller and we are the processor; a data-processing agreement is available — request it with your demo.

How long is the audit trail kept, and can we export it?

Five years by default, configurable to your internal policy. Export any time window to CSV or JSON on every tier.

Are you a high-risk AI system under the EU AI Act?

No. We operate as a Deployer (Art. 26) and self-assess as not high-risk (Art. 6(4)) — we score documents, not natural persons.

Due-diligence-ready from day one.

Request our security pack and DPA with your demo — or read the full privacy notice.