← Trust Center

Certifications & Compliance Roadmap

Where Eubulia stands on formal compliance certifications today, and where we are going. We believe in honest disclosure: this page is updated as our posture evolves, and you can ask questions anytime.

Last updated: 2026-05-04 · Stage: Pre-launch alpha · Contact: hello@eubulia.eu

Current status

Eubulia has no formal third-party security certifications today. We are a solo-founder pre-launch company. Pursuing SOC 2 Type 1 + ISO 27001 before having paying customers would not produce meaningful evidence — certifications attest to processes operating over time, and we do not yet have the customer base or operational history to make those audits substantive.

What we do have is a defensible compliance posture grounded in our architecture and operational practices. We are happy to demonstrate this in detail to any prospective customer's procurement team via questionnaires, customer-led audits, or direct review.

What we have today

Defensible posture

  • GDPR-compliant architecture — see Privacy Policy and DPA
  • EU-hosted by default (Supabase + Qdrant + Render, all Frankfurt region)
  • Multi-tenant isolation via PostgreSQL Row-Level Security on 15 core tables; per-organization isolation on 35 tables
  • Bitemporal audit trail by design — every state change preserved as immutable version
  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Authentication: Supabase JWT + Google & Microsoft SSO + email allowlist
  • Customer documents stay in Customer's cloud — never copied to Eubulia servers
  • Sub-processor list maintained at /legal/sub-processors with 30-day change notification
  • DPA available on request (GDPR Art. 28)
  • 72-hour breach notification to Controller (GDPR Art. 33)
  • Per-client hard-delete tooling (GDPR Art. 17) with cascade across vector indexes and backups
  • Zero training on customer data — contractually enforced via LLM-vendor DPAs

Honest gaps

  • No SOC 2 Type 1 or Type 2 yet
  • No ISO 27001 yet
  • No formal Information Security Management System (ISMS) documented as a standalone artifact (controls live in code + this Trust Center, not in a 200-page document)
  • No penetration test report from a third-party firm yet (planned before GA)
  • No formal Disaster Recovery (DR) test conducted (we rely on Supabase managed DR; an end-to-end DR drill is planned at GA)
  • Single-person operations: the founder is currently the sole administrator. Bus-factor mitigation (key escrow, secondary admin, or acquisition by a larger entity) is part of the SOC 2 readiness work

Compliance roadmap

The order we are pursuing certifications, and why.

CertificationStatusTargetRationale
GDPR compliance Operational Continuous Architecture + DPA + sub-processor governance live since alpha-launch. Privacy Policy + DPA published.
EU-U.S. Data Privacy Framework alignment Operational Continuous Standard Contractual Clauses (SCC, Decision 2021/914/EU) in place with US sub-processors (Anthropic, OpenAI, Google). Customer can disable all non-EU processing via Settings.
CAIQ Lite responses On request 2026 Q3 We respond to Cloud Security Alliance CAIQ Lite questionnaires within 10 business days. A pre-completed master copy will be published once the first 5 procurement reviews stabilize the answers.
Penetration test (third-party) Planned Pre-GA (2026 H2) Independent security firm engagement before General Availability launch. Findings remediated and summary report shareable under NDA.
SOC 2 Type 1 Planned ~50 paying customers (estimated 2026 H2 / 2027 H1) Type 1 attests controls are designed appropriately at a point in time. We pursue this once we have ~6 months of operational history with paying customers, so the auditor sees the system actually being used.
SOC 2 Type 2 Planned ~12 months after Type 1 Type 2 attests controls operated effectively over 6-12 months. This is the certification most enterprise buyers actually require. We engage a Vanta-style continuous-compliance platform alongside the audit firm.
ISO 27001 Planned ~12-18 months after SOC 2 Type 2 ISO 27001 is the global ISMS standard, particularly important for European enterprise and public-sector buyers. We pursue it after SOC 2 because the control overlap is substantial and starting with SOC 2 builds the documentation base.
Schrems II addendum On request 2026 Q3 Sectoral addendum for customers with strict cross-border data-transfer requirements. Available on request now; standardized in the public DPA at GA.
Sovereign / on-prem deployment Roadmap 2026 H2 Deployment to Customer's own Azure EU tenant for compliance-bound clients (defense, government, regulated healthcare). See Security overview.

Why this order

The sequence is deliberate, not arbitrary:

What this means for you (today)

If you are evaluating Eubulia for use with regulated client data now:

Independent verification of substance

Even without a certification stamp, you can verify our claims directly:

Subscribe to updates

We notify customers via email when this page is materially updated (new certification achieved, roadmap change, scope expansion). Active customers are subscribed automatically; non-customers can email hello@eubulia.eu with subject "Compliance updates" to opt in.

Need a security questionnaire response?

Email hello@eubulia.eu with subject "Security questionnaire" and attach your firm's format (CAIQ, SIG Lite, Vanta Trust, your custom). We respond within 10 business days. There is no charge during alpha.