← Trust Center
Certifications & Compliance Roadmap
Where Eubulia stands on formal compliance certifications today, and where we are going. We believe in honest disclosure: this page is updated as our posture evolves, and you can ask questions anytime.
Last updated: 2026-05-04 · Stage: Pre-launch alpha · Contact: hello@eubulia.eu
Current status
Eubulia has no formal third-party security certifications today. We are a solo-founder pre-launch company. Pursuing SOC 2 Type 1 + ISO 27001 before having paying customers would not produce meaningful evidence — certifications attest to processes operating over time, and we do not yet have the customer base or operational history to make those audits substantive.
What we do have is a defensible compliance posture grounded in our architecture and operational practices. We are happy to demonstrate this in detail to any prospective customer's procurement team via questionnaires, customer-led audits, or direct review.
What we have today
Defensible posture
- GDPR-compliant architecture — see Privacy Policy and DPA
- EU-hosted by default (Supabase + Qdrant + Render, all Frankfurt region)
- Multi-tenant isolation via PostgreSQL Row-Level Security on 15 core tables; per-organization isolation on 35 tables
- Bitemporal audit trail by design — every state change preserved as immutable version
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Authentication: Supabase JWT + Google & Microsoft SSO + email allowlist
- Customer documents stay in Customer's cloud — never copied to Eubulia servers
- Sub-processor list maintained at /legal/sub-processors with 30-day change notification
- DPA available on request (GDPR Art. 28)
- 72-hour breach notification to Controller (GDPR Art. 33)
- Per-client hard-delete tooling (GDPR Art. 17) with cascade across vector indexes and backups
- Zero training on customer data — contractually enforced via LLM-vendor DPAs
Honest gaps
- No SOC 2 Type 1 or Type 2 yet
- No ISO 27001 yet
- No formal Information Security Management System (ISMS) documented as a standalone artifact (controls live in code + this Trust Center, not in a 200-page document)
- No penetration test report from a third-party firm yet (planned before GA)
- No formal Disaster Recovery (DR) test conducted (we rely on Supabase managed DR; an end-to-end DR drill is planned at GA)
- Single-person operations: the founder is currently the sole administrator. Bus-factor mitigation (key escrow, secondary admin, or acquisition by a larger entity) is part of the SOC 2 readiness work
Compliance roadmap
The order we are pursuing certifications, and why.
| Certification | Status | Target | Rationale |
| GDPR compliance |
Operational |
Continuous |
Architecture + DPA + sub-processor governance live since alpha-launch. Privacy Policy + DPA published. |
| EU-U.S. Data Privacy Framework alignment |
Operational |
Continuous |
Standard Contractual Clauses (SCC, Decision 2021/914/EU) in place with US sub-processors (Anthropic, OpenAI, Google). Customer can disable all non-EU processing via Settings. |
| CAIQ Lite responses |
On request |
2026 Q3 |
We respond to Cloud Security Alliance CAIQ Lite questionnaires within 10 business days. A pre-completed master copy will be published once the first 5 procurement reviews stabilize the answers. |
| Penetration test (third-party) |
Planned |
Pre-GA (2026 H2) |
Independent security firm engagement before General Availability launch. Findings remediated and summary report shareable under NDA. |
| SOC 2 Type 1 |
Planned |
~50 paying customers (estimated 2026 H2 / 2027 H1) |
Type 1 attests controls are designed appropriately at a point in time. We pursue this once we have ~6 months of operational history with paying customers, so the auditor sees the system actually being used. |
| SOC 2 Type 2 |
Planned |
~12 months after Type 1 |
Type 2 attests controls operated effectively over 6-12 months. This is the certification most enterprise buyers actually require. We engage a Vanta-style continuous-compliance platform alongside the audit firm. |
| ISO 27001 |
Planned |
~12-18 months after SOC 2 Type 2 |
ISO 27001 is the global ISMS standard, particularly important for European enterprise and public-sector buyers. We pursue it after SOC 2 because the control overlap is substantial and starting with SOC 2 builds the documentation base. |
| Schrems II addendum |
On request |
2026 Q3 |
Sectoral addendum for customers with strict cross-border data-transfer requirements. Available on request now; standardized in the public DPA at GA. |
| Sovereign / on-prem deployment |
Roadmap |
2026 H2 |
Deployment to Customer's own Azure EU tenant for compliance-bound clients (defense, government, regulated healthcare). See Security overview. |
Why this order
The sequence is deliberate, not arbitrary:
- GDPR first. EU consultants serving EU clients live and die by GDPR. We architected for it from day one.
- Penetration test before SOC 2. A clean pen-test report is required as evidence in any SOC 2 audit. Doing it as a standalone exercise first means we remediate quietly, then audit cleanly.
- SOC 2 before ISO 27001. Both certify similar things. SOC 2 is faster (~6-9 months end-to-end), cheaper (~€15-30K vs €25-50K), and more readable for the consulting buyer (single report vs ISMS documentation set). Documents prepared for SOC 2 carry over to ISO 27001 with ~70% reuse.
- Sovereign deployment alongside SOC 2. Certain regulated buyers won't ever use a managed-multi-tenant service regardless of certification. Sovereign-deployment-mode is a parallel track, not a substitute for certification.
What this means for you (today)
If you are evaluating Eubulia for use with regulated client data now:
- Most consulting work fits. Standard professional consulting (transformation, strategy, programme management) for non-sectoral clients is well-served by our current GDPR-compliant + EU-hosted posture + DPA.
- Healthcare / financial services / public sector: Your client may require SOC 2 / ISO 27001 from your tools as part of their procurement chain. We can:
- Provide CAIQ Lite responses + a security questionnaire response within 10 business days
- Sign Customer-specific addenda (Schrems II, additional security controls)
- Discuss sovereign deployment (Customer's own Azure EU tenant) as a roadmap item
- Defense / government: Wait for sovereign-deployment readiness (2026 H2). Standard managed multi-tenant service is unlikely to clear procurement at this tier.
Independent verification of substance
Even without a certification stamp, you can verify our claims directly:
- EU-only mode test: set GDPR-mode to "EU-only" in Settings — Eubulia routes 100% to Mistral EU. Verifiable in your Settings → Usage → router log.
- RLS verification: we run an automated RLS audit (`npm run audit:rls`) before each prod deploy. Latest report available on request.
- Customer-led audit: per DPA Section 10, you may conduct an audit with 30 days' notice.
- Architecture transparency: our public Trust Center, sub-processor list, and roadmap (this page) are intentionally specific. Hand-waving is not a strategy.
Subscribe to updates
We notify customers via email when this page is materially updated (new certification achieved, roadmap change, scope expansion). Active customers are subscribed automatically; non-customers can email hello@eubulia.eu with subject "Compliance updates" to opt in.
Need a security questionnaire response?
Email hello@eubulia.eu with subject "Security questionnaire" and attach your firm's format (CAIQ, SIG Lite, Vanta Trust, your custom). We respond within 10 business days. There is no charge during alpha.