Security & Compliance

Last reviewed: April 2026

EUSecureAI is designed to support organizations working with NIS2-relevant requirements. We do not claim certification, but we have built our platform around strong security principles from the ground up.

View technical security details →

Security Principles

Role-Based Access Control

Three permission levels (Member, Admin, Owner) enforced server-side on every API route.

Audit Logging

All significant actions logged with actor, timestamp, and organization context.
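The role check and the audit record described under Role-Based Access Control and Audit Logging, as an added Go example that is not EUSecureAI's code (the platform's language and schema are not stated on this page). The three roles are the page's own; the route paths, user and organization names, and the policy table are constructed for illustration. It shows the two properties a reviewer should look for: the check fails closed for any route that has no policy entry, and a role is looked up in the organization named by the request, so an Owner of one organization gets nothing in another.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Role ranks: a higher rank satisfies any lower requirement (Owner > Admin > Member).
type Role int

const (
	NoAccess Role = iota
	Member
	Admin
	Owner
)

// A Membership is a role inside one organization. Roles are never global: the same
// user can be Owner of one org and have no access at all to another.
type Membership struct {
	UserID, OrgID string
	Role          Role
}

// AuditEntry records who tried what, in which org, when, and whether it was allowed.
// Denied attempts are logged too; they are the ones an investigator wants most.
type AuditEntry struct {
	At      time.Time
	Actor   string
	OrgID   string
	Action  string
	Allowed bool
	Reason  string
}

type Server struct {
	members []Membership
	policy  map[string]Role // "METHOD /path" -> minimum role
	Audit   []AuditEntry
}

func (s *Server) roleIn(userID, orgID string) Role {
	for _, m := range s.members {
		if m.UserID == userID && m.OrgID == orgID {
			return m.Role
		}
	}
	return NoAccess
}

type Request struct{ Method, Path, UserID, OrgID string }

var (
	ErrForbidden = errors.New("forbidden")
	ErrNoPolicy  = errors.New("route has no policy entry")
)

// Authorize is the single chokepoint every handler goes through. It fails closed:
// a route missing from the policy table is denied, so a new endpoint cannot ship
// unprotected by accident, and the role is always looked up in the org named by
// the request, never in whichever org the user happens to be Owner of.
func (s *Server) Authorize(r Request, now time.Time) error {
	action := r.Method + " " + r.Path
	need, known := s.policy[action]
	var err error
	switch {
	case !known:
		err = ErrNoPolicy
	case s.roleIn(r.UserID, r.OrgID) < need:
		err = ErrForbidden
	}
	reason := "ok"
	if err != nil {
		reason = err.Error()
	}
	s.Audit = append(s.Audit, AuditEntry{now, r.UserID, r.OrgID, action, err == nil, reason})
	return err
}

// newServer loads constructed sample memberships and a policy table (hypothetical
// route names); real data would come from the database.
func newServer() *Server {
	return &Server{
		members: []Membership{{"alice", "acme", Owner}, {"bob", "acme", Member}, {"alice", "globex", Member}},
		policy: map[string]Role{
			"GET /api/documents":  Member,
			"POST /api/documents": Admin,
			"POST /api/members":   Admin,
			"DELETE /api/org":     Owner,
			"POST /api/ai/query":  Member,
		},
	}
}

func main() {
	s := newServer()
	for _, r := range []Request{
		{"POST", "/api/members", "alice", "acme"},  // Owner in acme: allowed
		{"POST", "/api/members", "bob", "acme"},    // Member in acme: forbidden
		{"DELETE", "/api/org", "alice", "globex"},  // Owner elsewhere, Member here: forbidden
		{"GET", "/api/documents", "bob", "globex"}, // no membership at all: forbidden
		{"GET", "/api/export", "alice", "acme"},    // route not in policy: denied
	} {
		fmt.Printf("%-22s %-6s %-7s -> %v\n", r.Method+" "+r.Path, r.UserID, r.OrgID, s.Authorize(r, time.Now()))
	}
	for _, e := range s.Audit {
		fmt.Printf("audit %s actor=%s org=%s action=%q allowed=%v\n", e.At.Format(time.RFC3339), e.Actor, e.OrgID, e.Action, e.Allowed)
	}
}
```

The audit entry is written for every decision, including denials and unknown routes, which is what makes the log useful for incident response rather than only for usage statistics. When adding a route, the only way to make it reachable is to add a policy entry, which is the behaviour "enforced on every API route" should mean in practice.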

Rate Limiting

API endpoints are rate limited to throttle abuse and automated attacks. This matters most on the unauthenticated endpoints that issue magic links and verify 2FA codes, where unlimited attempts would let an attacker guess a six-digit code or flood a mailbox.

Secure Authentication

Magic-link email authentication, so no passwords are stored anywhere in the system. Organization-enforced TOTP two-factor authentication (2FA), with the TOTP secrets stored encrypted under AES-256-GCM and single-use backup codes for recovery.
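The enrollment and verification flow those sentences describe, as an added Go example that is not EUSecureAI's code (the platform's language and key management are not stated on this page). It assumes a 32-byte key held in a KMS or environment secret, RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) for the TOTP codes, and SHA-256 hashes for the backup codes; the owner-binding string passed as GCM associated data and the demo identifiers are illustrative choices. The magic-link step itself is not shown, since the page gives no detail about it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD. aes.NewCipher silently accepts 16- and 24-byte
// keys too, so the length is checked to keep the "256" honest. The key is assumed
// to live in a KMS or environment secret, never in the database beside the rows.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256-GCM needs a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSecret encrypts a TOTP seed under a fresh random nonce; aad binds the
// ciphertext to its owner row so it cannot be copied onto another user's record.
func sealSecret(key, secret, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, secret, aad), nil
}

// openSecret fails on a wrong key, nonce or aad and on any altered ciphertext
// byte, because GCM verifies the tag before releasing plaintext.
func openSecret(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// totpCode is RFC 6238 with the defaults authenticator apps expect:
// HMAC-SHA1, 30-second step, 6 digits.
func totpCode(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(sum[off:off+4])&0x7fffffff)%1000000)
}

// verifyTOTP accepts the current step and one either side for clock drift,
// comparing every candidate in constant time and never returning early.
func verifyTOTP(secret []byte, code string, unixTime int64) bool {
	ok := false
	for _, skew := range []int64{-30, 0, 30} {
		ok = hmac.Equal([]byte(totpCode(secret, unixTime+skew)), []byte(code)) || ok
	}
	return ok
}

// BackupCodes holds SHA-256 hashes of the codes not yet used; the plaintext is
// shown to the user once at enrollment and never stored.
type BackupCodes map[string]struct{}

func hashCode(code string) string { h := sha256.Sum256([]byte(code)); return hex.EncodeToString(h[:]) }

func newBackupCodes(n int) ([]string, BackupCodes, error) {
	plain, store := make([]string, 0, n), BackupCodes{}
	for i := 0; i < n; i++ {
		var b [5]byte // 40 bits of entropy per code
		if _, err := rand.Read(b[:]); err != nil {
			return nil, nil, err
		}
		code := hex.EncodeToString(b[:])
		plain = append(plain, code)
		store[hashCode(code)] = struct{}{}
	}
	return plain, store, nil
}

// Use deletes the hash on success, which is what makes each code single-use.
func (b BackupCodes) Use(code string) bool {
	h := hashCode(code)
	if _, found := b[h]; !found {
		return false
	}
	delete(b, h)
	return true
}

func main() { // constructed demo data
	key := make([]byte, 32)
	rand.Read(key)
	nonce, ct, _ := sealSecret(key, []byte("12345678901234567890"), []byte("org=acme;user=42"))
	_, err := openSecret(key, nonce, ct, []byte("org=acme;user=43"))
	plain, codes, _ := newBackupCodes(8)
	fmt.Println("opens under another user's aad:", err == nil, "| backup first use:", codes.Use(plain[0]), "reuse:", codes.Use(plain[0]))
}
```

Two details carry most of the value. Passing the owning user and organization as associated data means a leaked or swapped ciphertext is useless on any other row, even though the key is shared; and deleting the backup-code hash on first use, inside the same transaction that accepts the login in a real deployment, is what makes "single-use" true under concurrent attempts. Verification of the live TOTP code should also remember the last accepted step so a code sniffed from the user cannot be replayed within its window.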

Infrastructure

EU Hosting

Platform and database hosted entirely within the European Union (OVH, France).

Data Isolation

Each organization's data is fully isolated — no cross-tenant data access.

Encryption in Transit

All communication is encrypted with TLS. Database connections also require TLS, with the server certificate verified so that a connection to a spoofed database host is rejected rather than silently established.

Managed Backups

Automated daily backups managed by OVH with point-in-time recovery capabilities.

AI & Data Handling

No Cross-Organization Leakage

AI queries are scoped strictly to the requesting organization's knowledge base.

Controlled AI Usage

Organizations control which documents are available to the AI and who can query it.

AI Activity Logging

AI interactions are logged per user and organization for full traceability.

Security Documentation

Download our security documentation for due diligence and vendor assessments.

Security Overview

A summary of our security architecture, infrastructure, and data handling practices.

Download PDF

Incident Response Plan

Our documented process for detecting, containing, and recovering from security incidents.

Download PDF

Data Protection & Compliance

EUSecureAI acts as a data processor on behalf of our customers and processes personal data only as instructed. A Data Processing Agreement is available for customers who require formal GDPR documentation. Sub-processors used in the delivery of the service are disclosed transparently.

Questions about our security posture?

Our team is happy to answer security questions for due diligence processes.

Contact security team