Security & trust
We treat security like infrastructure: there's a runbook, an audit log, and a contract you can read.
EU data residency by default
All operational data lives in EU data centres (Hetzner FRA, OVH FRA). Click events go to ClickHouse with a default 365-day retention; metadata in PostgreSQL. We do not back up to non-EU regions, ever.
Encryption everywhere
TLS 1.3 on every redirect, every API call, every dashboard request. Custom-domain certs are issued automatically by Caddy on-demand TLS. Database volumes are encrypted at rest with LUKS.
RBAC, audit log, custom roles
Four built-in roles — owner, admin, editor, viewer. Custom roles with fine-grained ABAC permissions on Business. Every mutation lands in an immutable audit log; SIEM-kind webhook endpoints can fan it out to Splunk, Datadog, or your stack.
SSO, SCIM, IP allowlist, passkeys
WorkOS-backed SAML and OIDC, SCIM directory sync, per-workspace CIDR allowlists, WebAuthn / passkey sign-in. Everything that lets you turn shadow-IT short links into managed infrastructure.
Compliance posture
GDPR DPA in the box. HIPAA BAA available on Business. SOC 2 Type II audit in progress — let us know if your procurement team needs a status letter.
Incident response
24h status page, 30-minute RPO, 1-hour RTO targets on the redirect tier. Post-mortems within 5 business days for any redirect-tier incident over 5 minutes.
Sub-processors
Short list, EU-only, kept current at /legal/subprocessors.
| Vendor | Purpose | Region |
|---|---|---|
| Hetzner Online GmbH | Primary hosting (Frankfurt) | EU (DE) |
| OVH SAS | Secondary hosting (Frankfurt) | EU (DE) |
| Postmark (ActiveCampaign) | Transactional email | EU (DE) servers |
| monobank Plata | Payments processing (replaced LiqPay, ADR-0026) | EU |
| WorkOS | SSO / SCIM identity proxy | EU + US |
Policies you can read
Need a security questionnaire reviewed?
We pre-fill the SIG, CAIQ, and EU Cloud CoC questionnaires — send your form to security@elido.app and you'll have an answer within 72 hours.