Elido
Trust Center

Trust, written down.

Elido is EU-hosted by default, GDPR-friendly, and built with audit trails baked in. Everything below is what we already do - not what we plan to.

SOC 2 Type II (Type I today; Type II in observation)
ISO 27001
GDPR
HIPAA-aware (Business)
EU residency
Workspace region · pin once
irreversible at create
  • EU region (EU)
    EU residency · default

    Default for every workspace. Audit log, clicks, backups stay in-region. No DPF or Schrems II reliance.

  • US East (US)
    Opt-in

    Workspace creation only. Irreversible. For US-resident customers who want a US data path.

  • Asia-Pacific (APAC)
    Business+ · opt-in

    Workspace creation only. Irreversible. APAC residency for Business and Enterprise plans.

No cross-region replication for hot data (audit · clicks · backups)

5 · Sub-processors, public list
90d · Pro audit retention (7y on Business)
30d · DSAR SLA (5d expedited on Business)
0 · Cross-region transfers for hot data

What "trust" means in product terms

What we mean by trust

Each pillar maps to something concrete you can grep for in the audit log, the DPA, or our public infra repo. No marketing ambiguity.

EU residency, by default

All operational data stays in the EU region. Business plans can pin to US East or Asia-Pacific. Free + Pro never leave the EU.

Audit trail on everything

Workspace settings, role changes, key rotations, link creates, deletions, exports. Every event has a who, when, and what - exportable.

Read-only by default for AI

AI integrations get scoped, rotatable keys. Write/delete access is an explicit, audited workspace setting - not a default.

BYOK and customer-managed keys

Bring your own KMS for at-rest encryption on Business. Rotate keys without re-encrypting cold storage.

Anti-abuse pipeline

Every link runs through a composite scanner (URLhaus + Google Safe Browsing + heuristics) on create and again on a rolling re-scan worker.
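The scanner described above, as an added example in Python (not Elido's code). The two feed sets are constructed stand-ins for live URLhaus and Google Safe Browsing lookups; the heuristics, the "two heuristics block, one feed hit blocks" policy, and the 24-hour re-scan interval are assumptions chosen to show how a composite verdict and a rolling re-scan pass fit together.

```python
"""Composite link scanner: feed lookups plus local heuristics, with the
re-scan pass a rolling worker would run.

Added illustration, not Elido's code. URLHAUS_HOSTS and GSB_URLS are
constructed stand-ins for live URLhaus / Google Safe Browsing lookups; the
heuristics, thresholds and the 24h re-scan interval are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample feed data standing in for the live lookups.
URLHAUS_HOSTS = {"malware-drop.example"}
GSB_URLS = {"http://phish.example/login"}
SUSPICIOUS_TLDS = {"zip", "mov"}          # assumption: abused-TLD list
RESCAN_INTERVAL = 24 * 3600               # assumption: seconds between re-scans
NESTED_URL = re.compile(r"https?(://|%3a%2f%2f)", re.IGNORECASE)


@dataclass
class Verdict:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def heuristic_findings(url: str) -> list[str]:
    """Structural signals that need no external feed."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme not in ("http", "https"):
        findings.append("scheme:" + (parts.scheme or "none"))
    host = (parts.hostname or "").lower()
    if not host:
        findings.append("no-host")
        return findings
    if parts.username is not None:            # https://bank.example@evil.example/
        findings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)            # IP literal sidesteps domain reputation
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode-host")      # possible homoglyph domain
    if host.count(".") >= 4:
        findings.append("deep-subdomain")
    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        findings.append("tld:" + tld)
    if NESTED_URL.search(parts.path + "?" + parts.query):
        findings.append("nested-url")         # redirect chaining through the link
    return findings


def scan(url: str) -> Verdict:
    """A feed hit blocks outright; heuristics block only when two or more agree,
    so one odd-but-legitimate signal does not break link creation."""
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    if host in URLHAUS_HOSTS:
        reasons.append("urlhaus:host")
    if url in GSB_URLS:                       # the real GSB API canonicalises first
        reasons.append("gsb:url")
    heuristics = heuristic_findings(url)
    allowed = not reasons and len(heuristics) < 2
    return Verdict(allowed, reasons + heuristics)


def rescan(links: list[dict], now: int) -> list[dict]:
    """Rolling re-scan: a target that was clean at create can be weaponised later.
    Each link is {"slug", "target", "last_scan", "allowed"}; returns the links
    whose verdict flipped since their last scan, with the new verdict filled in."""
    flipped = []
    for link in links:
        if now - link["last_scan"] < RESCAN_INTERVAL:
            continue
        verdict = scan(link["target"])
        if verdict.allowed != link["allowed"]:
            flipped.append({**link, "allowed": verdict.allowed,
                            "reasons": verdict.reasons, "last_scan": now})
    return flipped


if __name__ == "__main__":
    for u in ("https://go.acme.eu/docs", "http://bank.example@203.0.113.5/login"):
        print(u, scan(u))
```

The create-path call is `scan(target)`; the worker calls `rescan(batch, now)` over links whose `last_scan` is older than the interval and writes back only the flipped ones, which is also the set worth emitting as audit events.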

Sub-processor transparency

Full list, location, and purpose. We notify on additions; opt-out routes available for some.

Append-only audit log

Every state change is recorded.

Append-only is enforced at the database layer: the audit table grants only INSERT and SELECT to application roles, with no UPDATE or DELETE. Even our own admins can't rewrite history without a migration that shows up in change control. Retention is 90 days on Pro and 7 years on Business - covering SOX, MiFID II, and HIPAA without an add-on.

  • Actor identity
    User ID or service principal, plus source IP and request ID
  • Before/after diff
    Structured JSON diff of the changed row - not just a text log line
  • SIEM firehose
    HMAC-signed webhook to Splunk / Datadog / ELK in real time
  • Tamper-evident
    Database GRANT enforcement; no UPDATE / DELETE for app roles
Security overview →
Audit entry · evt_8c41a7
domain.claim · ws_8a2f
Timestamp (UTC): 2026-05-08T11:42:18Z
Source IP: 203.0.113.42 · DE
Source: dashboard · req_a4f9c1
Diff:
  {
    "domain": "go.acme.eu",
-   "status": "pending_dns",
+   "status": "verified",
-   "tls_mode": "none",
+   "tls_mode": "on_demand",
+   "verified_at": "2026-05-08T11:42:18Z",
    "workspace_id": "ws_8a2f"
  }
Event type: domain.claim
Diff lines: +3 / -2
Retention: 7 years (Business)
Append-only · enforced by database GRANT · Streamed to SIEM
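The two audit-log properties a SIEM consumer actually touches are the structured before/after diff and the HMAC-signed firehose. The following is an added example in Python, not Elido's code: it rebuilds the domain.claim entry above from constructed before/after rows (the actor id is made up), computes the field-level diff and its +3 / -2 line count, and shows both sides of the signed webhook. The header names, the "timestamp.body" signing string and the 300-second replay tolerance are assumptions; the GRANT-based append-only enforcement is a database-role setting and is not reproduced here.

```python
"""Audit event with a structured before/after diff, and the HMAC-signed SIEM
webhook as both the sender and the receiving collector would compute it.

Added illustration, not Elido's code. The header names, the "timestamp.body"
signing string and the 300 s replay tolerance are assumptions; the sample rows
reproduce the domain.claim entry on the page and are constructed here.
"""
import hashlib
import hmac
import json

# Constructed sample: the row before and after the domain.claim event.
SAMPLE_BEFORE = {"domain": "go.acme.eu", "status": "pending_dns",
                 "tls_mode": "none", "workspace_id": "ws_8a2f"}
SAMPLE_AFTER = {"domain": "go.acme.eu", "status": "verified",
                "tls_mode": "on_demand", "verified_at": "2026-05-08T11:42:18Z",
                "workspace_id": "ws_8a2f"}
REPLAY_TOLERANCE = 300  # assumption: seconds of clock skew the collector accepts


def row_diff(before: dict, after: dict) -> dict:
    """Field-level diff {field: [old, new]}; a side that lacks the field is None.
    Storing this rather than a text line keeps the diff queryable in the SIEM."""
    changes = {}
    for key in sorted(set(before) | set(after)):
        if before.get(key) != after.get(key):
            changes[key] = [before.get(key), after.get(key)]
    return changes


def diff_line_counts(changes: dict) -> tuple[int, int]:
    """(+lines, -lines) as a unified diff of the JSON would render them."""
    plus = sum(1 for _old, new in changes.values() if new is not None)
    minus = sum(1 for old, _new in changes.values() if old is not None)
    return plus, minus


def build_event(event_id, event_type, workspace_id, actor, source_ip,
                request_id, ts, before, after) -> dict:
    """Who / when / what: actor identity, source, request correlation, diff."""
    return {"id": event_id, "type": event_type, "workspace_id": workspace_id,
            "actor": actor, "source_ip": source_ip, "request_id": request_id,
            "ts": ts, "diff": row_diff(before, after)}


def canonical(event: dict) -> bytes:
    """Deterministic serialisation: sender and receiver must MAC identical bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _mac(secret: bytes, sent_at: int, body: bytes) -> str:
    return hmac.new(secret, b"%d." % sent_at + body, hashlib.sha256).hexdigest()


def sign_webhook(secret: bytes, body: bytes, sent_at: int) -> dict:
    """Outbound headers. Binding sent_at into the MAC means a captured delivery
    cannot be replayed into the SIEM once the tolerance window has passed."""
    return {"X-Elido-Timestamp": str(sent_at),
            "X-Elido-Signature": "v1=" + _mac(secret, sent_at, body)}


def verify_webhook(secret: bytes, body: bytes, headers: dict, now: int) -> bool:
    """Collector side: check freshness first, then a constant-time MAC compare
    over the raw body bytes (never over a re-serialised parse of them)."""
    try:
        sent_at = int(headers["X-Elido-Timestamp"])
        sig = headers["X-Elido-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - sent_at) > REPLAY_TOLERANCE:
        return False
    return hmac.compare_digest("v1=" + _mac(secret, sent_at, body), sig)


def sample_event() -> dict:
    """The page's domain.claim entry; actor id is a constructed placeholder."""
    return build_event("evt_8c41a7", "domain.claim", "ws_8a2f", "usr_example",
                       "203.0.113.42", "req_a4f9c1", "2026-05-08T11:42:18Z",
                       SAMPLE_BEFORE, SAMPLE_AFTER)


if __name__ == "__main__":
    body = canonical(sample_event())
    hdrs = sign_webhook(b"shared-secret", body, 1_778_000_000)
    print(diff_line_counts(sample_event()["diff"]),
          verify_webhook(b"shared-secret", body, hdrs, 1_778_000_010))
```

On the collector side the important detail is verifying over the exact bytes received, before any JSON parsing, and rejecting deliveries outside the tolerance window; an unbounded window turns a single captured request into a permanent way to inject events into the SIEM.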

Data subject access requests

Subject rights via API.

You receive a subject request from your end user. You forward it via the dashboard or API as a controller-on-behalf-of-subject request - Elido authenticates the controller (you), not the subject. The bundle is a signed zip: identity record, links, audit-log entries where the subject is the actor, billing receipts if the subject is a workspace owner. Standard SLA is 30 days; Business expedited returns inside 5 business days.

  1. Subject request · End user → controller (you)
     Subject contacts you. You authenticate them in your own product, not in Elido.

  2. DSAR API call · POST /v1/dsar
     Forward as a controller-on-behalf request with subject email + request type (export / erase).

  3. Workspace bundle · signed zip · JSON + CSV
     Identity, links, audit-log entries where the subject is the actor, billing if owner, anonymised click metadata.

  4. SLA · 30 days · 5 days expedited
     Standard SLA on every plan; Business expedited tier returns inside 5 business days.
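The controller-side half of this flow, as an added example in Python (not Elido's code or SDK). The page specifies only the endpoint, "subject email + request type (export / erase)" and a signed zip; the request body field names, the detached HMAC-SHA256 signature over the zip bytes keyed with the controller's API secret, and the member file names are assumptions, and the sample bundle is constructed inline. The point it adds is ordering: verify the signature over the raw bytes, then check member names for path escapes, and only then parse.

```python
"""Controller-side DSAR flow: build the POST /v1/dsar body, then verify the
returned bundle before reading anything out of it.

Added illustration, not Elido's code or SDK. Body field names, the detached
HMAC-SHA256 bundle signature and the member file names are assumptions; the
sample bundle is constructed here.
"""
import hashlib
import hmac
import io
import json
import posixpath
import zipfile

REQUEST_TYPES = ("export", "erase")


def build_dsar_request(subject_email: str, request_type: str, ticket_ref: str) -> dict:
    """Body for POST /v1/dsar. Elido authenticates you as the controller; the
    subject must already have been verified in your own product."""
    if request_type not in REQUEST_TYPES:
        raise ValueError(f"request_type must be one of {REQUEST_TYPES}")
    if subject_email.count("@") != 1:
        raise ValueError("subject_email must be a single e-mail address")
    return {"subject_email": subject_email.strip().lower(),
            "request_type": request_type,
            "controller_reference": ticket_ref}   # your ticket id, for your own audit trail


def bundle_signature_ok(bundle: bytes, signature_hex: str, api_secret: bytes) -> bool:
    """Detached signature over the raw zip bytes, compared in constant time."""
    expected = hmac.new(api_secret, bundle, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_hex)


def unsafe_members(bundle: bytes) -> list[str]:
    """Member names that would escape an extraction directory (zip-slip):
    absolute paths, parent traversal after normalisation, or backslashes."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        for name in zf.namelist():
            norm = posixpath.normpath(name)
            if name.startswith("/") or "\\" in name or norm == ".." or norm.startswith("../"):
                bad.append(name)
    return bad


def subject_audit_entries(bundle: bytes, subject_email: str) -> list[dict]:
    """Audit-log entries in the bundle where the subject is the actor."""
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        entries = json.loads(zf.read("audit_log.json"))
    return [e for e in entries if e.get("actor") == subject_email]


def process_bundle(bundle: bytes, signature_hex: str, api_secret: bytes,
                   subject_email: str) -> list[dict]:
    """Order matters: signature, then member-name check, then parse."""
    if not bundle_signature_ok(bundle, signature_hex, api_secret):
        raise ValueError("bundle signature mismatch; do not open")
    bad = unsafe_members(bundle)
    if bad:
        raise ValueError(f"unsafe member names: {bad}")
    return subject_audit_entries(bundle, subject_email)


def make_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_sample_bundle(api_secret: bytes):
    """Constructed sample bundle and its signature, as the API would return them."""
    audit = [{"id": "evt_1", "type": "link.create", "actor": "alice@example.org"},
             {"id": "evt_2", "type": "link.delete", "actor": "bob@example.org"}]
    bundle = make_zip({
        "identity.json": json.dumps({"email": "alice@example.org"}).encode(),
        "links.csv": b"slug,target\nab12,https://example.org/\n",
        "audit_log.json": json.dumps(audit).encode(),
    })
    return bundle, hmac.new(api_secret, bundle, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print(build_dsar_request("Alice@Example.org", "export", "T-42"))
    data, sig = make_sample_bundle(b"api-secret")
    print(process_bundle(data, sig, b"api-secret", "alice@example.org"))
```

The member-name check is what makes it safe to hand the bundle to `ZipFile.extractall` afterwards; skipping it and trusting the signature alone means a compromised upstream could still write outside the target directory.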

Five sub-processors, listed publicly

Five vendors. Listed publicly.

The full list with vendor location, processing purpose, data categories, and DPA reference URL lives at /legal/subprocessors. Adding or replacing a sub-processor triggers a 30-day notice to every workspace admin via in-app banner and email before processing begins, so customers can object.

Sub-processor fan-out · workspace data flow
5 vendors · public list
Your workspace (ws_xxxx) · EU region (default)
  • Compute & hosting · ISO 27001
    Primary app + edge infrastructure
    EU · Germany + Finland
  • Edge compute · ISO 27001 · SOC 2
    Business region pins
    EU + APAC
  • Email delivery · SOC 2 Type II
    Transactional email
    EU (opt-out for EU-only)
  • Payments · PCI DSS L1
    Card acquiring
    EU
  • CDN + WAF · ISO 27001 · SOC 2
    Marketing proxy (not on the redirect path)
    Global · EU routing
Adding a vendor triggers a 30-day customer notice · /legal/subprocessors

Compliance posture

Where we stand on the frameworks customers ask about.

No future-tense claims. Each row says what is shipped today, what's in observation, and what's available as an add-on under contract.

Achieved · ISO 27001
Information security management system; the certified scope covers the full Elido platform.

In progress · SOC 2 Type II
Observation period running through H2 2026. Type I report available under NDA today.

Default · GDPR
EU residency by default, pre-signed DPA with standard SCCs, public sub-processor list.

Available · HIPAA-ready
BAA on Business+ with encryption, audit logging, and access controls already wired.

Default · EU residency
All operational data stays in the EU region. No reliance on Schrems II / DPF.

Default · Encryption
AES-256 at rest, TLS 1.3 in transit, KMS-backed key rotation. BYOK on Business.

Compliance FAQ

The questions procurement keeps emailing us.

Do you sign a DPA?

Yes. Our standard DPA is pre-signed with EU SCCs and downloadable from /legal/dpa. No negotiation needed for default terms - paid plans get it counter-signed automatically. Custom redlines are available on Business and Enterprise.

How many sub-processors do you use?

Five, mostly EU-based: compute + hosting (EU), edge compute for region pins (EU + APAC), transactional email (EU), payments (EU), and a marketing-only proxy + WAF that never touches the redirect path. The full named list with location, purpose, and DPA reference is at /legal/subprocessors.

Is region pinning available on every plan?

EU residency is the default for every workspace, on every plan, and never changes. Opt-in pinning to US East or Asia-Pacific is workspace-only, irreversible at create time, and gated to Business and Enterprise plans.

What's the DSAR turnaround?

30 days standard SLA on every plan. Business and Enterprise get a 5-business-day expedited tier. DSARs are filed via API or dashboard (POST /v1/dsar): you authenticate the subject in your own product, we authenticate you as the controller, and the bundle ships as a signed zip with identity, links, audit-log entries where the subject is the actor, and billing records if the subject is a workspace owner.

How do BAAs work for HIPAA?

BAA on Business+ only. The technical safeguards (encryption, audit logging, access control, secure backup) are the same as the default tier - the BAA is paperwork, not feature-gating. Email [email protected] to start.

Is there a self-host option?

Yes. The redirect tier and click-ingester are open source under Apache 2.0 with a Helm chart for Kubernetes. Customers run the redirect tier in their own VPC and point the dashboard at our control plane, or run the entire stack on-prem. The repo is the same code we run.

How do you notify customers about sub-processor changes?

Adding or replacing a sub-processor triggers a 30-day notice via in-app banner and email to every workspace admin. Customers can object before processing begins. The list at /legal/subprocessors is checked into a public git repo so changes appear in version-control history.

Where do you publish incidents and uptime?

Live status, recent incidents, and full post-mortems at /status. Incidents that affect security are also posted to [email protected] subscribers and to the Trust Center page within the SLA window defined in the DPA.

Contact

Have a security question?

[email protected] for vulnerability reports (PGP available). [email protected] for SOC 2 / ISO / DPA. We respond within one working day.

Security

Vulnerability reports, security.txt, PGP key. We respond within one working day.

[email protected]

Compliance

SOC 2 / ISO requests, DPA counter-signing, sub-processor notices, BAA process for HIPAA.

[email protected]

Sales

Enterprise procurement, security questionnaires, and custom-terms requests.

[email protected]

Ready when procurement is.

Pre-signed DPA, public sub-processor list, audit log on every plan. Start free or talk to sales for the security questionnaire shortcut.