Elido
Trust Center

Trust, written down.

Elido is EU-hosted by default, GDPR-friendly, and built with audit trails baked in. Everything below is what we already do — not what we plan to.

SOC 2 Type II · ISO 27001 · GDPR · HIPAA-aware (Business) · EU residency

Workspace region · pin once · irreversible at create
  • Frankfurt · FRA · eu-central-1
    EU residency · default

    Default for every workspace. Audit log, clicks, backups stay in-region. No DPF or Schrems II reliance.

  • Ashburn · IAD · us-east-1
    Opt-in

    Workspace creation only. Irreversible. For US-resident customers who want a US data path.

  • Singapore · SIN · ap-southeast-1
    Business+ · opt-in

    Workspace creation only. Irreversible. APAC residency for Business and Enterprise plans.

No cross-region replication for hot data · audit · clicks · backups

  • 5 · Sub-processors, public list
  • 90d · Pro audit retention (7y on Business)
  • 30d · DSAR SLA (5d expedited on Business)
  • 0 · Cross-region transfers for hot data

What “trust” means in product terms

What we mean by trust

Each pillar maps to something concrete you can grep for in the audit log, the DPA, or our public infra repo. No marketing ambiguity.

EU residency, by default

Postgres, ClickHouse, Redis, MinIO — all in Frankfurt. Business plans can pin to Ashburn or Singapore. Free + Pro never leave the EU.

Audit trail on everything

Workspace settings, role changes, key rotations, link creates, deletions, exports. Every event has a who, when, and what — exportable.

Read-only by default for AI

AI integrations get scoped, rotatable keys. Write/delete access is an explicit, audited workspace setting — not a default.

BYOK and customer-managed keys

Bring your own KMS for at-rest encryption on Business. Rotate keys without re-encrypting cold storage.

Anti-abuse pipeline

Every link runs through a composite scanner (URLhaus + Google Safe Browsing + heuristics) on create and again on a rolling re-scan worker.

Sub-processor transparency

Full list, location, and purpose. We notify on additions; opt-out routes available for some.

Append-only audit log

Every state change is recorded.

Append-only is enforced at the database layer: the audit table grants only INSERT and SELECT to application roles, with no UPDATE or DELETE. Even our own admins can’t rewrite history without a migration that shows up in change control. Retention is 90 days on Pro and 7 years on Business — covering SOX, MiFID II, and HIPAA without an add-on.

  • Actor identity
    User ID or service principal, plus source IP and request ID
  • Before/after diff
    Structured JSON diff of the changed row — not just a text log line
  • SIEM firehose
    HMAC-signed webhook to Splunk / Datadog / ELK in real time
  • Tamper-evident
    Postgres GRANT enforcement; no UPDATE / DELETE for app roles
Audit entry · evt_8c41a7 · domain.claim · ws_8a2f

  • Actor: admin@elido.app
  • Timestamp (UTC): 2026-05-08T11:42:18Z
  • Source IP: 203.0.113.42 · DE
  • Source: dashboard · req_a4f9c1
  • Event type: domain.claim
  • Diff lines: +3 / -2
  • Retention: 7 years (Business)

    {
      "domain": "go.acme.eu",
  -   "status": "pending_dns",
  +   "status": "verified",
  -   "tls_mode": "none",
  +   "tls_mode": "on_demand",
  +   "verified_at": "2026-05-08T11:42:18Z",
      "workspace_id": "ws_8a2f"
    }

Append-only · enforced by Postgres GRANT · Streamed to SIEM
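As an added illustration of two of the bullets above (the structured before/after diff and the HMAC-signed SIEM webhook), not Elido's own code: the sample rows are the evt_8c41a7 entry shown above, while the signature header format (`t=<unix ts>,v1=<hex>`) and the shared secret are assumptions rather than Elido's documented format.

```python
import hashlib
import hmac
import json

# Constructed sample: the before/after rows of the evt_8c41a7 audit entry above.
BEFORE = {"domain": "go.acme.eu", "status": "pending_dns", "tls_mode": "none",
          "workspace_id": "ws_8a2f"}
AFTER = {"domain": "go.acme.eu", "status": "verified", "tls_mode": "on_demand",
         "verified_at": "2026-05-08T11:42:18Z", "workspace_id": "ws_8a2f"}


def row_diff(before: dict, after: dict) -> dict:
    """Structured diff of one row: per key, whether it was added, removed or changed."""
    diff = {}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            diff[key] = {"op": "add", "new": after[key]}
        elif key not in after:
            diff[key] = {"op": "remove", "old": before[key]}
        elif before[key] != after[key]:
            diff[key] = {"op": "change", "old": before[key], "new": after[key]}
    return diff


def diff_line_counts(diff: dict) -> tuple:
    """'+N / -M' as on the entry card: add/change emit a '+' line, remove/change a '-' line."""
    plus = sum(1 for d in diff.values() if d["op"] in ("add", "change"))
    minus = sum(1 for d in diff.values() if d["op"] in ("remove", "change"))
    return plus, minus


def sign_event(secret: bytes, event: dict, ts: int) -> tuple:
    """Sender side: canonical JSON body plus a timestamp-bound HMAC-SHA256 (assumed format)."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(secret, f"{ts}.{body}".encode(), hashlib.sha256).hexdigest()
    return body, f"t={ts},v1={mac}"


def verify_event(secret: bytes, body: str, sig_header: str, now: int, max_skew: int = 300) -> bool:
    """Receiver (SIEM) side: reject stale timestamps (replay) and compare MACs in constant time."""
    try:
        fields = dict(part.split("=", 1) for part in sig_header.split(","))
        ts = int(fields["t"])
    except (ValueError, KeyError):
        return False
    if abs(now - ts) > max_skew:
        return False
    expected = hmac.new(secret, f"{ts}.{body}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fields.get("v1", ""))
```

The body is verified byte-for-byte as received; re-serialising the JSON before checking would let an attacker-controlled but semantically equal document pass.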

Data subject access requests

Subject rights via API.

You receive a subject request from your end user. You forward it via the dashboard or API as a controller-on-behalf-of-subject request — Elido authenticates the controller (you), not the subject. The bundle is a signed zip: identity record, links, audit-log entries where the subject is the actor, billing receipts if the subject is a workspace owner. Standard SLA is 30 days; Business expedited returns inside 5 business days.

  1. Subject request · End user → controller (you)
     Subject contacts you. You authenticate them in your own product, not in Elido.

  2. DSAR API call · POST /v1/dsar
     Forward as a controller-on-behalf request with subject email + request type (export / erase).

  3. Workspace bundle · signed zip · JSON + CSV
     Identity, links, audit-log entries where subject is actor, billing if owner, anonymised click metadata.

  4. SLA · 30 days · 5 days expedited
     Standard SLA on every plan; Business expedited tier returns inside 5 business days.

Five sub-processors, listed publicly

Five vendors. Listed publicly.

The full list with vendor location, processing purpose, data categories, and DPA reference URL lives at /legal/subprocessors and is checked into the public docs repo, so changes appear in git history. Adding or replacing a sub-processor triggers a 30-day notice to every workspace admin via in-app banner and email before processing begins, so customers can object. monobank Plata replaced LiqPay under ADR-0026 in 2026-05.

Sub-processor fan-out · workspace data flow · 5 vendors · public list

Your workspace · ws_xxxx · eu-central-1 (default)

  • Hetzner · ISO 27001
    Compute · primary infra
    EU · Frankfurt + Helsinki
  • OVH · ISO 27001 · SOC 2
    Compute · Business region pins
    EU + APAC POPs
  • Postmark · SOC 2 Type II
    Transactional email
    EU (opt-out for EU-only)
  • monobank Plata · PCI DSS L1
    Payments · replaced LiqPay (ADR-0026)
    EU
  • Cloudflare · ISO 27001 · SOC 2
    Marketing proxy + WAF (not redirect path)
    Global

Adding a vendor triggers a 30-day customer notice · /legal/subprocessors

Compliance posture

Where we stand on the frameworks customers ask about.

No future-tense claims. Each row says what is shipped today, what’s in observation, and what’s available as an add-on under contract.

  • ISO 27001 · Achieved
    Information security management system; certified scope covers the full Elido platform.

  • SOC 2 Type II · In progress
    Observation period running through H2 2026. Type I report available under NDA today.

  • GDPR · Default
    EU residency by default, pre-signed DPA with standard SCCs, public sub-processor list.

  • HIPAA-ready · Available
    BAA on Business+ with encryption, audit logging, and access controls already wired.

  • EU residency · Default
    Postgres, ClickHouse, Redis, MinIO — all in Frankfurt. No reliance on Schrems II / DPF.

  • Encryption · Default
    AES-256 at rest, TLS 1.3 in transit, KMS-backed key rotation. BYOK on Business.

Compliance FAQ

The questions procurement keeps emailing us.

Do you sign a DPA?

Yes. Our standard DPA is pre-signed with EU SCCs and downloadable from /legal/dpa. No negotiation needed for default terms — paid plans get it counter-signed automatically. Custom redlines are available on Business and Enterprise.

How many sub-processors do you use?

Five: Hetzner (compute, EU), OVH (compute, EU + APAC for region pins), Postmark (transactional email, EU), monobank Plata (payments, EU — replaced LiqPay under ADR-0026), and Cloudflare (marketing proxy + WAF; never on the redirect path). The full list with location, purpose, and DPA reference is at /legal/subprocessors.

Is region pinning available on every plan?

EU residency is the default for every workspace, on every plan, and never changes. Opt-in pinning to us-east-1 (Ashburn) or ap-southeast-1 (Singapore) is workspace-only, irreversible at create time, and gated to Business and Enterprise plans.

What's the DSAR turnaround?

30 days standard SLA on every plan. Business and Enterprise get a 5-business-day expedited tier. DSARs are filed via API or dashboard (POST /v1/dsar) — you authenticate the subject, we authenticate you as the controller, and the bundle ships as a signed zip with identity, links, audit-log entries, and billing records.

How do BAAs work for HIPAA?

BAA on Business+ only. The technical safeguards (encryption, audit logging, access control, secure backup) are the same as the default tier — the BAA is paperwork, not feature-gating. Email compliance@elido.app to start.

Is there a self-host option?

Yes. The redirect tier and click-ingester are open source under Apache 2.0 with a Helm chart for Kubernetes. Customers run the redirect tier in their own VPC and point the dashboard at our control plane, or run the entire stack on-prem. The repo is the same code we run.

How do you notify customers about sub-processor changes?

Adding or replacing a sub-processor triggers a 30-day notice via in-app banner and email to every workspace admin. Customers can object before processing begins. The list at /legal/subprocessors is checked into a public git repo so changes appear in version-control history.

Where do you publish incidents and uptime?

Live status, recent incidents, and full post-mortems at /status. Incidents that affect security are also posted to security@elido.app subscribers and to the Trust Center page within the SLA window defined in the DPA.

Contact

Have a security question?

security@elido.app for vulnerability reports (PGP available). compliance@elido.app for SOC 2 / ISO / DPA. We respond within one working day.

Security

Vulnerability reports, security.txt, PGP key. We respond within one working day.

security@elido.app

Compliance

SOC 2 / ISO requests, DPA counter-signing, sub-processor notices, BAA process for HIPAA.

compliance@elido.app

Sales

Enterprise procurement, security questionnaires, and custom-terms requests.

sales@elido.app

Ready when procurement is.

Pre-signed DPA, public sub-processor list, audit log on every plan. Start free or talk to sales for the security questionnaire shortcut.
