Elido
Trust Center

Trust, written down.

Elido is hosted in the EU by default, GDPR-compliant, and built with integrated audit trails. Everything below is what we already do, not what we plan to do.

SOC 2 Type II
ISO 27001
GDPR
HIPAA-aware (Business)
EU-residency
Workspace region · pin once · irreversible at create
  • Frankfurt · FRA · eu-central-1
    EU residency · default

    Default for every workspace. Audit log, clicks, backups stay in-region. No DPF or Schrems II reliance.

  • Ashburn · IAD · us-east-1
    Opt-in

    Workspace creation only. Irreversible. For US-resident customers who want a US data path.

  • Singapore · SIN · ap-southeast-1
    Business+ · opt-in

    Workspace creation only. Irreversible. APAC residency for Business and Enterprise plans.

No cross-region replication for hot data (audit · clicks · backups)

5 · Sub-processors, public list
90d · Pro audit retention (7y on Business)
30d · DSAR SLA (5d expedited on Business)
0 · Cross-region transfers for hot data

What “trust” means in product terms

What we mean by trust

Each pillar maps to something concrete you can grep for in the audit log, the DPA, or our public infra repo. No marketing ambiguity.

EU residency, by default

Postgres, ClickHouse, Redis, MinIO: all in Frankfurt. Business plans can pin to Ashburn or Singapore. Free + Pro never leave the EU.

Audit trail on everything

Workspace settings, role changes, key rotations, link creations, deletions, exports. Every event has a who, a when and a what, and is exportable.

Read-only by default for AI

AI integrations receive scoped, rotating keys. Write/delete access is an explicit, audited workspace setting, not a default.

BYOK and customer-managed keys

Bring your own KMS for at-rest encryption on the Business plan. Rotate keys without re-encrypting cold storage.
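Rotating a key without re-encrypting cold storage works when the customer key only wraps per-object data keys (envelope encryption). The sketch below is an added example, not Elido's code: it uses a toy keystream cipher built from hashlib so it runs with the standard library alone (a real deployment would use AES-GCM with keys held in a KMS), and the `ColdStore` class, its field names and the sample object are hypothetical. It shows that a KEK rotation re-wraps every DEK, leaves every ciphertext byte-for-byte unchanged, and retires the old KEK so it can no longer unwrap anything.

```python
"""Envelope encryption: KEK rotation re-wraps DEKs, never the cold data.
Added example (toy cipher, hypothetical names), not Elido's implementation."""
import hashlib
import hmac
import os


def _subkeys(key: bytes):
    # Derive independent encryption and MAC keys from one master key.
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; stands in for AES here only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; wrong key -> ValueError."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ColdStore:
    """Hypothetical object store: each object carries its own DEK, wrapped
    under a versioned customer KEK. Only the wrapped DEK depends on the KEK."""

    def __init__(self, kek: bytes, kek_version: int = 1):
        self.keks = {kek_version: kek}   # versions still accepted for unwrapping
        self.current = kek_version
        self.objects = {}

    def put(self, name: str, plaintext: bytes) -> None:
        dek = os.urandom(32)             # fresh data key per object
        self.objects[name] = {
            "kek_version": self.current,
            "wrapped_dek": seal(self.keks[self.current], dek),
            "ciphertext": seal(dek, plaintext),
        }

    def get(self, name: str) -> bytes:
        obj = self.objects[name]
        dek = unseal(self.keks[obj["kek_version"]], obj["wrapped_dek"])
        return unseal(dek, obj["ciphertext"])

    def rotate_kek(self, new_kek: bytes) -> int:
        """Re-wrap every DEK under the new KEK; ciphertexts are not touched.
        The previous KEK is retired, so it can no longer unwrap any object."""
        new_version = self.current + 1
        self.keks[new_version] = new_kek
        for obj in self.objects.values():
            dek = unseal(self.keks[obj["kek_version"]], obj["wrapped_dek"])
            obj["wrapped_dek"] = seal(new_kek, dek)
            obj["kek_version"] = new_version
        del self.keks[self.current]
        self.current = new_version
        return new_version


if __name__ == "__main__":
    store = ColdStore(kek=os.urandom(32))
    store.put("clicks-2026-05.parquet", b"constructed cold data")   # constructed sample
    before = store.objects["clicks-2026-05.parquet"]["ciphertext"]
    store.rotate_kek(os.urandom(32))
    after = store.objects["clicks-2026-05.parquet"]["ciphertext"]
    print("ciphertext unchanged after rotation:", before == after)
    print("still readable:", store.get("clicks-2026-05.parquet"))
```

The cost of a rotation is one unwrap and one wrap per object (a few dozen bytes each), independent of object size, which is what makes rotation on cold storage cheap. Keeping a version tag on each object is what allows a rotation to be resumed safely if it is interrupted part-way.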

Anti-abuse pipeline

Every link goes through a composite scanner (URLhaus + Google Safe Browsing + heuristics) at creation and again in a rotating re-scan worker.

Sub-processor transparency

Full list, location and purpose. We notify about additions; opt-out routes are available for some.

Append-only audit log

Every state change is recorded.

Append-only is enforced at the database layer: the audit table grants only INSERT and SELECT to application roles, with no UPDATE or DELETE. Even our own admins can’t rewrite history without a migration that shows up in change control. Retention is 90 days on Pro and 7 years on Business — covering SOX, MiFID II, and HIPAA without an add-on.

  • Actor identity
    User ID or service principal, plus source IP and request ID
  • Before/after diff
    Structured JSON diff of the changed row — not just a text log line
  • SIEM firehose
    HMAC-signed webhook to Splunk / Datadog / ELK in real time
  • Tamper-evident
    Postgres GRANT enforcement; no UPDATE / DELETE for app roles
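On the receiving side, the value of an HMAC-signed firehose is only realised if the SIEM collector actually checks the signature before trusting the event. The following is an added example, not Elido's code: it assumes the signing scheme (hex HMAC-SHA256 over `<timestamp>.<raw body>`), the header names `X-Elido-Timestamp` and `X-Elido-Signature`, and a five-minute replay window, and the event body is constructed in the shape of the audit entry card shown below. It also computes the structured before/after field diff and the `+3 / -2` line count that card reports.

```python
"""Verify an HMAC-signed audit webhook and extract its before/after diff.
Added example: the header names, signing scheme and replay window are
assumptions, and SAMPLE_EVENT is constructed; none of this is Elido's code."""
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"whsec-constructed-example-secret"  # constructed, not a real secret
MAX_SKEW_SECONDS = 300          # assumed replay window
FIXED_NOW = 1_700_000_000       # fixed clock so the example is deterministic

# Constructed event mirroring the audit entry shown on the page
SAMPLE_EVENT = {
    "id": "evt_8c41a7",
    "type": "domain.claim",
    "workspace_id": "ws_8a2f",
    "actor": "admin@elido.app",
    "before": {"domain": "go.acme.eu", "status": "pending_dns",
               "tls_mode": "none", "workspace_id": "ws_8a2f"},
    "after": {"domain": "go.acme.eu", "status": "verified",
              "tls_mode": "on_demand", "verified_at": "2026-05-08T11:42:18Z",
              "workspace_id": "ws_8a2f"},
}
BODY = json.dumps(SAMPLE_EVENT, separators=(",", ":"), sort_keys=True).encode()


def sign(body: bytes, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    """Hex HMAC-SHA256 over '<timestamp>.<raw body>' (assumed scheme)."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_headers(body: bytes, timestamp: int, secret: bytes = SHARED_SECRET) -> dict:
    """Headers the sender would attach; the names are assumptions."""
    return {"X-Elido-Timestamp": str(timestamp),
            "X-Elido-Signature": sign(body, timestamp, secret)}


def verify(body: bytes, headers: dict, secret: bytes = SHARED_SECRET,
           now: Optional[float] = None) -> bool:
    """Reject missing, stale or mismatched signatures. The signature compare is
    constant-time; the timestamp bound limits replay of a captured delivery."""
    now = time.time() if now is None else now
    ts, sig = headers.get("X-Elido-Timestamp"), headers.get("X-Elido-Signature")
    if ts is None or sig is None:
        return False
    try:
        ts_int = int(ts)
    except ValueError:
        return False
    if abs(now - ts_int) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign(body, ts_int, secret), sig)


def diff_fields(before: dict, after: dict) -> dict:
    """Structured diff of one row: which keys were added, removed or changed."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def diff_line_counts(before: dict, after: dict) -> tuple:
    """(+lines, -lines) as a unified diff shows them: a changed key is one '-' and one '+'."""
    d = diff_fields(before, after)
    return (len(d["added"]) + len(d["changed"]), len(d["removed"]) + len(d["changed"]))


def ingest(body: bytes, headers: dict, now: Optional[float] = None) -> Optional[dict]:
    """Verify first, parse second. Returns the event with its diff, or None if rejected."""
    if not verify(body, headers, now=now):
        return None
    event = json.loads(body)
    event["diff"] = diff_fields(event["before"], event["after"])
    return event


if __name__ == "__main__":
    hdrs = make_headers(BODY, FIXED_NOW)
    print(ingest(BODY, hdrs, now=FIXED_NOW)["diff"])          # genuine delivery
    print(ingest(BODY + b" ", hdrs, now=FIXED_NOW))            # tampered body -> None
    print(diff_line_counts(SAMPLE_EVENT["before"], SAMPLE_EVENT["after"]))  # (3, 2)
```

Two details matter for a collector: verify over the raw request bytes, not over a re-serialised JSON object (re-serialisation changes whitespace and key order and breaks the MAC), and compare digests with `hmac.compare_digest` rather than `==` so the comparison does not leak how many leading bytes matched.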
Audit entry · evt_8c41a7
domain.claim · ws_8a2f
Actor
admin@elido.app
Timestamp (UTC)
2026-05-08T11:42:18Z
Source IP
203.0.113.42 · DE
Source
dashboard · req_a4f9c1
  {
    "domain": "go.acme.eu",
-   "status": "pending_dns",
+   "status": "verified",
-   "tls_mode": "none",
+   "tls_mode": "on_demand",
+   "verified_at": "2026-05-08T11:42:18Z",
    "workspace_id": "ws_8a2f"
  }
Event type
domain.claim
Diff lines
+3 / -2
Retention
7 years (Business)
Append-only · enforced by Postgres GRANT
Streamed to SIEM

Data subject access requests

Subject rights via API.

You receive a subject request from your end user. You forward it via the dashboard or API as a controller-on-behalf-of-subject request — Elido authenticates the controller (you), not the subject. The bundle is a signed zip: identity record, links, audit-log entries where the subject is the actor, billing receipts if the subject is a workspace owner. Standard SLA is 30 days; Business expedited returns inside 5 business days.

  1. Subject request · End user → controller (you)

     Subject contacts you. You authenticate them in your own product, not in Elido.

  2. DSAR API call · POST /v1/dsar

     Forward as a controller-on-behalf request with subject email + request type (export / erase).

  3. Workspace bundle · signed zip · JSON + CSV

     Identity, links, audit-log entries where subject is actor, billing if owner, anonymised click metadata.

  4. SLA · 30 days · 5 days expedited

     Standard SLA on every plan; Business expedited tier returns inside 5 business days.

Five sub-processors, listed publicly

Five vendors. Listed publicly.

The full list with vendor location, processing purpose, data categories, and DPA reference URL lives at /legal/subprocessors and is checked into the public docs repo, so changes appear in git history. Adding or replacing a sub-processor triggers a 30-day notice to every workspace admin via in-app banner and email before processing begins, so customers can object. monobank Plata replaced LiqPay under ADR-0026 in 2026-05.

Sub-processor fan-out · workspace data flow
5 vendors · public list
Your workspace
ws_xxxx
eu-central-1 (default)
  • Hetzner · ISO 27001
    Compute · primary infra
    EU · Frankfurt + Helsinki
  • OVH · ISO 27001 · SOC 2
    Compute · Business region pins
    EU + APAC POPs
  • Postmark · SOC 2 Type II
    Transactional email
    EU (opt-out for EU-only)
  • monobank Plata · PCI DSS L1
    Payments · replaced LiqPay (ADR-0026)
    EU
  • Cloudflare · ISO 27001 · SOC 2
    Marketing proxy + WAF (not redirect path)
    Global
Adding a vendor triggers a 30-day customer notice · /legal/subprocessors

Compliance posture

Where we stand on the frameworks customers ask about.

No future-tense claims. Each row says what is shipped today, what’s in observation, and what’s available as an add-on under contract.

Achieved

ISO 27001

Information security management system, certified scope covers the full Elido platform.

In progress

SOC 2 Type II

Observation period running through H2 2026. Type I report available under NDA today.

Default

GDPR

EU residency by default, pre-signed DPA with standard SCCs, public sub-processor list.

Available

HIPAA-ready

BAA on Business+ with encryption, audit logging, and access controls already wired.

Default

EU residency

Postgres, ClickHouse, Redis, MinIO — all in Frankfurt. No reliance on Schrems II / DPF.

Default

Encryption

AES-256 at rest, TLS 1.3 in transit, KMS-backed key rotation. BYOK on Business.

Compliance FAQ

The questions procurement keeps emailing us.

Do you sign a DPA?

Yes. Our standard DPA is pre-signed with EU SCCs and downloadable from /legal/dpa. No negotiation needed for default terms — paid plans get it counter-signed automatically. Custom redlines are available on Business and Enterprise.

How many sub-processors do you use?

Five: Hetzner (compute, EU), OVH (compute, EU + APAC for region pins), Postmark (transactional email, EU), monobank Plata (payments, EU — replaced LiqPay under ADR-0026), and Cloudflare (marketing proxy + WAF; never on the redirect path). The full list with location, purpose, and DPA reference is at /legal/subprocessors.

Is region pinning available on every plan?

EU residency is the default for every workspace, on every plan, and never changes. Opt-in pinning to us-east-1 (Ashburn) or ap-southeast-1 (Singapore) is workspace-only, irreversible at create time, and gated to Business and Enterprise plans.

What's the DSAR turnaround?

30 days standard SLA on every plan. Business and Enterprise get a 5-business-day expedited tier. DSARs are filed via API or dashboard (POST /v1/dsar): you authenticate the subject, we authenticate you as the controller, and the bundle ships as a signed zip with identity, links, audit-log entries, and billing records.

How do BAAs work for HIPAA?

BAA on Business+ only. The technical safeguards (encryption, audit logging, access control, secure backup) are the same as the default tier — the BAA is paperwork, not feature-gating. Email compliance@elido.app to start.

Is there a self-host option?

Yes. The redirect tier and click-ingester are open source under Apache 2.0 with a Helm chart for Kubernetes. Customers run the redirect tier in their own VPC and point the dashboard at our control plane, or run the entire stack on-prem. The repo is the same code we run.

How do you notify customers about sub-processor changes?

Adding or replacing a sub-processor triggers a 30-day notice via in-app banner and email to every workspace admin. Customers can object before processing begins. The list at /legal/subprocessors is checked into a public git repo so changes appear in version-control history.

Where do you publish incidents and uptime?

Live status, recent incidents, and full post-mortems at /status. Incidents that affect security are also posted to security@elido.app subscribers and to the Trust Center page within the SLA window defined in the DPA.

Contact

Have a security question?

security@elido.app for vulnerability reports (PGP available). compliance@elido.app for SOC 2 / ISO / DPA. We respond within one working day.

Security

Vulnerability reports, security.txt, PGP key. We respond within one working day.

security@elido.app

Compliance

SOC 2 / ISO requests, DPA counter-signing, sub-processor notices, BAA process for HIPAA.

compliance@elido.app

Sales

Enterprise procurement, security questionnaires, and custom-terms requests.

sales@elido.app

Ready when procurement is.

Pre-signed DPA, public sub-processor list, audit log on every plan. Start free or talk to sales for the security questionnaire shortcut.

Trust Center · Elido