Elido
Pick the angle that fits your team
For compliance-driven teams

The shortener your DPO won’t push back on.

You measure DSAR turnaround, SOC 2 evidence freshness, and how many vendor questions a sales cycle costs. Elido is the shortener your DPO won't push back on.

  • EU-default eu-central-1 region for every workspace
  • Append-only audit log enforced at the Postgres GRANT layer
  • 5 sub-processors, all listed publicly with location + purpose
  • DSAR API with 30-day SLA (5-day expedited on Business)
Workspace region · pin once · irreversible at create
  • Frankfurt · FRA · eu-central-1
    EU residency · default

    Default for every workspace. Audit log, clicks, backups stay in-region. No DPF or Schrems II reliance.

  • Ashburn · IAD · us-east-1
    Opt-in

    Workspace creation only. Irreversible. For US-resident customers who want US data path.

  • Singapore · SIN · ap-southeast-1
    Business+ · opt-in

    Workspace creation only. Irreversible. APAC residency for Business and Enterprise plans.

No cross-region replication for hot data (audit · clicks · backups)

5 sub-processors · EU-only default residency · <30d DSAR SLA · 7y audit retention

Append-only audit log

Every state change. Actor, IP, before/after diff, source.

Append-only is enforced at the database layer: the audit table grants only INSERT and SELECT to application roles, with no UPDATE or DELETE. Even our own admins can’t rewrite history without a migration that shows up in change control. Retention is 90 days on Pro and 7 years on Business — covering SOX, MiFID II, and HIPAA without an add-on.

  • Actor identity
    User ID or service principal, plus source IP and request ID
  • Before/after diff
    Structured JSON diff of the changed row — not just a text log line
  • SIEM firehose
    HMAC-signed webhook to Splunk / Datadog / ELK in real time
  • Tamper-evident
    Postgres GRANT enforcement; no UPDATE / DELETE for app roles
Security overview →
Audit entry · evt_8c41a7
domain.claim · ws_8a2f
Actor
admin@elido.app
Timestamp (UTC)
2026-05-08T11:42:18Z
Source IP
203.0.113.42 · DE
Source
dashboard · req_a4f9c1
  {
    "domain": "go.acme.eu",
-   "status": "pending_dns",
+   "status": "verified",
-   "tls_mode": "none",
+   "tls_mode": "on_demand",
+   "verified_at": "2026-05-08T11:42:18Z",
    "workspace_id": "ws_8a2f"
  }
Event type
domain.claim
Diff lines
+3 / -2
Retention
7 years (Business)
Append-only · enforced by Postgres GRANT · Streamed to SIEM

Data subject access requests

DSAR, not support ticket. API call, signed bundle, SLA clock.

You receive a subject request from your end user. You forward it via the dashboard or API as a controller-on-behalf-of-subject request — Elido authenticates the controller (you), not the subject. The bundle is a signed zip: identity record, links, audit-log entries where the subject is the actor, billing receipts if the subject is a workspace owner. Standard SLA is 30 days; Business expedited returns inside 5 business days.

  1. Step 1

    Subject request

    End user → controller (you)

    Subject contacts you. You authenticate them in your own product, not in Elido.

  2. Step 2

    DSAR API call

    POST /v1/dsar

    Forward as a controller-on-behalf request with subject email + request type (export / erase).

  3. Step 3

    Workspace bundle

    signed zip · JSON + CSV

    Identity, links, audit-log entries where subject is actor, billing if owner, anonymised click metadata.

  4. Step 4

    SLA

    30 days · 5 days expedited

    Standard SLA on every plan; Business expedited tier returns inside 5 business days.

Five sub-processors, listed publicly

Hetzner, OVH, Postmark, monobank Plata, Cloudflare. That’s the list.

The full list with vendor location, processing purpose, data categories, and DPA reference URL lives at /legal/subprocessors and is checked into the public docs repo, so changes appear in git history. Adding or replacing a sub-processor triggers a 30-day notice to every workspace admin via in-app banner and email before processing begins, so customers can object. monobank Plata replaced LiqPay under ADR-0026 in 2026-05.

Sub-processor fan-out · workspace data flow
5 vendors · public list
Your workspace
ws_xxxx
eu-central-1 (default)
  • Hetzner · ISO 27001
    Compute · primary infra
    EU · Frankfurt + Helsinki
  • OVH · ISO 27001 · SOC 2
    Compute · Business region pins
    EU + APAC POPs
  • Postmark · SOC 2 Type II
    Transactional email
    EU (opt-out for EU-only)
  • monobank Plata · PCI DSS L1
    Payments · replaced LiqPay (ADR-0026)
    EU
  • Cloudflare · ISO 27001 · SOC 2
    Marketing proxy + WAF (not redirect path)
    Global
Adding a vendor triggers a 30-day customer notice · /legal/subprocessors

What you can put on the procurement deck

  • EU-default eu-central-1 region for every workspace
  • Append-only audit log enforced at the Postgres GRANT layer
  • 5 sub-processors, all listed publicly with location + purpose
  • DSAR API with 30-day SLA (5-day expedited on Business)
  • ISO 27001 achieved · SOC 2 Type II in progress (H2 2026)
  • HIPAA-ready BAA on Business+ with safeguards already wired

What 'compliance' looks like in product

Most shorteners answer compliance questions with a one-pager and a vendor questionnaire. The features below are what's actually wired in code, not promises in a procurement deck.

01 · Data residency

EU-default, region-pinned per workspace

Frankfurt (eu-central-1) is the default region for every new workspace. Click events in ClickHouse, link metadata in Postgres, audit-log entries, scheduled exports in MinIO, and the Redis hot cache all stay in-region unless an admin pins the workspace to Ashburn or Singapore at creation. The pin is set once and is irreversible — workspaces don't migrate, because moving a tenant invalidates signed sub-processor flow-down clauses. There is no cross-region replication for hot data; daily backups are encrypted at rest with AWS KMS and stored in the same region as the source. The Data Privacy Framework is not part of our compliance story — we don't rely on US-EU transfer mechanics because EU-pinned workspaces never cross the Atlantic. The edge-redirect POPs serve cached redirect data only; click events fire-and-forget back to the source region's Redpanda cluster.

02 · Audit trail

Append-only log of every state change

Workspace settings, API key issuance and rotation, member invites and role changes, custom-domain claims, branding edits, billing-plan changes, region pins, and link create / update / delete — every state-changing mutation lands in the audit log with actor (user ID or service principal), UTC timestamp, before/after JSON diff, source IP, and request ID linking back to api-core. Retention is 90 days on Pro and 7 years on Business; Business covers most regulated retention requirements (SOX, HIPAA, MiFID II) without add-on. Both tiers stream the firehose to a SIEM (Splunk, Datadog, ELK) via signed webhook, with replay-from-cursor on reconnect. Tampering is prevented by an append-only constraint at the Postgres layer — the table grants only INSERT and SELECT to application roles, no UPDATE or DELETE. An admin cannot rewrite history without a migration that shows up in change control.
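The GRANT-level enforcement described in this section and in the audit-entry card above, as an added example that is not Elido's own schema: the role names (audit_owner, elido_app), the table name (audit_log) and its columns are assumed for illustration.

```sql
-- Added example, not Elido's own schema: an audit table whose application
-- role can only INSERT and SELECT, enforced by Postgres GRANTs.
-- Role and table names (audit_owner, elido_app, audit_log) are assumed.

CREATE ROLE audit_owner NOLOGIN;     -- owns the table; only migrations run as it
CREATE ROLE elido_app LOGIN;         -- role the application connects with

CREATE TABLE audit_log (
    id           bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    event_type   text        NOT NULL,            -- e.g. domain.claim
    workspace_id text        NOT NULL,
    actor        text        NOT NULL,            -- user id or service principal
    source_ip    inet,
    request_id   text,
    occurred_at  timestamptz NOT NULL DEFAULT now(),
    before       jsonb,                           -- row state before the change
    after        jsonb                            -- row state after the change
);
ALTER TABLE audit_log OWNER TO audit_owner;

-- Start from no privileges, then grant only what the app needs. The identity
-- column needs no separate sequence grant, so nothing else is opened up.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT SELECT, INSERT ON audit_log TO elido_app;

-- Check 1: list every privilege the app role holds on the table; UPDATE,
-- DELETE and TRUNCATE must not appear in the result.
SELECT privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'elido_app' AND table_name = 'audit_log';

-- Check 2: the same test as one boolean, usable from a CI or evidence job.
SELECT has_table_privilege('elido_app', 'audit_log', 'UPDATE')
    OR has_table_privilege('elido_app', 'audit_log', 'DELETE')
    OR has_table_privilege('elido_app', 'audit_log', 'TRUNCATE') AS app_can_rewrite;

-- Check 3: exercise the control as the app role. The INSERT is permitted;
-- the UPDATE and DELETE are refused by the GRANT layer, not by app code.
SET ROLE elido_app;
INSERT INTO audit_log (event_type, workspace_id, actor, before, after)
VALUES ('domain.claim', 'ws_8a2f', 'admin@elido.app',
        '{"status": "pending_dns"}', '{"status": "verified"}');
UPDATE audit_log SET after = '{}'::jsonb WHERE id = 1;
DELETE FROM audit_log WHERE id = 1;
RESET ROLE;
```

GRANTs bind only non-owner, non-superuser roles: the table owner and any superuser can still rewrite rows, which is why the owner role is NOLOGIN and only migrations run as it. Anyone reviewing evidence should also confirm the application's connection does not use the owner role or a superuser.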

03 · Sub-processor transparency

Five vendors, all listed publicly

We use exactly five sub-processors and the list is published in full: Hetzner (compute, Frankfurt + Helsinki, ISO 27001), OVH (compute, EU + APAC POPs for Business region pins, ISO 27001), Postmark (transactional email; EU-only workspaces can opt out, which disables Postmark traffic at the workspace level), monobank Plata (payments, EU — replaced LiqPay under ADR-0026), and Cloudflare (proxy + WAF for marketing surfaces only; not on the redirect hot path). The full list with vendor location, processing purpose, data categories, and DPA reference URL lives at /legal/subprocessors and is checked into the public docs repo, so changes appear in git history. Adding or replacing a sub-processor triggers a 30-day notice to every workspace admin via in-app banner and email before processing begins, so customers can object. The list is reviewed each quarter under our vendor-risk cycle.

04 · DSAR & data subject rights

Export and erase via API, not a support ticket

The DSAR API returns a per-subject bundle as JSON plus CSV in a signed zip. Contents: identity record (email, name, locale, last login), the subject's links with UTM templates and tags, audit-log entries where the subject is the actor, billing receipts and plan history if the subject is a workspace owner, and click-event metadata resolving to the subject — typically none, because clicks are anonymised at ingest in click-ingester (truncated IP, hashed user-agent, no cookie persistence) unless the workspace has explicitly enabled per-link PII tracking. Erasure is a soft-delete that flags the row, hides it from queries, and stops new processing within seconds; a 30-day window allows recovery before the hard purge sweeps primary Postgres, every read replica, and the encrypted nightly backups. Standard SLA is 30 days; Business expedited tier turns the bundle around in 5 business days.

05 · Compliance posture

SOC 2 Type II, ISO 27001, HIPAA-ready

ISO 27001 is achieved and the certificate is downloadable from /trust under NDA. SOC 2 Type II audit is in progress with an H2 2026 target — the control set is already operational (access reviews, change-management tickets, vulnerability-scan cadence, incident drills, vendor-risk reviews), so the long pole is the observation window, not the program. Type 1 evidence is shareable today on request; Type 2 reports release publicly once the auditor signs. HIPAA-ready on Business+ means we sign a BAA covering Elido as a business associate, with the safeguards already wired: AES-256 at rest via AWS KMS, TLS 1.3 in transit, the append-only audit trail, RBAC, scoped API keys, and a documented 72-hour breach-notification procedure. HIPAA itself is industry self-attestation — the BAA plus safeguards are what auditors ask for. Posture changes show in /changelog the day they ship.

Stack you’ll evidence

  • EU residency
  • GDPR DPA
  • SOC 2 Type II (in progress)
  • ISO 27001
  • Audit log + SIEM firehose
  • DSAR API

What your DPO measures

Sub-processor count · 5, EU-only by default
DSAR response · Under 30 days
Audit log retention · 7 years on Business

Compliance teams running on this

Names are placeholders for now — real customer names land here as case studies are published.

We had to leave Bitly when our auditor flagged the US sub-processor list. Elido's EU-only default cleared procurement in two weeks; before, we couldn't get past 'show me the DPA' on the previous vendor.

Mid-market fintech, Frankfurt · Data Protection Officer

BAA on Business was the difference. Plus the audit log streams directly into our Datadog SIEM — we didn't have to write a sync layer ourselves.

Healthcare SaaS, Munich · Head of Security

Schrems II disqualified four shorteners we evaluated. Elido was the only one whose answer to 'where is the data?' was 'in the country you said'. That's the entire bar.

Government contractor, Brussels · Information Governance Lead

What changes when compliance is the buyer

If your DPO is reviewing the vendor, these are the questions they'll ask. Honest answers across three options.

Capability | Elido | Bitly Enterprise | Generic shortener
Default data residency | EU (Frankfurt) for every workspace | US default; EU opt-in on Enterprise | Region depends on plan tier
DPF / Schrems II reliance | None — no US data path | DPF-listed; relies on transfer mechanism | Mixed; depends on sub-processors
Sub-processor count | 5, all listed publicly | 20+ across plan tiers | Not published
DPA signing | Pre-signed, downloadable | Manual countersign on request | On request, paid plans only
Audit log retention | 7 years on Business | 1 year default | 30-90 days
Audit log → SIEM streaming | Webhook firehose, real-time | Daily export only | Manual download
DSAR fulfillment | API; <30d standard, <5d expedited | Support ticket; 30d | Support ticket; SLA varies
BAA / HIPAA support | Yes on Business+ | Enterprise add-on | No
SOC 2 / ISO 27001 | ISO 27001; SOC 2 Type II in progress | Both, mature | Neither

Common questions from procurement

Where exactly is our data stored?

EU-Central (Frankfurt) by default. Postgres, ClickHouse (clickstream), Redis (cache), MinIO (asset storage), and backups all sit in eu-central-1. No data is replicated to US or APAC unless an admin explicitly pins the workspace to Ashburn or Singapore at creation — which is a deliberate, irreversible choice (workspaces don't migrate regions). The full architecture is in /docs/strategy/ARCHITECTURE.md, checked into the public repo.

Are you in scope for SOC 2 / ISO 27001?

ISO 27001 is achieved. SOC 2 Type II audit is underway with H2 2026 target — the controls and evidence are already operational, the audit period is the long pole. We share Type 1 evidence on request under NDA today; Type 2 reports release publicly when ready. Trust Center at /trust tracks current state.

Do you sign a DPA?

Pre-signed and downloadable from /legal/dpa. The DPA references our sub-processor list at /legal/subprocessors as a living document; sub-processor changes give 30 days' customer notice. If you need redlines, that's a Business+ contract conversation; defaults are usually accepted by EU DPOs without modification.

How many sub-processors are involved?

Five: Hetzner (compute, EU), OVH (compute, EU + APAC for non-EU customers), Postmark (transactional email — opt out for EU-only), monobank Plata (payments, EU — replaced LiqPay under ADR-0026), Cloudflare (proxy + WAF, global). Locations and purpose for each are at /legal/subprocessors. Adding a sub-processor triggers a 30-day customer notice; we don't backfill them quietly.

Can we BYO HSM / KMS for encryption keys?

Yes on the self-hosted edition. SaaS Elido encrypts at rest with AWS KMS (per region) and in transit with TLS 1.3; we don't currently support customer-managed KMS on the multi-tenant SaaS. Self-host (Helm chart, Apache 2.0 licensed) lets you point at your own KMS / Vault / HSM.

What's the breach notification SLA?

Confirmed personal-data breaches: 24 hours customer notification, 72 hours regulator notification (GDPR Art. 33). Notification covers what we know at that point; we don't wait for full forensics. Process is in our Trust Center at /trust/incident-response.

Do you fulfill DSARs from end users (data subjects), not just from us as the customer?

We act on instructions from the controller (you, the customer). End users contact you; you forward the request via the dashboard or API and we fulfil. We don't directly accept DSARs from end users because we'd have no way to authenticate them as a subject of your workspace — that auth is yours.

Can the audit log be tampered with by an Elido admin?

No. The log is append-only at the database layer; even our own admins can't edit historical entries. Deletion of old entries past the retention window is automated and logs a 'retention purge' meta-event so the gap is itself auditable. Live tampering would require a database-level intrusion that bypasses our application code, which is the same threat model as any other table corruption — covered by RLS and our SOC 2 controls.

Do you have a public security.txt / coordinated-disclosure policy?

Yes — security.txt at /.well-known/security.txt; coordinated disclosure policy at /trust/disclosure. Bug bounty is run via HackerOne (private program; reach out via security@elido.app for an invite if you have an unreported finding).

What happens at contract end? How do we get our data out?

Full data export at any time via the API or a one-off support request. JSON + CSV bundle covering links, click events (raw or aggregated, your choice), audit log, members, settings, branding. After contract end we hold for 30 days for accidental-cancellation recovery, then hard-purge from primary, replicas, and backups. We can issue a written purge confirmation if your DPA requires one.

Not sure which angle fits?

Most teams start as one and grow into all four. Our sales team can walk through your specific stack in 20 minutes.

For compliance-driven teams — EU residency, audit-by-default, sub-processors written down. · Elido