Production-grade. ISO 27001-aligned. EU-sovereign by default.
The technical and data-handling evidence your architecture and security review needs — verifiable, documentable, and built in from layer one.
Evidence, not assurances.
Verifiable, documentable security posture — every claim below is backed by an artifact your team can file.
ISO 27001
Information-security management certified and audited — controls mapped to Annex A, evidenced on request.
GDPR-native
Privacy-by-design and by-default. Lawful-basis mapping, DPIA support, data-subject workflows built in.
SOC 2-aligned controls
Security, availability and confidentiality controls aligned to SOC 2 trust criteria.
Independent pen-testing
Annual third-party penetration testing and continuous dependency scanning across the stack.
Your data stays under European jurisdiction.
Production data is EU-resident by default and outside the reach of the US CLOUD Act. For the highest-trust workloads we deploy inside your own perimeter.
No black boxes. No silent hops.
You can see exactly where data goes, why, and under what control — our answer to the concern that AI data flows are opaque.
Governed data contracts
Every data movement is an explicit, documented contract. No silent multi-provider relays, no shadow copies. Your DPO can read the full map.
End-to-end lineage
Every model decision logs its inputs, version and policy gate — auditor-grade lineage you can replay, not a black box.
In transit & at rest
TLS 1.3 in transit, AES-256 at rest, customer-managed keys (BYOK/HYOK) where required.
Least-privilege access
Identity inherits from your IdP. Access is role-scoped, time-boxed and fully audited — no standing admin.
Four layers, governed end to end.
Security is architected in from layer one — not bolted on after the demo.
Identity & access
SSO via your IdP, SCIM provisioning, MFA, least-privilege RBAC, full access audit trail.
Network & perimeter
Private networking, segmented VPCs, WAF, secrets management, zero public model endpoints.
Data & governance
Classification, lineage, retention, DLP, and an AI risk register aligned to the EU AI Act tiers.
Model & ops
Eval gates, guardrails, prompt/version control, rollback, and human-in-the-loop policy where it matters.
A register your DPIA can cite.
Transparent, current and minimal. EU-resident by default; the full list is available under NDA.
| Sub-processor | Purpose | Region | Safeguard |
|---|---|---|---|
| Microsoft Azure (EU) | Primary cloud & compute | EU (West/North Europe) | EU data boundary · SCCs |
| Databricks (EU) | Data & ML platform | EU | EU residency · DPA |
| Self-hosted models | Inference (sovereign) | EU / customer perimeter | No external transfer |

Full, current register provided under NDA on request · dpo@celthrac.com

Defensible. By design.
Bring your security questionnaire. We answer with architecture and artifacts, not adjectives.
