TRANSPARENCY

What we do. What we don't.

Specifics, not assurances. Numbers, not adjectives.

At a glance
100%
Data stored and processed in the EU
10
Sub-processors, each under a DPA
72h
Personal-data breach notification commitment

What the AI sees.

Clair processes the inputs you provide, URLs, configurations, policy drafts, supplier lists. She uses that to compose summaries, drafts and recommendations.

AI sees

URLs you connect; configuration of integrations you authorise; documents you upload; questions you ask in-product.

AI does not see

Your customers' personal data unless you explicitly include it; data from systems you didn't connect; anything we'd need to actively go fetch, we don't.

Where your data lives.

Location

All data stored and processed in the EU. Vercel EU-Frankfurt for application hosting, Supabase EU-Frankfurt for the database.

Encryption

TLS 1.3 in transit. AES-256 at rest. Postgres column-level encryption for sensitive fields (API tokens, integration secrets).

Isolation

Postgres row-level security per tenant. Your queries cannot reach another tenant's rows. Tested in CI.

Sub-processors.

The full current list, with what each one does and where. We give 30 days' notice before any change.

Sub-processorWhat it does, where, and on what basis
VercelApplication hosting and edge runtime (EU-Frankfurt region), plus cookieless Vercel Web Analytics for aggregate marketing-site traffic statistics. DPA in place.
SupabasePostgres database, authentication, file storage. EU-Frankfurt. DPA in place.
OpenAIEmbeddings, entity extraction, advisor chat. US-based; SCCs Module 2, plus the EU-US DPF where OpenAI's certification applies. No-train API tier. Migration to self-hosted embeddings before broader rollout (see roadmap).
AnthropicClaude models for heavy reasoning and policy drafts. US-based; SCCs Module 2. No-train commitment under Anthropic's API terms.
FirecrawlWeb crawling for the scanner agent (public web pages of domains you authorise). US-based; SCCs Module 3 (sub-processor-to-sub-processor crawling).
Brave SearchOSINT lookups for the scanner. US-based; SCCs Module 2. Used only with anonymised query terms; no customer identifiers sent.
StripeSubscription billing. Ireland-based EU entity. PCI-DSS Level 1. DPA in place; SCCs for any onward transfers.
ResendTransactional email provider. The marketing-site demo form now submits to HubSpot, and product transactional email is sent by Supabase Auth directly, so Resend is configured but not currently in active use. When used it dispatches from the EU region (Ireland); account data and logs are US-based. SCCs Module 2 plus DPA in place.
SentryApplication error tracking. Org-region configurable; we run on the EU instance. PII-scrubbing rules drop tokens, emails, and free-text content before events leave the app.
HubSpotCRM. The marketing site's /contact demo-request data is submitted server-side to HubSpot's Forms API, no HubSpot scripts or cookies load in your browser. Form and contact data use HubSpot's EU data region (eu1); HubSpot Inc. is US-based, so account-level data relies on SCCs Module 2 plus the EU-US Data Privacy Framework where HubSpot's certification applies. DPA in place.

Security measures.

Authentication

OAuth + email/password with optional MFA. Supabase Auth. Sessions rotate every 24 hours.

Row-level security

Every table has a tenant_id and an RLS policy. Policies tested in CI. The cost of a bug is bounded.

Monitoring

Application logs to a centralised store, retention 90 days. Anomaly alerts to oncall. Vercel WAF in front.

Incident response

Documented runbook. 72-hour notification commitment for personal-data breaches. Annual tabletop.

SDLC

Code review on every PR. Dependency scanning. Static analysis. Annual penetration test.

Open standards

Open-source dependencies tracked. Vulnerabilities triaged within 7 days for critical, 30 days for high.

The short version.

Your data is yours. EU only. Encrypted. Separated. Logged. Watched. If you want a deeper specific answer, mail team@air-tools.nl, we have it.

FAQ

Do you train models on my data?
No. We use general-purpose language models (Anthropic Claude, OpenAI). Customer data is not sent to provider training pipelines. We use "no-train" tiers where they exist.
Which LLM providers do you use?
Anthropic for the heavy reasoning. OpenAI for embeddings and lighter completions. Both are US-based and accessed under SCCs (plus the EU-US DPF where the provider is certified); we use EU-region endpoints where a provider offers them.
What happens when I cancel my account?
Account access ends immediately. Data is exportable for 90 days. After 90 days, data is deleted from primary storage and rolls out of backups within 35 days.
Can I audit you?
Yes. Customers on Business+ can request a completed security questionnaire and a summary of our most recent penetration test.
Will you tell me when sub-processors change?
Yes. 30-day notice via email and on this page. You can object; if we can't accommodate, you can cancel without penalty.

More questions? Mail us.

We answer specifics. team@air-tools.nl.

Talk to a humanRead about us