Security & compliance

Built EU-first.
Documented honestly.

No security-theatre badges. Just the actual posture: where data lives, how it's protected, and what we'll sign on paper.

Hosting & data residency

  • Primary infrastructure: Hetzner Cloud, Frankfurt (FSN1) data centre. EU-based provider, ISO 27001 certified.
  • Database: MariaDB, single primary in Frankfurt. Read replicas same region.
  • Object storage: Hetzner Storagebox in Falkenstein (FSN1), same region, separate availability zone.
  • Backups: encrypted (AES-256), daily, 30-day retention. Stored in Falkenstein (separate from primary). Restore tested quarterly.
  • No US transfer by default. The only outbound traffic to the US is the LLM API call itself (OpenAI, Anthropic, Google), and it carries only your prompt, never a customer identifier.

Encryption

  • In transit: TLS 1.3 only, HSTS enforced (max-age 1y, includeSubDomains, preload).
  • At rest: AES-256 for database backups + object storage. Hetzner volume encryption for the primary disk.
  • Secrets: HashiCorp Vault for API keys + service credentials. No secrets in environment variables, no secrets in git.
  • Passwords: bcrypt cost 12. Never logged, never stored plain.

Authentication & access control

JWT with rotation

Access tokens 1h TTL, refresh tokens 30d TTL. Auto-rotation on every use. Keys live in Vault, rotated every 90d.
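As an added illustration of the rotate-on-every-use scheme described above (example code written for this page, not the Truffle code base, which the page does not show): access tokens with a 1h TTL and refresh tokens with a 30d TTL, where each refresh call invalidates the refresh token just presented and issues a fresh pair. The HS256 signing helper, the in-memory token store standing in for a Vault-backed key and a database table, and the reuse-detection step that revokes a whole token family when a dead refresh token is replayed are assumptions that go beyond what the page states.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key; in practice this would be fetched from Vault (assumption).
SIGNING_KEY = secrets.token_bytes(32)

ACCESS_TTL = 3600             # 1h access-token lifetime, as stated on the page
REFRESH_TTL = 30 * 24 * 3600  # 30d refresh-token lifetime, as stated on the page


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims, key=SIGNING_KEY):
    """Minimal HS256 JWT (header.payload.signature); a stand-in for a real JWT library."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify(token, key=SIGNING_KEY, now=None):
    """Check signature (constant-time) and expiry; return the claims or raise ValueError."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims


class RefreshStore:
    """Server-side record of live refresh tokens. In-memory here; assumed to be a DB table in practice."""

    def __init__(self):
        self.live = {}               # refresh-token id (jti) -> token family id
        self.revoked_families = set()

    def issue_pair(self, user, family=None, now=None):
        now = now if now is not None else time.time()
        family = family or secrets.token_hex(8)   # one family per login session
        jti = secrets.token_hex(16)
        self.live[jti] = family
        access = sign({"sub": user, "typ": "access", "exp": now + ACCESS_TTL})
        refresh = sign({"sub": user, "typ": "refresh", "jti": jti,
                        "fam": family, "exp": now + REFRESH_TTL})
        return access, refresh

    def rotate(self, refresh_token, now=None):
        """Consume a refresh token and issue a new pair; the presented token is dead afterwards."""
        claims = verify(refresh_token, now=now)
        if claims.get("typ") != "refresh":
            raise ValueError("not a refresh token")
        jti, family = claims["jti"], claims["fam"]
        if family in self.revoked_families:
            raise ValueError("token family revoked")
        if jti not in self.live:
            # A rotated (already used) token is being replayed: treat as theft and
            # kill every live token in the same family (assumption beyond the page).
            self.revoked_families.add(family)
            for dead in [j for j, f in self.live.items() if f == family]:
                del self.live[dead]
            raise ValueError("refresh token reuse detected; family revoked")
        del self.live[jti]  # single use: the old refresh token cannot be replayed
        return self.issue_pair(claims["sub"], family=family, now=now)


def demo(now=1000.0):
    """Walk through login, one rotation, a replay of the old token, and the resulting family revocation."""
    store = RefreshStore()
    access, r1 = store.issue_pair("user-123", now=now)
    result = {"access_ok": verify(access, now=now + 1)["sub"] == "user-123"}
    _, r2 = store.rotate(r1, now=now + 2)
    result["rotation_ok"] = r2 != r1
    try:
        store.rotate(r1, now=now + 3)            # replay of the consumed token
        result["replay_rejected"] = False
    except ValueError as err:
        result["replay_rejected"] = "reuse" in str(err)
    try:
        store.rotate(r2, now=now + 4)            # the legitimate successor is revoked too
        result["family_revoked"] = False
    except ValueError as err:
        result["family_revoked"] = "revoked" in str(err)
    try:
        verify(access, now=now + ACCESS_TTL + 1)  # access token past its 1h TTL
        result["expiry_enforced"] = False
    except ValueError:
        result["expiry_enforced"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The store keeps only token ids, not the tokens themselves, so a database leak does not hand out usable refresh tokens; rotation is what makes a stolen refresh token a single-use asset, and the family revocation turns a replay into a signal rather than a silent session hijack.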

SSO via WorkOS

Google Workspace, Microsoft Entra, generic SAML 2.0. Optional Pro+ add-on. Per-workspace configuration.

2FA

TOTP (compatible with Google Authenticator, 1Password, Authy) on every account. Mandatory for Agency plans.

Per-project permissions

Member-level access scoped to specific projects. Read / write / admin separation. Audit-logged.

Compliance & legal

  • GDPR: full compliance. DPA on request, right to data copy, account-deletion automated within 7 days.
  • DPA template: standard DPA available for signature. Custom DPA for Enterprise.
  • Sub-processor list: published, kept current. Any addition triggers 30 days' customer notice.
  • Data Protection Officer: external DPO contractor. Contact via hello@runtruffle.com.
  • Cookie banner: strictly-necessary-only by default, no third-party trackers, no advertising scripts.

Operations & auditability

  • Audit log: every login, every API call, every project change. Retained 90 days; Enterprise plan: 1 year.
  • Rate limiting: 1000 req/h per API key (Pro), 5000 (Agency), custom (Enterprise). Configurable per workspace.
  • Monitoring: 24/7 uptime monitoring, internal Slack alerts. Status page at status.runtruffle.com.
  • Incident response: 4h response SLA for security issues. Critical incidents notified to affected customers within 48h per GDPR Art. 33.
  • Vulnerability disclosure: hello@runtruffle.com with subject "Security". We respond within 24h.

What we don't do

  • No advertising tracking. No Google Analytics on customer dashboards. Our own usage telemetry stays internal.
  • No data sale. Your tracking data stays in your workspace. No "anonymised industry benchmark" that monetises your data.
  • No US infrastructure by default. If you need it (rare), we can quote a US-region setup, but it's not the default.
  • No SOC 2 yet. Honest disclosure: we're not SOC 2 certified. Hetzner provides ISO 27001 + GDPR. SOC 2 audit planned for Q4 2026.

Talk to security

Need a DPA, a sub-processor list, a custom contract clause, or a security questionnaire filled out? Email hello@runtruffle.com with the subject "Security review"; a real human responds within 48h.

Ready when your team is.

7-day trial with the full feature set. No credit card.

