TRUST AND SECURITY
Security posture — facts only.
This page describes where your data is stored, who processes it, and what security controls are in place. No marketing, no certifications we have not earned.
Last updated: 2026-06-04
Compliance posture
Spekir is built toward SOC 2 Type 1 readiness. Evidence collection is scaffolded and controls are being implemented. We are not currently certified.
GDPR: We operate as a data processor under GDPR. Processor obligations are met. A Data Processing Agreement (DPA) is available on request.
ISO 27001: Not planned at this stage. We will revisit when business scale and customer requirements make it the right investment.
Hosting & data residency
| Component | Detail |
|---|---|
| Application hosting | Vercel — Frankfurt, EU (eu-central-1 / fra1) |
| Database | Neon PostgreSQL — Frankfurt, EU (eu-central-1) |
| Data at rest | All customer data stored in EU regions. No customer data leaves the EU at rest. |
| Build secrets | Stored in Vercel environment variables — never in source code |
| CDN edge nodes | Vercel Edge Network — requests served from nearest PoP, data pinned to Frankfurt |
Authentication
| Item | Detail |
|---|---|
| Provider | NextAuth v5 — self-hosted, no third-party identity broker |
| Methods | Email + password (bcrypt hashed), Google OAuth |
| Sessions | Stored in Neon PostgreSQL (same EU region). JWT-signed server sessions. |
| 2FA / MFA | TOTP-based 2FA available in Settings → Security |
| SSO / SAML | In progress — planned Q4 2026 |
| SCIM provisioning | Planned Q4 2026 |
Encryption
| Scope | Control |
|---|---|
| In transit | TLS 1.3 enforced on all endpoints. HSTS enabled with 1-year max-age. |
| At rest | AES-256 managed by Neon (transparent encryption at storage layer). BYOK on roadmap Q3 2026. |
| Secrets & API keys | Vercel environment variables — injected at build time, never stored in git or logs |
| User API keys | Hashed with bcrypt before storage. Raw key shown once at creation only. |
Backups & data retention
| Item | Detail |
|---|---|
| Automated backups | Neon point-in-time recovery — 7 days on free tier, 30 days on Pro tier |
| Self-serve export | Workspace data export (JSON + CSV) available from Settings → Trust Dashboard |
| Deletion on request | Workspace data deleted within 30 days of verified deletion request |
| Audit log retention | 12 months, append-only. No deletion from application code. |
| Backup drill | Restore drill run quarterly against Neon child branch (not production). Evidence committed internally. |
Subprocessors
The following third parties process data on our behalf. We review subprocessors regularly and notify customers of material changes.
| Processor | Purpose | Region | DPA |
|---|---|---|---|
| Vercel | Application hosting and CDN | EU (Frankfurt eu-central-1) | DPA ↗ |
| Neon | PostgreSQL database hosting | EU (Frankfurt eu-central-1) | DPA ↗ |
| Anthropic | AI model inference (Claude). Zero data retention configured. Opt-out of model training enforced via API agreement. | US (no EU region available) | DPA ↗ |
| Resend | Transactional email delivery | US / EU | DPA ↗ |
| Stripe | Payment processing | EU (Ireland) | DPA ↗ |
| Langfuse | AI observability and tracing | EU (Frankfurt) — self-hosted | Internal |
| Inngest | Background job orchestration | US (no EU region) | DPA ↗ |
Need a DPA? Email hello@spekir.com — we will send the agreement within two working days.
Platform status
| Item | Detail |
|---|---|
| Status page | In progress — planned for Q3 2026 at status.spekir.com |
| Uptime target | 99.5% monthly SLA |
| Incident notification | Workspace admins notified within 24h of confirmed incident. GDPR Art. 33 notification within 72h. |
| Vulnerability reports | Email security@spekir.com — see /security for full responsible disclosure policy |
Topic deep-dives
- Security → TLS 1.3, AES-256 at rest, NextAuth v5, audit logs, and rate limits.
- Compliance → GDPR posture, EU AI Act roadmap, and SOC 2 progress.
- Data handling → How your data flows, from ingest through deletion.
- Incidents → Full history. No reported security incidents to date.
- Subprocessors → Vercel, Neon, Anthropic, and Resend, with regions and DPA links.
- Data residency → Where your data lives: Frankfurt-first, tri-state residency policy, AI compute location, and subprocessor details.
- AI data handling → How Atlas uses AI with your portfolio: what flows to AI providers, what doesn't, retention facts, and customer controls.
Contact
Security questions
For questions about our security posture, DPA requests, or data residency: hello@spekir.com
Responsible disclosure
Found a vulnerability? See our disclosure policy and safe harbour clause.
View /security policy →