Trust & Security

Trust, in writing. Auditable, dated, link-checked.


Kustiq is operated by Analytics Lab S.R.L. from Bucharest. EU workers run on Hetzner in Germany, the database is in Supabase us-east-1, and AI inference runs through Anthropic under a no-training clause.

SOC 2 · Not pursued · Controls table §2
Data residency · EU workers, US DB · Hetzner DE, Supabase us-east-1
AI training · No, contractual · Anthropic API, no-train
Material incidents · None to date · See /status

§1 Certifications & frameworks

Status of what we have today and what is on the roadmap. Where we have not pursued a framework, we say so and explain what we offer instead.

SOC 2
Not pursued. No SOC 2 audit on the roadmap for 2026. Equivalent controls are mapped in the table in §2, and we respond to vendor questionnaires in two business days.
ISO 27001
Not pursued in 2026. Mapping kept current against Annex A. Considered for 2027 once the team is at least four people.
GDPR
In effect. DPA available; countersigning by email takes one business day. Article 17 erasure runbook live.
EU-US transfers
SCCs (2021/914) plus UK addendum with all US sub-processors. DPF certification not separately filed.

What we have today, and what is on the roadmap

Procurement teams want a yes-or-no on each framework with a date attached. That is what this card is. Anything you do not see here, treat as “not pursued”; do not infer.

Not pursued

SOC 2 Type I / II

Not on the 2026 roadmap. We respond to SIG-Lite, CAIQ-Lite, and vendor questionnaires in two business days.

Equivalent · controls table §2
DPA path · /dpa
Trigger to revisit · enterprise contract demand
Not pursued

ISO 27001

Not pursued in 2026. Mapping kept current against Annex A.

Earliest start · 2027
Trigger · team > 4
Annex A mapping · maintained
In effect

GDPR

DPA on request. Article 17 erasure runbook live.

Contact · support@kustiq.com
Lead authority · ANSPDCP, RO
Subject rights SLA · 30 days
Self-attested

EU-US Data Privacy Framework

SCCs in place with US sub-processors. DPF certification not separately filed.

Mechanism · SCCs · 2021/914
UK addendum · included
Sub-processor list · §4 below

Need our security questionnaire? We respond to SIG-Lite, CAIQ-Lite, and standard vendor-risk forms within two business days. Send yours to support@kustiq.com with the subject “Security questionnaire”.

§2 Controls

Eight controls covering identity, data, network, and operations. Each row links to the place you can verify it.

MFA
Required on the founder console and every sub-processor admin panel. WebAuthn preferred where supported.
Data at rest
AES-256 via Supabase. pgcrypto for OAuth tokens and webhook secrets at the column level.
Data in transit
TLS 1.3 only. HSTS preload. Strict-Transport-Security: max-age=63072000.
Backup & restore
Supabase point-in-time recovery, 7-day window. Daily logical backups encrypted at rest.
External pentest
None scheduled in 2026. Founder code review on every merge to main. Snyk + Dependabot run weekly.
Incident notice window
72 h for material incidents per GDPR Art 33. Post-mortem within 7 days.
Control · Identity & access
How it is implemented · Supabase Auth, WebAuthn for the founder console. SSO-compatible on Pro. Sub-processor admin panels behind hardware keys. API keys stored as SHA-256 fingerprints, never plaintext.
How you verify · security.txt

Control · Data residency
How it is implemented · Database in Supabase US-east. API workers on Hetzner in Germany (EU). Inference traffic to Anthropic terminates in US-east under SCCs (2021/914) plus UK addendum.
How you verify · DPA · transfers

Control · Encryption
How it is implemented · AES-256 at rest. TLS 1.3 in transit, HSTS preload. pgcrypto for OAuth tokens and webhook secrets. Keys rotated annually or on suspected compromise.
How you verify · SSL Labs · HSTS preload

Control · Application security
How it is implemented · CSP, Subresource Integrity, signed webhooks (HMAC-SHA256). Dependabot weekly. Founder code review on every merge to main. Role-based access control with six permissions.
How you verify · securityheaders.com

Control · Logging & monitoring
How it is implemented · Structured application logs retained 90 days. Auth and admin events archived for 13 months. All production access is logged per session.
How you verify · DPA · technical measures

Control · Backup & recovery
How it is implemented · Supabase point-in-time recovery, 7-day window. Daily logical backups, encrypted at rest. VPS automated daily snapshots.
How you verify · DPA · retention

Control · Incident response
How it is implemented · 72 h notification window for material incidents per GDPR Art 33. Post-mortem published within 7 days. Notice routes to the billing and security contacts on file.
How you verify · DPA · breach notification

Control · Status & uptime
How it is implemented · Live UptimeRobot monitoring on web, API, and database queues. Public history with rolling 30-day uptime by service. Page refreshes every 5 minutes.
How you verify · /status
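The application-security row says webhooks are signed with HMAC-SHA256. What that buys a receiver depends on how the receiver checks the signature, so here is an added example of receiver-side verification. It is not Kustiq's code: the page states only the algorithm, so the header name (X-Kustiq-Signature), the "t=<unix-seconds>,v1=<hex>" value format, and the five-minute freshness window are assumptions made for illustration.

```python
"""Receiver-side verification of an HMAC-SHA256 signed webhook.

Added example; not Kustiq's code. The header name, the
"t=<unix-seconds>,v1=<hex>" format and the five-minute replay
window are assumptions for illustration.
"""
import hashlib
import hmac
import time
from typing import Dict, List, Optional, Tuple

SIGNATURE_HEADER = "X-Kustiq-Signature"  # assumed header name
TOLERANCE_SECONDS = 300                  # assumed replay window


def _mac(secret: bytes, timestamp: int, body: bytes) -> str:
    # The timestamp is bound into the MAC, so a captured request cannot be
    # replayed later with a still-valid signature.
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """What the sender would put in the signature header."""
    return f"t={timestamp},v1={_mac(secret, timestamp, body)}"


def _parse_signature(header: str) -> Optional[Tuple[int, List[str]]]:
    """Extract the timestamp and every v1 candidate from the header value."""
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1" and value:
            candidates.append(value)
    if timestamp is None or not candidates:
        return None
    return timestamp, candidates


def verify_webhook(headers: Dict[str, str], body: bytes, secret: bytes,
                   now: Optional[int] = None,
                   tolerance: int = TOLERANCE_SECONDS) -> bool:
    """True only if the raw body carries a fresh signature under this secret.

    Verify the raw bytes exactly as received: re-serialising parsed JSON can
    change whitespace or key order and silently break the MAC.
    """
    # HTTP header names are case-insensitive; look the header up accordingly.
    header = next((v for k, v in headers.items()
                   if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not header:
        return False
    parsed = _parse_signature(header)
    if parsed is None:
        return False
    timestamp, candidates = parsed
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > tolerance:
        return False  # stale (or future-dated): treat as a replay
    expected = _mac(secret, timestamp, body)
    # compare_digest runs in constant time, so the check does not leak how
    # many leading bytes of a guessed signature were correct.
    return any(hmac.compare_digest(expected, c) for c in candidates)


if __name__ == "__main__":
    # Constructed sample: a made-up secret and a made-up event body.
    secret = b"whsec_constructed_example"
    body = b'{"event":"profile.generated","id":"evt_0001"}'
    sent_at = 1_700_000_000
    header = sign_payload(secret, sent_at, body)
    print("fresh, untouched:", verify_webhook({SIGNATURE_HEADER: header}, body, secret, now=sent_at + 5))
    print("tampered body:   ", verify_webhook({SIGNATURE_HEADER: header}, body + b" ", secret, now=sent_at + 5))
    print("replayed later:  ", verify_webhook({SIGNATURE_HEADER: header}, body, secret, now=sent_at + 3600))
```

Three properties matter on the receiving side: the MAC covers the raw body, the timestamp is part of the signed input so a replay outside the window fails, and the comparison is constant-time. A receiver that parses the JSON first and signs the re-encoded result, or that compares with `==`, loses one of them.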

§3 Data handling

What we collect, where it lives, how long it stays, and what AI sees.

Customer data
You own your inputs and outputs. We process them only to run the Service.
AI training
No. Anthropic API runs under a contractual no-training clause. We run no training pipeline of our own.
Retention
Account data while active. 30 days grace after deletion, then GDPR Art 17 erasure.
Suppression list
Indefinite. Lawful basis for honouring opt-outs · GDPR Art 17(3)(b).
Plain English
Customer data lives in Supabase US plus Hetzner EU and never trains a model. Anthropic sees prompts and outputs to do the inference and does not retain them past its 30-day abuse-monitoring window. Sub-processors get the minimum each one needs.

What we collect. Account fields (email, organisation, billing contact), domains and ICP configurations you submit, generated profiles and outreach drafts, support and product-event telemetry, and OAuth tokens for the integrations you connect. Nothing else.

Where it lives. The primary database is Supabase Postgres in us-east-1. API workers and pipeline queues run on Hetzner in Germany (EU). Inference traffic to Anthropic terminates in us-east-1 under SCCs (2021/914) plus the UK addendum; no customer payload is retained server-side beyond Anthropic’s 30-day abuse-monitoring window.

Retention. Account data persists for the lifetime of your account. After deletion you have 30 days to export from Billing. After 30 days the GDPR Article 17 erasure runbook deletes account rows, customer data, OAuth tokens, and per-customer logs. Aggregated, anonymised metrics that drive product reliability persist beyond deletion, as described in our Terms §11.

AI training. Kustiq does not use customer inputs or outputs to train, fine-tune, or improve any AI model. Inference goes to Anthropic under their Commercial Terms, which prohibit training on API inputs and outputs. We run no training pipeline of our own.

§4 Sub-processors

Twelve vendors, alphabetical. Each card links to the vendor’s DPA. Material additions get 30 days’ email notice and a documented right to object.

Total
12 sub-processors. Listed below alphabetically.
Notice on change
30 days’ email notice for material additions. Right to object retained.
SCCs
Module 2 (controller-to-processor) for all US sub-processors. UK addendum included.
Anthropic US-east
LLM inference for profile generation, qualification, and outreach drafts. Contractual no-train.
Browserless EU/US
Headless-browser rendering for JS-required public-web fetches. No customer data leaves the page payload.
Cloudflare global edge
Turnstile bot defense on public abuse-prone endpoints (anonymous /try, signup). Receives a short-lived token plus the visitor IP.
Google Workspace US/EU
Business email (alex@, support@) and customer-support communications. Inbox content scoped per role.
Hetzner EU-fra
API server hosting and pipeline workers. EU-only region (Falkenstein / Helsinki).
HubSpot EU/US
Optional CRM sync target for prospects exported from Targeted Outreach. OAuth scopes shown at connect time.
Resend US
Transactional email (auth, billing, onboarding). Bounce and complaint logs retained 30 days.
Saleshandy US
Outbound email delivery for Targeted Outreach. Per-mailbox signatures, no shared pool.
Serper US
Search-engine result API for the discovery phase of the pipeline. Queries logged 24 h.
Stripe global
Subscription billing, card vaulting, dunning. Card numbers handled by Stripe under PCI-DSS, never seen by Kustiq.
Supabase US-east
Primary Postgres store, object storage, auth. Point-in-time recovery, 7-day window.
Vercel global edge
Frontend hosting, CDN, serverless functions for the marketing + dashboard surfaces.

§5 Verify yourself

Three places to check the claims on this page without taking our word for any of it.

Status page
Public history. /status. UptimeRobot feed, refreshes every 5 minutes.
Headers
HSTS preload, CSP, COOP, CORP. Inspect at securityheaders.com.
No third-party trackers
DevTools network tab on any page. Filter for google.com or facebook.com. Zero results.
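The headers item above points at securityheaders.com. For a review that needs a repeatable check, here is an added example (not part of the Kustiq page) that tests a dict of response headers against the four claims the page makes: HSTS that qualifies for the browser preload list, a CSP, COOP and CORP. It runs on constructed input; fetching the live headers, for instance with the requests library, is left to the caller. The HSTS thresholds are the published preload-list requirements (max-age of at least one year, includeSubDomains, preload), not something the page states.

```python
"""Offline check of the security headers §5 tells readers to inspect.

Added example; not part of the Kustiq page. Works on a dict of response
headers so it runs without network access.
"""
from typing import Dict, List

ONE_YEAR = 31_536_000  # seconds; the smallest max-age the preload list accepts


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return ""


def parse_hsts(value: str) -> Dict[str, str]:
    """'max-age=63072000; includeSubDomains; preload' -> lower-cased directive map."""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip()
    return directives


def hsts_problems(value: str) -> List[str]:
    """Reasons a Strict-Transport-Security value would not qualify for preload."""
    if not value:
        return ["header missing"]
    directives = parse_hsts(value)
    problems = []
    max_age = directives.get("max-age", "")
    if not max_age.isdigit() or int(max_age) < ONE_YEAR:
        problems.append("max-age below one year")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return problems


def check_security_headers(headers: Dict[str, str]) -> Dict[str, bool]:
    """One boolean per claim on the page; all True means the claims hold."""
    coop = _get(headers, "Cross-Origin-Opener-Policy").strip().lower()
    corp = _get(headers, "Cross-Origin-Resource-Policy").strip().lower()
    return {
        "hsts_preload_ready": not hsts_problems(_get(headers, "Strict-Transport-Security")),
        "csp_present": bool(_get(headers, "Content-Security-Policy").strip()),
        # same-origin is the COOP value that gives the page its own browsing-context group
        "coop_isolating": coop == "same-origin",
        # CORP same-origin or same-site stops cross-origin embedding of the resource
        "corp_restricting": corp in ("same-origin", "same-site"),
    }


if __name__ == "__main__":
    # Constructed responses: one matching the page's claims, one weak.
    strong = {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'",
        "Cross-Origin-Opener-Policy": "same-origin",
        "Cross-Origin-Resource-Policy": "same-origin",
    }
    weak = {"strict-transport-security": "max-age=300"}
    print(check_security_headers(strong))
    print(check_security_headers(weak))
    print(hsts_problems(weak["strict-transport-security"]))
```

A max-age of 63072000 (two years), as quoted in §2, clears the one-year preload threshold; the check flags the cases where a header is present but too short-lived or missing includeSubDomains, which a presence-only test would pass.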

§6 Incident history

Material incidents only. We define material as anything triggering a GDPR Art 33 notification or sustained downtime above 30 minutes.

Material data incidents to date · 0

No incident has triggered a GDPR Art 33 notification. Live uptime, planned maintenance, and any operational events appear on /status. Material incidents trigger an email to the billing and security contacts on file within 72 hours, followed by a public post-mortem within 7 days.

§7 Procurement questions, answered

Six questions that appear in every vendor-risk form. Each answer stands alone.

Is Kustiq SOC 2 compliant?

Kustiq has not pursued SOC 2 in 2026. The full controls catalogue and current implementation status are on this page in §2. We respond to SIG-Lite, CAIQ-Lite, and standard vendor-risk questionnaires within two business days. Email support@kustiq.com with your form attached.

Where is customer data stored, and does it leave the EU?

The primary database runs on Supabase in us-east-1. API workers and pipeline queues run on Hetzner in Germany (EU). Inference traffic to Anthropic terminates in us-east-1 under SCCs (2021/914) plus the UK addendum. No payload is retained server-side beyond Anthropic’s 30-day abuse-monitoring window.

Does Kustiq train AI models on our data?

Kustiq does not use customer inputs or outputs to train, fine-tune, or improve AI models. Inference goes to Anthropic under their Commercial Terms, which prohibit training on API inputs and outputs. We run no training pipeline of our own.

Can we get a signed DPA, and what is your sub-processor change policy?

Our standard DPA is on the /dpa page; countersigning by email takes one business day. Material additions to the sub-processor list are announced by email to the billing contact at least 30 days before they take effect, with a documented right to object that pauses the addition for your tenant.

What happens to our data if we cancel?

You have 30 days from cancellation to export everything from Billing. After 30 days the GDPR Article 17 erasure runbook deletes account rows, customer data, OAuth tokens, and per-customer logs. Aggregated, anonymised metrics persist beyond deletion as described in Terms §11. Email addresses you marked as suppressed remain on the global suppression list under Art 17(3)(b).

Has Kustiq had a security incident, and how would we be notified?

No incident to date has triggered a GDPR Art 33 notification. Material incidents trigger an email within 72 hours per Art 33, routed to the billing and security contacts on file, followed by a public post-mortem on /status within 7 days.

For security review

Talk to the founder, not a help desk.

Email me directly with your security questionnaire, controls table follow-ups, or DPA edits, and I will answer the same business day.

Alex · founder · Bucharest, RO · GMT+3
· DPA countersigned same business day
· SIG-Lite / CAIQ-Lite returned in <48 h
· Custom questionnaires welcome