Security & Trust
EU-first by design. GDPR-clean. SOC 2 in progress.
🇪🇺 EU data residency: OVH Gravelines + Roubaix, EU only.
✓ GDPR & DPA: DPA on demand. Article 28 compliant.
⏳ SOC 2 Type II: In audit Q3 2026 with Vanta.
✓ ISO 27001 mapping: Every finding mapped to Annex A controls.
Subprocessors
| Vendor | Purpose | Region |
|---|---|---|
| OVHcloud | Compute, K8s, Postgres | EU (Gravelines/Roubaix) |
| Cloudflare | DNS, CDN, DDoS | Global edge |
| Anthropic | LLM (Claude) | EU region opt-in |
| OpenAI | LLM (fallback) | EU region opt-in |
| Mistral AI | LLM (EU-native) | EU (Paris) |
| Stripe | Billing | EU + US |
| Plausible | Privacy analytics | EU (Germany) |
| PostHog | Product analytics | EU |
| Resend | Transactional email | EU + US |
| Loops | Lifecycle email | US |
Last updated: 2026-05-17 · Subscribe to changes via the security contact
Reporting a vulnerability
Found a security issue? Please email the security contact with a PoC. We respond within 48h. Coordinated disclosure 90 days. We do not pursue legal action against good-faith research.
Public PGP key + policy: /.well-known/security.txt
Live status: status.blaast.app