Security is our Foundation
Built for the regulated tender workflows our customers run. Honest about where data lives, what we use, and what we don't do.
Data Residency
Production runs on Google Cloud in europe-west1 (Belgium). For Australian customers we operate a dedicated stack in australia-southeast1 (Sydney) — documents, vector embeddings, application database, and audit logs stay in Sydney. AI inference currently uses Vertex AI's global Gemini endpoint pending regional Pro-model deployment.
No Foundation-Model Training
Customer documents are sent to Google Gemini for analysis only. Per Google's Generative AI terms, paid-tier prompts and responses are not used to train Google's foundation models. We don't send documents to any other AI provider.
Encryption
TLS 1.3 in transit. Encryption at rest provided by Google Cloud (AES-256) for AlloyDB and Cloud Storage. Database access uses IAM-authenticated short-lived tokens, not long-lived passwords.
How We Handle Your Data
What We Store
- Account details (email, name, company) in AlloyDB
- Analysis results, drafts, and metadata
- Billing records (Stripe customer + subscription IDs only — never card numbers)
- Uploaded documents in Google Cloud Storage, encrypted at rest
What We Never Do
- ✕ Send your documents to a foundation-model provider for training
- ✕ Sell or share customer data with third parties for marketing
- ✕ Co-mingle one customer's Bid Library with another's
- ✕ Retain documents indefinitely after account deletion
Security FAQ
Compliance Posture
We're a small team — we'd rather be honest about where we are than claim badges we haven't earned.
GDPR aligned
Personal data handling, lawful basis, data subject rights, and EU residency.
Inheriting Google Cloud's certifications
Our hosting provider holds ISO 27001, ISO 27017/27018, SOC 2/3, PCI DSS, and others. These cover the underlying infrastructure layer; the application layer is our responsibility.
Container vulnerability scanning in CI
Every backend image is scanned by Trivy on push. Builds fail on critical CVEs.
Secret scanning + Cloud Armor
GitHub secret scanning + gitleaks pre-commit. Cloud Armor edge rules block scanner traffic and rate-limit per IP.
SOC 2 / ISO 27001 — not yet
Independent audits are on the roadmap as the team grows. In the meantime we're happy to walk procurement teams through our setup over a call.
Sub-Processors
| Provider | Purpose | Location | Data Handled |
|---|---|---|---|
| Google Cloud Platform | Compute (Cloud Run), database (AlloyDB), object storage (GCS), KMS, Vertex AI Gemini endpoint | europe-west1 (Belgium) primary; australia-southeast1 for AU customer data at rest; Vertex AI global endpoint for inference | Encrypted documents, application database, user metadata. Inference requests transit to Google's nearest available region for the chosen Gemini model |
| Google Gemini API | Document analysis (extraction, compliance, drafting) | Google AI processing region (EU endpoint) | Document text sent at request time; not used to train Google's foundation models per Generative AI terms |
| Stripe | Payment processing | EU (Dublin) + global | Customer billing details and card data — handled by Stripe; we never see card numbers |
| Resend | Transactional email delivery | EU/US | Email addresses and message content for product notifications |
| Sentry | Error tracking and performance monitoring | EU (Frankfurt — de.sentry.io) | Stack traces, request paths, user IDs (no document content) |
| PostHog | Product analytics (frontend usage) | EU (Frankfurt) | Anonymised event data on UI interactions; no document content |
Have a security or procurement question? contact@ailucius.com