Trust
The procurement-officer page.
This page exists for procurement, security, privacy, and legal reviewers. It enumerates everything you would otherwise email asking for. It is rebuilt on every YAML change; the last-updated timestamp at the top of the page reflects the latest content modification, not the build time.
1. Sub-processors
| Sub-processor | Purpose | Jurisdiction | Audit basis |
|---|---|---|---|
Data categories per sub-processor (full detail)
Notification policy
2. Data residency
All inference processing, all stored receipts, and all stored ledger metadata reside within the European Economic Area. We do not transfer customer prompt or completion content to any third country under any circumstance. Edge networking uses EU-located Cloudflare points of presence; the small number of US-resident control-plane operations attached to third-party vendors handle operational metadata only and are covered by EU SCC 2021/914 where required.
| Component | Regions | Residency |
|---|---|---|
| Inference compute (primary) | Scaleway PAR-1 (France), Scaleway PAR-2 (France) | France |
| Inference compute (low-carbon path) | atNorth STO-1 (Sweden), atNorth ISL-1 (Iceland) | Sweden / Iceland (EEA) |
| Inference compute (redundant) | OVHcloud GRA (France), OVHcloud RBX (France) | France |
| Gateway (API surface) | OVHcloud GRA (France) | France |
| Storage (receipts, ledger) | OVHcloud GRA local SQLite primary, Cloudflare R2 EU replicas | EU |
| Edge / TLS / DNS | Cloudflare EU edge POPs | EU edges for customer traffic |
Guarantee
Customer prompt and completion content remain in the EU/EEA throughout their lifetime. There is no third-country processor in the active inference data path.
Exceptions
None at this time. If we ever need to add a non-EU/EEA processor for any reason, we will give advance notice, document the transfer mechanism, and update this page with a dated change-log entry.
3. Encryption
We follow defence-in-depth for encryption: in-transit at all hops, and at-rest where the underlying platform provides it. We do not maintain customer-managed keys (BYOK) at this time.
In transit
- Client -> API edge: TLS 1.3 only
  - TLS 1.2 and below disabled
  - HSTS enabled
  - Certificates rotated automatically
- API edge -> Gateway: Cloudflare tunnel / private service path
  - Origin is not exposed directly to the public internet
- Gateway -> Inference provider: TLS 1.3 (provider native)
  - Each upstream provider terminates TLS at its own endpoint
- Gateway -> Storage: TLS 1.3 where applicable
  - R2 access uses signed S3-compatible requests over TLS
  - Litestream ships SQLite snapshots and WAL segments to R2 over TLS
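The in-transit policy above (TLS 1.3 only, everything below disabled, HSTS on), expressed as an added server-side configuration check that is not part of this page or the project's code. It assumes the Python standard-library ssl module and an HSTS lifetime of one year, which the page does not state; the stock context is shown beside the hardened one so the difference is visible.

```python
"""TLS policy for the client -> API edge hop stated on this page: TLS 1.3 only,
TLS 1.2 and below disabled, HSTS enabled. Added example, not the project's own
configuration; standard-library ssl only. The HSTS lifetime and includeSubDomains
directive are assumptions (the page only says HSTS is enabled)."""
import ssl

# Protocol versions this page lists as disabled (attribute names of ssl.TLSVersion).
DISABLED_VERSIONS = ("TLSv1", "TLSv1_1", "TLSv1_2")
HSTS_MAX_AGE_SECONDS = 31536000  # assumed: one year


def default_server_context() -> ssl.SSLContext:
    """The weak setting: a stock server context still negotiates TLS 1.2."""
    return ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)


def hardened_server_context() -> ssl.SSLContext:
    """The corrected setting: refuse every protocol version below TLS 1.3.
    With this floor the TLS 1.2 suite list (RC4, 3DES, NULL / export grades)
    cannot be negotiated at all, whatever the cipher string says."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def accepted_legacy_versions(ctx: ssl.SSLContext) -> list:
    """Names from DISABLED_VERSIONS that ctx would still accept, judged by its
    minimum_version floor. An empty list means ctx meets the stated policy."""
    return [name for name in DISABLED_VERSIONS
            if getattr(ssl.TLSVersion, name) >= ctx.minimum_version]


def hsts_header() -> tuple:
    """Strict-Transport-Security header the edge should send on every response."""
    return ("Strict-Transport-Security",
            f"max-age={HSTS_MAX_AGE_SECONDS}; includeSubDomains")
```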
At rest
- Receipts (replicated copies)
  - Mechanism: Cloudflare R2 managed encryption at rest
  - Key management: Managed by Cloudflare R2
- Ledger metadata primary
  - Mechanism: SQLite primary on EU VPS volume
  - Key management: Host access controls on the primary runtime
- API credentials
  - Mechanism: Argon2id hashing with per-token salt
  - Key management: Bearer tokens are never stored in plaintext after issuance
Notes
- Prompt and completion content is processed in transient memory only and is not persisted to disk in the default path.
- The launch architecture uses a local SQLite primary on the OVHcloud VPS plus Litestream replication to Cloudflare R2. Remote libSQL/Turso is a staged future track, not the active production data path.
- Customer-managed keys and application-layer database encryption are not yet offered.
Disabled cipher suites
- TLS 1.0
- TLS 1.1
- TLS 1.2
- RC4
- 3DES
- NULL / export-grade ciphers
4. Retention
Our retention posture is encoded in Article V of our Articles of Association as a constitutional commitment, not as a marketing policy. Customer prompt and completion content is processed in transient memory. Receipts and ledger metadata are retained for seven years per CSRD evidence-retention norms.
| Asset class | Retention | Backup retention | Deletion |
|---|---|---|---|
| Customer prompt content | Transient (in-memory only; <=24h) | None | Automatic at request completion |
| Customer completion content | Transient (in-memory only; <=24h) | None | Automatic at request completion |
| Receipt (per-query environmental record) | 7 years | 7 years (replicated copies) | Automatic 7 years after creation |
| Ledger metadata (quarterly aggregates) | 7 years | 7 years | After regulatory retention period expires |
| API credentials (bearer tokens) | Until revocation | Hashed credential records retained 90 days post-revocation | On customer request or 90 days post-revocation, whichever is later |
| Account information (customer admin) | Duration of customer relationship + 7 years | Standard backup cadence | On customer request post-relationship, except where retention is legally required |
| Operational logs (request metadata) | 30 days | None beyond 30 days | Automatic rolling deletion |
Per-class notes
- Customer prompt content
  - Bodies are not written to durable storage in the default path.
- Customer completion content
  - Same posture as prompt content.
- Receipt (per-query environmental record)
  - Receipts contain no prompt or completion content. The launch replica path is SQLite primary plus Litestream copies in Cloudflare R2.
- Ledger metadata (quarterly aggregates)
  - Aggregated for ESRS E1-6, E3-1, E5-1 disclosure. No prompt or completion content.
- API credentials (bearer tokens)
  - Tokens are stored hashed. The plaintext token is available only at issuance.
- Account information (customer admin)
  - Standard B2B SaaS retention.
- Operational logs (request metadata)
  - Includes timestamp, request id, endpoint, status code, duration, and model. No prompt or completion content.
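The credential posture stated under Encryption (Argon2id with per-token salt; plaintext available only at issuance) and in the retention table (hashed records kept 90 days after revocation), as an added example that is not the project's code. It assumes a `<id>.<secret>` token format and an in-memory record layout, and substitutes the standard-library scrypt KDF for Argon2id so it runs without third-party packages.

```python
"""Bearer-token storage pattern from this page: plaintext exists only at issuance,
the stored record holds a salted hash, and hashed records of revoked tokens are
kept 90 days. Added example, not the project's code; scrypt stands in for Argon2id."""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

REVOKED_RECORD_RETENTION = timedelta(days=90)  # retention table: 90 days post-revocation


def _digest(secret: str, salt: bytes) -> bytes:
    """Memory-hard KDF over the secret with a per-token random salt."""
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class CredentialStore:
    def __init__(self) -> None:
        # Assumed record layout: token_id -> {salt, digest, revoked_at}; no plaintext field.
        self.records: dict = {}

    def issue(self) -> str:
        """Return the plaintext token exactly once; only salt and hash are stored."""
        token_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self.records[token_id] = {"salt": salt, "digest": _digest(secret, salt), "revoked_at": None}
        return f"{token_id}.{secret}"  # assumed "<id>.<secret>" wire format

    def verify(self, token: str) -> bool:
        """Re-derive with the stored salt, compare in constant time, reject revoked tokens."""
        token_id, _, secret = token.partition(".")
        rec = self.records.get(token_id)
        return bool(rec and rec["revoked_at"] is None
                    and secrets.compare_digest(rec["digest"], _digest(secret, rec["salt"])))

    def revoke(self, token_id: str, now: Optional[datetime] = None) -> None:
        self.records[token_id]["revoked_at"] = now or datetime.now(timezone.utc)

    def purge(self, now: Optional[datetime] = None) -> int:
        """Delete hashed records revoked more than 90 days before `now`; return the count."""
        now = now or datetime.now(timezone.utc)
        expired = [k for k, r in self.records.items()
                   if r["revoked_at"] and now - r["revoked_at"] > REVOKED_RECORD_RETENTION]
        for k in expired:
            del self.records[k]
        return len(expired)
```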
Opt-in extended retention
Longer receipt retention is available only by explicit written opt-in. Marketing-purpose retention is not permitted under any tier.
Deletion request
Customers may request deletion of retained data at any time by emailing [email protected]. We acknowledge within 24 hours and complete within 30 days unless statutory retention applies.
Proof of deletion
On request we provide a signed deletion certificate referencing the asset class, deletion date, deletion mechanism, and operator.
5. GDPR posture
For B2B Audit-tier API customers, Vetted Inference acts as a data processor; the customer is the data controller. For Selma consumer subscribers, Vetted Inference acts as the data controller. This page summarises both relationships and the workflows for data subject requests.
Roles
| Context | Vetted role | Customer role | Mechanism |
|---|---|---|---|
| B2B Audit-tier API | Processor | Controller | GDPR Art. 28 Data Processing Agreement (DPA) signed at contract |
| Selma consumer subscription | Controller | Data subject (the user) | GDPR Art. 13/14 information notice in the Selma privacy notice |
Data subject rights
| Right | Response target | Workflow |
|---|---|---|
| Access (Art. 15) | Within 30 days | Email [email protected] (consumer) or [email protected] (enterprise admin). Identity verification required for consumer. |
| Rectification (Art. 16) | Within 30 days | Same as access. |
| Erasure (Art. 17) | Within 30 days; deletion certificate signed | Same as access. Statutory retention exceptions documented in the response. |
| Restriction (Art. 18) | Within 30 days | Same as access. |
| Portability (Art. 20) | Within 30 days; structured JSON export | Selma exports include conversation history (where retained on-device, exported by client app), receipts, ledger entries. API exports include receipts, evidence packs. |
| Object (Art. 21) | Within 30 days | Standard. |
| Withdraw consent (Art. 7) | Immediate cessation of consent-based processing | In-app toggle for Selma; email for API. |
Controller responsibility (B2B)
For Audit-tier API customers (B2B), the customer is the controller and is responsible for handling data subject rights for end users of the customer's own product. Vetted Inference will, on request from the controller, assist in responding to data subject requests within the response targets above (per Art. 28(3)(e)). The DPA documents this assistance obligation.
Data breach notification
- To controller: We notify the customer (where they are controller) within 24 hours of awareness of a breach affecting their data.
- To authority: We notify the relevant supervisory authority (the Swedish IMY) within 72 hours of awareness, where required.
- To users: For consumer (Selma) breaches affecting individuals, direct notification to affected users within 72 hours.
Supervisory authority
Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten / IMY). Address: Box 8114, 104 20 Stockholm. Email: [email protected].
Data Protection Officer
Data Protection Officer: [email protected]
We have appointed a DPO from inception. The DPO is reachable directly; correspondence is treated as confidential under the meaning of Art. 38(5).
International transfers
Customer prompt and completion content does not leave the EU/EEA. Some operational metadata (control-plane interactions with Stripe parent and Turso control plane) reaches the US, covered by EU Standard Contractual Clauses 2021/914. We monitor the EU-US Data Privacy Framework status and will adjust as necessary; SCCs remain in place as a backstop.
6. Data Processing Agreement
The Data Processing Agreement (DPA) is the GDPR Art. 28 contractual document governing our role as processor for B2B Audit-tier API customers. The DPA is part of the service contract; signing the service contract activates the DPA. We do not require a separately signed DPA, though some customers' procurement processes do; we accommodate either flow.
Template: v1.0 (last updated )
Standard signing path
Standard path for most B2B customers
- Service contract signed (includes DPA by reference)
- DPA template attached as Annex A
- Sub-processor list attached as Annex B (live-linked to this page)
- Customer points-of-contact for breach notification recorded as Annex C
Enterprise redline path
Enterprise-tier customers may submit redlines
- Customer submits redline DPA (DOCX preferred)
- We review within 5 business days
- Areas where we hold firm: sub-processor list, retention defaults, audit cadence, EU residency, applicable law
- Areas where we negotiate: response-time SLOs, breach-notification timelines tighter than 24h, enterprise-specific Annex C contacts, custom indemnity language
- Final negotiated DPA signed via DocuSign or counter-sign-by-exchange
What is in the DPA
- Subject matter and duration of processing
- Nature and purpose of processing (inference compute and per-query environmental accounting)
- Type of personal data and categories of data subjects
- Obligations and rights of the controller
- Confidentiality obligations on processor personnel
- Security of processing (Art. 32)
- Sub-processor authorisation and notification (Art. 28(2))
- Data subject rights assistance (Art. 28(3)(e))
- Breach notification timelines (24h to controller; 72h to authority where applicable)
- Data deletion / return at end of processing
- Audit and inspection rights
- International transfer mechanisms (SCCs as required)
- Liability and indemnification
- Governing law (Sweden) and dispute resolution
Audit rights
Standard: Annual third-party audit report shared on NDA (ISO 27001 statement of applicability, sustainability assurance opinion under ISAE 3000).
Enterprise: On-site or remote audit by customer-designated auditor at customer cost; coordinated through Vetted Inference DPO with reasonable notice. Limited to one audit per twelve-month period per customer absent material change.
Contact: [email protected]
12. Steward-ownership status
Current state:
Filing status
| Item | Status | Reference |
|---|---|---|
Share classes
| Class | Description | Holder / Status |
|---|---|---|
Constitutional Commitments
References
What we are not
13. Constitution
The full text of the consumer-product Constitution (twelve principles governing Selma) is published at https://vetted.eco/governance and in the open-source repository.
The corporate Articles of Association (eight Constitutional Commitments encoded as legal text) are published at github.com/vetted-inference/infrastructure/legal.
The engineering mapping from each Article to the code that enforces it is published as ADR-0003 (Charter-to-Code).