Security & Compliance
Last reviewed Feb 2026

EU-hosted. GDPR-ready.
Built for compliance.

SocialRouter runs entirely within the European Economic Area. Your data never leaves EU borders — not for storage, not for processing, not for backups. Infrastructure, encryption, and audit trails designed for regulated industries.

EU data residency
AES-256 encryption
7-year audit retention
GDPR Art. 28 DPA

Every control,
verified.

We maintain a security baseline that every deployment must pass before serving production traffic. Controls are audited on every release — not just at certification time.

  • Controls audited on every release
  • Automated drift detection in CI/CD
  • Results published on status.socialrouter.eu
security-baseline.sh (live)

$ socialrouter security verify --baseline
  EU-only data residency
  AES-256-GCM at rest
  TLS 1.3 in transit
  GDPR Art. 28 DPA available
  7-year immutable audit logs
  Scoped API key model
  72h breach notification
  Zero-knowledge credential storage
ALL CHECKS PASSED 8/8

Security by design.

Six pillars that make SocialRouter safe for financial services, healthcare, and regulated industries.

Data Residency

  • All data stored in EU (Frankfurt / Amsterdam)
  • No processing outside the EEA
  • Backups replicated within EU boundaries
  • Contractual data residency guarantees

Encryption

  • AES-256-GCM encryption at rest
  • TLS 1.3 minimum on all endpoints
  • HSTS enforced on all hosts; HPKP pins on key routes (HPKP is deprecated and no longer honoured by major browsers, so HSTS is the effective client-side control)
  • OAuth tokens encrypted with per-tenant keys
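
As an added example (this is not SocialRouter's code, and the product's actual key management is not described beyond the bullets above), the following Go program shows the pattern those bullets name: OAuth tokens sealed with AES-256-GCM under a per-tenant key, with the tenant ID and key version bound in as associated data so a blob moved to another tenant or relabelled with another key version fails to open, plus a versioned key ring so keys can be rotated without a decryption outage. The type and function names and the sample token are illustrative assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	keyLen   = 32 // AES-256
	nonceLen = 12 // standard GCM nonce size
)

// TenantKeyRing holds one tenant's AES-256 keys indexed by version.
// Retired versions are kept so ciphertext sealed before a rotation still
// opens; new seals always use Current. (Illustrative type, not the product's.)
type TenantKeyRing struct {
	TenantID string
	Keys     map[uint32][]byte
	Current  uint32
}

func randomKey() ([]byte, error) {
	k := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// NewTenantKeyRing creates a ring with a single key, version 1.
func NewTenantKeyRing(tenantID string) (*TenantKeyRing, error) {
	k, err := randomKey()
	if err != nil {
		return nil, err
	}
	return &TenantKeyRing{TenantID: tenantID, Keys: map[uint32][]byte{1: k}, Current: 1}, nil
}

// Rotate adds a fresh key as the new Current version. Old versions stay
// readable, so rollover causes no decryption failures for existing tokens.
func (r *TenantKeyRing) Rotate() error {
	k, err := randomKey()
	if err != nil {
		return err
	}
	r.Current++
	r.Keys[r.Current] = k
	return nil
}

// aad binds a ciphertext to the tenant and the key version it was sealed under.
func (r *TenantKeyRing) aad(version uint32) []byte {
	v := make([]byte, 4)
	binary.BigEndian.PutUint32(v, version)
	return append([]byte(r.TenantID), v...)
}

func (r *TenantKeyRing) gcm(version uint32) (cipher.AEAD, error) {
	k, ok := r.Keys[version]
	if !ok {
		return nil, fmt.Errorf("tenant %s: unknown key version %d", r.TenantID, version)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealToken encrypts an OAuth token under the current key.
// Wire format: 4-byte key version || 12-byte nonce || AES-256-GCM ciphertext+tag.
func (r *TenantKeyRing) SealToken(token []byte) ([]byte, error) {
	g, err := r.gcm(r.Current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 4, 4+nonceLen+len(token)+g.Overhead())
	binary.BigEndian.PutUint32(out, r.Current)
	out = append(out, nonce...)
	return g.Seal(out, nonce, token, r.aad(r.Current)), nil
}

// OpenToken reverses SealToken, selecting the key by the version header.
func (r *TenantKeyRing) OpenToken(blob []byte) ([]byte, error) {
	if len(blob) < 4+nonceLen {
		return nil, errors.New("ciphertext too short")
	}
	version := binary.BigEndian.Uint32(blob[:4])
	g, err := r.gcm(version)
	if err != nil {
		return nil, err
	}
	nonce, ct := blob[4:4+nonceLen], blob[4+nonceLen:]
	return g.Open(nil, nonce, ct, r.aad(version))
}

func main() {
	a, _ := NewTenantKeyRing("tenant-a")
	b, _ := NewTenantKeyRing("tenant-b")
	tok := []byte("ya29.constructed-sample-access-token") // constructed sample token
	blob, _ := a.SealToken(tok)
	_ = a.Rotate() // new seals use v2; the v1 blob must still open
	got, err := a.OpenToken(blob)
	fmt.Println(bytes.Equal(got, tok), err)
	_, err = b.OpenToken(blob) // other tenant's ring: authentication fails
	fmt.Println(err != nil)
}
```

The version prefix is what makes rotation downtime-free: writers switch to the new key immediately, readers keep opening old blobs, and a background job can re-seal stored tokens at its own pace before the old version is finally dropped from the ring.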

Access Control

  • Scoped API keys with least-privilege model
  • Per-user and per-key permission granularity
  • Key rotation without downtime
  • IP allowlist per API key (Enterprise)

Audit Logging

  • 7+ year retention per EU accounting rules
  • WORM-compliant immutable log storage
  • Every API call, auth event, and config change
  • Export in CSV / JSON for compliance audits

GDPR Compliance

  • Data Processing Agreement (DPA) available
  • Right to erasure fulfilment pipeline
  • Data portability export on request
  • Privacy-by-design architecture throughout

Incident Response

  • 72-hour breach notification (GDPR Art. 33)
  • Security team on-call 24/7
  • Responsible disclosure program
  • Post-incident public reports

European Hosting
Microsoft Azure — EU regions only
  • Frankfurt, DE: primary region (Germany West Central)
  • Amsterdam, NL: failover region (West Europe)

Data sovereignty guaranteed by contract. No replication to third countries per GDPR Chapter V.

Infrastructure

Your data never
crosses EU borders.

We operate exclusively on Microsoft Azure within EU regions. Primary compute in Frankfurt, with automated failover to Amsterdam. Every database, every object store, every log stream — EU-only.

  • Geo-redundant storage within EEA only
  • Azure confidential computing where available
  • No CDN caching of personal data
  • Tenant isolation via dedicated VNet per account

GDPR isn't a checkbox.
It's our default.

DPA Available

Art. 28-compliant Data Processing Agreement included for all paid plans.

Data Portability

Request a full export of your data in machine-readable format at any time.

Right to Erasure

Deletion requests processed within 30 days, with written confirmation.

72h Notification

Breach notification to supervisory authority within 72 hours per Art. 33.

Roadmap

SOC 2 Type II
in progress.

We're working towards SOC 2 Type II certification. Until then, EU data sovereignty, our Art. 28 DPA and GDPR compliance give most European customers the assurances they need.

Expected audit window: Q4 2026. Need a security questionnaire? Contact us.

  • Security policies documented
  • Audit logging infrastructure
  • Vendor risk assessment
  • Formal penetration test
  • SOC 2 Type I audit
  • SOC 2 Type II audit

Security questions?
We have answers.

Share your security questionnaire, request our DPA, or book a call with our infrastructure team.