TLS 1.3 in transit. AES-256 at rest.
Every connection runs TLS 1.3 with strict cipher policies. HSTS is enforced. There is no fallback. Stored documents are encrypted at rest with AES-256.
No SOC 2. No ISO 27001. No SSO. No KMS. No bug-bounty. Not "in progress", just left off. When paying customer demand justifies the audit cost, we'll start one. Until then, here's what's actually true.
Documents are processed and stored exclusively on infrastructure in the European Union. The primary is in Belgium, with Hetzner data centres in Germany and Finland. There is no cross-border replication. No US edge cache. No CDN that mirrors your PDFs.
Inference is served from machines we physically operate in Leuven, networked privately to our EU VPS. Your documents are never sent to OpenAI, Anthropic, Google, Mistral, or any external LLM provider. Those models cannot be trained on your content because no third party ever sees it.
A Data Processing Agreement is pre-signed and ships with every paid plan. Read it before you sign up. We process your documents only to provide the service; you remain the data controller; we don't share with third parties beyond the two sub-processors named below.
Hetzner for EU hosting and storage. Tailscale for private network coordination between our hardware and the EU VPS. No customer data transits Tailscale-controlled servers. That's the entire list. If we add a third, you'll hear about it before it ships.
We don't have a 24/7 NOC and we won't pretend to. We commit to best-effort acknowledgement within 24 hours of a confirmed incident, a named contact in the same email, and a written post-mortem inside two weeks. SOC 2, advanced RBAC, and SSO are on the roadmap. We'll start that work when paying customer demand justifies it, not before.
If a third sub-processor is ever added, we'll notify every paying customer by email at least 30 days before any customer data flows through it.
| Provider | Region | Purpose |
|---|---|---|
| Hetzner Online GmbH | DE · FI | Hosting, storage, and database services for the Attera application and customer documents. EU-only data centres (Falkenstein, Germany · Helsinki, Finland); no replication outside the EU. |
| Tailscale Inc. | Coordination only | Private network coordination between our owned hardware (Leuven) and the EU VPS. Tailscale's servers handle key exchange and NAT traversal. Customer data does not transit them. |
No CDN. No edge cache. No analytics provider. No third-party LLM API. No marketing-tag manager.
Don't take our word for it. The whole point of the list is that it's checkable. Each claim above is something a careful buyer can confirm independently in under five minutes, without an NDA or a sales call. The same approach Attera's product takes with your financial figures is the one we take with our security posture: cite, don't promise.
Anything not on the list isn't quietly true. It's not true. If you need a control that isn't here, tell us and we'll be honest about whether and when it ships.
Run `testssl.sh attera.io` or visit ssllabs.com. Expect TLS 1.3, A or A+ grade, HSTS preload-eligible.
`dig attera.io` resolves to Hetzner allocations registered to RIPE. Verifiably European.
Full text is public. No NDA. No "request access" form.
We'll join a call from the workstation. The model file is on disk; we'll walk you through where your documents enter and leave the process.
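The TLS and HSTS check above can also be scripted and re-run on a schedule. This is an added example, not Attera's code: the function names are hypothetical, it reads "no fallback" as "a TLS 1.2 handshake is refused", and it applies the hstspreload.org submission rules for preload eligibility. It assumes `openssl` (1.1.1 or later) and `curl` are installed.

```sh
#!/bin/sh
# Added example (not Attera's code): check the page's TLS and HSTS claims.
# Function names are hypothetical. Usage: sh check.sh attera.io

# Return 0 if a Strict-Transport-Security value meets the hstspreload.org
# submission rules: max-age >= 31536000, includeSubDomains, preload.
hsts_preload_eligible() (   # subshell body keeps the variables local
  max_age='' has_sub=0 has_preload=0
  # Directive names are case-insensitive; drop whitespace and quotes.
  rest="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' \t\r"');"
  while [ -n "$rest" ]; do
    d=${rest%%;*}; rest=${rest#*;}
    case "$d" in
      max-age=*) max_age=${d#max-age=} ;;
      includesubdomains) has_sub=1 ;;
      preload) has_preload=1 ;;
    esac
  done
  case "$max_age" in ''|*[!0-9]*) max_age=0 ;; esac   # missing or malformed
  [ "$max_age" -ge 31536000 ] && [ "$has_sub" -eq 1 ] && [ "$has_preload" -eq 1 ]
)

# Return 0 if the server completes a handshake pinned to one protocol
# version ($2 is -tls1_2 or -tls1_3). A refused handshake prints
# "Cipher is (NONE)", which the pattern does not match.
tls_version_accepted() {
  openssl s_client -connect "$1:443" -servername "$1" "$2" </dev/null 2>/dev/null |
    grep -q 'Cipher is [A-Z0-9]'
}

check_host() {
  rc=0
  tls_version_accepted "$1" -tls1_3 || { echo "FAIL: TLS 1.3 not negotiated"; rc=1; }
  if tls_version_accepted "$1" -tls1_2; then
    echo "FAIL: TLS 1.2 handshake accepted"; rc=1
  fi
  hsts=$(curl -sI "https://$1/" | tr -d '\r' |
    sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity: *//p' | head -n 1)
  hsts_preload_eligible "$hsts" || { echo "FAIL: HSTS not preload-eligible: '$hsts'"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: TLS 1.3 only, HSTS preload-eligible"
  return "$rc"
}

# Constructed sample header value, checked offline.
hsts_preload_eligible 'max-age=63072000; includeSubDomains; preload' && echo "sample header: eligible"
# Live checks need a hostname argument; without one nothing touches the network.
if [ "$#" -gt 0 ]; then check_host "$1"; fi
```

A non-zero exit status from `check_host` means at least one claim did not hold at the time of the run, so the script can gate a vendor-review checklist or a cron alert.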