Security & trust

Built EU-first, audited like enterprise.

EU-only hosting in Frankfurt, GDPR-compliant by default, sub-processors fully disclosed. Read what protects your data and how to reach us if something breaks.

Certifications & frameworks

Active

GDPR (DSGVO)

Full Article 28 sub-processor disclosure. DPA available on request.

Active

ISO/IEC 27001 aligned

Controls mapped to the 2022 revision; formal certification audit in progress.

Active

SOC 2 Type I-ready

Policies, change-management and access reviews in place; Type II window starting Q3 2026.

Active

BSI C5 (DE) — gap analysis

Independent gap assessment complete; remediation tracked monthly.

Active

Schrems II / EU Data Boundary

All customer data stays in EU regions. No US sub-processors for payload processing.

What we guarantee

01

EU data residency

Storage + compute in Frankfurt (DigitalOcean FRA1). Customer payloads never leave the EU.

02

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest. Per-org KMS keys on Business+.

03

Tenant isolation

Logical isolation per organization; every query is scoped to the organization at both the application-framework and database level.

04

Backups daily

Encrypted backups every 24h, 30-day retention. Restores are tested quarterly.

05

Audit logs

Every action by a member or API key is logged. Exportable on Business+.

06

SSO ready

SAML 2.0 / OIDC for SSO on Business+. SCIM provisioning on Enterprise.

07

No training on your data

Customer documents and chats are never used to train shared models.

08

Right to delete

One-click org deletion wipes all data within 72h, including backup tombstones.

Sub-processors

These are the vendors we use to deliver helpcode.ai. Every one is contracted under a GDPR-compliant DPA; non-EU vendors carry Standard Contractual Clauses.

| Vendor | Purpose | Region | Legal basis |
| --- | --- | --- | --- |
| DigitalOcean LLC | Hosting & infrastructure | DE (Frankfurt — FRA1) | GDPR-DPA + SCC |
| OpenAI Ireland Ltd. | LLM processing | EU (Dublin) | GDPR-DPA + SCC |
| Anthropic Ireland Ltd. | LLM processing | EU (Dublin) | GDPR-DPA + SCC |
| Mistral AI | LLM processing | FR (Paris) | GDPR-DPA |
| Stripe Payments Europe Ltd. | Payments & billing | EU (Dublin) | GDPR-DPA + SCC |
| Mailgun Technologies Inc. | Transactional email | EU (Frankfurt) | GDPR-DPA + SCC |

We update this list at least 30 days before adding a new processor. Email security@helpcode.ai to subscribe to change notifications.

Responsible disclosure

Found a security issue? We commit to a first response within 48 hours and to publishing a fix or mitigation under coordinated disclosure. No legal action against good-faith research.

security@helpcode.ai

Trust Center documents

Pen-test summary, SOC 2 readiness letter, architecture diagram and DPA template — available under NDA to evaluating customers and existing accounts.

Request access