GDPR compliance

ProofEU was built from day one for European companies subject to the General Data Protection Regulation. Here is exactly what we do — and don't do — with your data.

Data location

Database: Turso SQLite Cloud, Dublin (Ireland) region (EU). No automatic replication to servers outside the EEA.

Application server: Vercel Edge Network, with Dublin (Ireland) as the preferred region. European requests are processed in Europe.

File storage: No user files stored outside the EEA. Project logos are hashed and stored in the Dublin (Ireland) database.

Data security

In transit: TLS 1.3 on all connections (HTTPS enforced, HSTS enabled).

At rest: AES-256 encryption of the Turso database at the disk level.

Passwords: Hashed with bcrypt (cost factor 12). Never stored in plain text.

Tokens: Collection and access tokens are cryptographically random UUID v4 values.

Data we collect

ProofEU only collects the data necessary to run the service (data minimization):

  • The account administrator's email and hashed password
  • The end customer's name, role, company and testimonial (entered by them)
  • Testimonial creation timestamps

No third-party tracking cookies. No Facebook/Google pixel. No external behavioral analytics tool.

Data subject rights

ProofEU honors all rights granted by the GDPR (Art. 15 to 22):

  • Access and portability: CSV export of all your testimonials from the dashboard or via the API (Pro plan).
  • Rectification: Testimonials can be edited from the dashboard.
  • Erasure: Delete a testimonial or an account from the dashboard. Complete data deletion within 30 days.
  • Objection: Email privacy@proofeu.com for any request.

Data Processing Agreement (DPA)

As a processor of your customer data (the testimonial authors), ProofEU provides a Data Processing Agreement (DPA) compliant with Article 28 of the GDPR.

This agreement defines our obligations as a processor, the security measures implemented, and the procedures in case of a data breach.

Download the DPA

Sub-processors

ProofEU relies on the following sub-processors, all GDPR-compliant:

Sub-processor | Purpose | Region
Turso (ChiselStrike) | Cloud SQLite database | Dublin (Ireland), EU
Vercel Inc. | Application hosting | Dublin (Ireland), EU (preferred)
Lemon Squeezy | Payment (merchant of record) | EU

For any question about data protection, contact us at privacy@proofeu.com. We commit to responding within 72 hours.