Trust Center

Your customers' data. In Europe. Under your terms.

Mignuti Chatbot is built for B2B from day one — every architectural decision starts with "would a DSGVO-officer sign this off?". Below: how the system works, where the bytes live, who else touches them, and the legal scaffolding around it.

Architecture Subprocessors TOMs Legal

✓ Compliant

DSGVO / GDPR

Art. 28 DPA available

✓ Compliant

EU-AI-Act

Article 50 disclosure

◷ Roadmap

ISO 27001

Audit planned

◷ Roadmap

SOC 2 Type II

Audit 2027

Where every byte goes

From the moment a visitor types a question until the answer reaches them — drawn to scale.

Every component inside the dashed frame runs in EU data centres. LLM inference is performed by Anthropic PBC (USA) — safeguarded by the EU-US DPF + EU SCCs 2021/914, with personal data automatically redacted beforehand. Cross-region replication is opt-in, not default.

Subprocessors

Subscribe to changes via your Compliance settings — you'll get 30 days notice before any change takes effect.

Processor	Purpose	Region	Transfer	DPA
Supabase (EU)	Database, Auth, Edge Functions, Storage	Frankfurt (eu-central-1)	Intra-EU	View DPA
Anthropic PBC	LLM inference (Claude Haiku 4.5)	USA	EU-US DPF + EU-SCCs 2021/914	View DPA
Microsoft Azure OpenAI	Embeddings (text-embedding-3-small) + LLM fallback (GPT-4o-mini)	Sweden Central — EU data zone	Intra-EU	View DPA
Stripe	Payment processing	Ireland (Stripe Payments Europe Ltd.)	Intra-EU	View DPA
Cloudflare	CDN + DDoS protection (widget delivery)	Global anycast, EU PoPs	SCCs + EU IDTA	View DPA

Technical & Organisational Measures (TOMs)

The eight pillars we hold ourselves to. Each is verified by an automated test or external audit.

Multi-Tenant Isolation

Row-Level Security (RLS) on every customer-data table. Default DENY — explicit grants only. Tenant-isolation is verified by automated test-suite running on every PR.

EU Data Residency

Database, file storage, the vector database and embedding inference all run in the EU (Frankfurt + Azure EU data zone, Sweden Central). Only the primary LLM inference runs at Anthropic PBC (USA) — safeguarded by the EU-US Data Privacy Framework + EU SCCs 2021/914; personal data is automatically redacted before transfer (PII redaction).

Encryption

TLS 1.3 in transit, AES-256 at rest, bcrypt for widget secrets. JWT tokens are HS256-signed and bound to the originating IP-hash.

Prompt-Injection Defence

User-content is enveloped in <source> markers, control-characters are stripped, and 12 known injection patterns are blocked at the Edge layer before they reach the LLM.

PII Redaction

Optional Microsoft Presidio integration redacts emails, phone numbers, IBAN and credit-card numbers from logs and embeddings before they leave the request lifecycle.

Audit Logging

Every privileged action writes an append-only entry. Retention 2 years operational, 7 years for compliance-relevant events. Read-only via service-role.

EU-AI-Act Compliance

Article 50 disclosure shown on every chat session — unblockable, contractually fixed. Bot identifies as AI in the welcome line and in the persistent footer banner.

GDPR Self-Service

End-users can delete their conversation history without an account via a per-session token. Org owners get one-click data exports and a 30-day cooling-off period before account deletion.

Legal documents

All current versions. Older versions on request.

Data Processing Addendum (DPA)

Art. 28 GDPR · current version

→

EN · DE

→

B2B · liability cap 12mo fees

→

EU-AI-Act Disclosure

Article 50 obligations

→

Subprocessor list (canonical)

Updated within 24h of changes

→

VPAT 2.5 / Accessibility Statement

WCAG 2.2 AA · EAA 2025

→

Security & compliance FAQ

The ten questions every DPO and CISO asks before signing.

Where exactly do you store customer data?

Postgres, file storage and the vector database: AWS Frankfurt (eu-central-1) via Supabase. Embedding inference (text-embedding-3-small) runs on Azure OpenAI in the EU data zone (Sweden Central). Only the primary LLM (Claude Haiku 4.5) runs at Anthropic PBC (USA) — safeguarded by the EU-US Data Privacy Framework + EU SCCs 2021/914, with personal data automatically redacted before transfer. Fallback LLM: Azure Sweden Central. Widget delivery: Cloudflare anycast with EU PoPs. All stored platform data remains in the EU.

Does the LLM provider train on our data?

No. Anthropic and Azure OpenAI both have explicit no-training-on-API-data terms. Our DPA cascades these obligations. Provider-side retention of inputs and outputs follows the Anthropic Commercial Terms; personal data is redacted before any LLM call.

How is my data isolated from other tenants?

Postgres Row-Level-Security on every customer table, Default DENY. Tenant isolation is verified by an automated test-suite running on every PR (RLS-tenant-isolation.test.ts). The pgvector retrieval RPC is session-scoped — a stolen JWT cannot query embeddings outside its bound project_id.

How do you handle PII inside chat messages?

Optional Microsoft Presidio integration redacts emails, phone numbers, IBAN, credit-card numbers, German tax-IDs and 14 other regex-matched PII categories from logs and embeddings BEFORE they reach the LLM. End-users are warned in the permanent Article 50 disclosure banner (contractually fixed in our TOS) not to share sensitive data.

What happens if you have a security incident?

Notification within 72 hours per Art. 33 GDPR to your DPO email on file. Service-status updates on /status (5-minute sampling). Post-mortem published within 14 days for any P1 incident affecting customer data.

Can the bot leak our internal data via prompt injection?

User inputs are wrapped in <source> sentinel tags and 12 known injection patterns are blocked at the Edge layer. Output is validated against a canary token — if the LLM echoes our system prompt, the response is blocked client-side. Prompt-injection-test.ts runs on every PR with 8 attack vectors.

Are you SOC 2 / ISO 27001 certified?

On the roadmap: ISO 27001 audit Q3 2026, SOC 2 Type II audit 2027. Today we operate under TOMs aligned to those frameworks but without the external-auditor stamp. For early-stage customers we accept this; for regulated industries, please reach out before signing.

Can our DPO get a custom DPA with our forms?

Yes, Pro and Agency plans. Our standard DPA is at /en/legal/dpa and matches Art. 28 GDPR + EU SCCs. For your custom form, mail it to dpo@mignuti.com — we sign within one business day on weekdays.

What about end-user data subject rights (Art. 15-22)?

Self-service in the dashboard: 1-click data-export (signed-URL, 60s validity) and account-deletion with 30-day grace period. End-users can delete their conversation history without logging in via a per-session delete-token shown in the widget footer — no login required.

What happens to our data if Mignuti Chatbot shuts down?

Contractually: 90-day notice + final data export. Practically: every customer can self-export PDFs + conversations + Q&A pairs as JSON/CSV at any time, no support call needed. Source code escrow available on Enterprise plans.

Need a custom DPA or a security questionnaire?

Reply within 1 business day on weekdays.

dpo@mignuti.com