eu-only · gdpr from day 1
Frankfurt.
SCC-secured.
Mirror is built EU-first. Data lives primarily in Frankfurt (eu-central-1). Certain calls — AI inference, payments, auth — go to US-based sub-processors (Anthropic, Stripe, Clerk) under EU Standard Contractual Clauses. Your data is not used to train models: training is off by default and requires explicit consent.
Region
EU
Frankfurt only
Encryption
AES-256
at rest + TLS 1.3 transit
Training
Opt-in
off by default · never without consent
four principles
Security is not
an add-on.
01
Data lives in the EU
Frankfurt primary region. Backup managed by Neon — data stays within the EU. US-based sub-processors (Anthropic, Clerk, Stripe) operate under EU SCC contracts — see /legal/sub-processors.
02
Encrypted all the way
TLS 1.3 in transit. AES-256 at rest via Neon/AWS managed infrastructure. Field-level encryption for PII fields is on the Enterprise roadmap.
03
Training: opt-in
Your meetings and messages are not used to train LLMs — neither ours nor Anthropic's — unless you explicitly choose to. Default: off (opt-in). Inference logs are discarded after 24h at the vendor.
04
Audit trail on everything
Auth events logged via Clerk. Application logs retained via Vercel. Full immutable audit trail with SIEM export is on the Enterprise roadmap.
data architecture
Three layers.
Three controls.
Every request touching your data passes three controls: Auth (Clerk + SSO on Enterprise), tenant isolation (user-scoped data access), and application logging.
01 · Auth
Clerk · MFA available · SSO/SAML on Enterprise · session rotation after inactivity
02 · Isolation
User-scoped queries — every data access is isolated by authenticated user ID. Cross-tenant access is architecturally prevented. Per-team encryption keys are on the Enterprise roadmap.
03 · Audit
Auth events and critical actions logged. Full immutable audit log with retention guarantees is on the Enterprise roadmap.
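The isolation control above (every data access bound to the authenticated user ID) is the part of this architecture a reviewer will want to see in code. The block below is an added illustration, not Mirror's own code: it assumes an authenticated session carrying a verified userId (as an auth provider such as Clerk would supply after verifying the session) and uses a constructed in-memory store in place of the database. It contrasts an unscoped lookup that trusts a client-supplied id (the broken object-level authorization pattern) with a repository that applies the owner filter inside the data layer, so a handler cannot forget it.

```typescript
// Added example (not Mirror's code): tenant isolation via user-scoped data access.
// Assumptions: Session.userId has already been verified by the auth layer;
// NOTES is a constructed in-memory stand-in for the database.

type Session = { userId: string };
type Note = { id: string; ownerId: string; body: string };

// Constructed sample data: two tenants, three records.
const NOTES: Note[] = [
  { id: "n1", ownerId: "user_a", body: "A's meeting notes" },
  { id: "n2", ownerId: "user_a", body: "A's follow-ups" },
  { id: "n3", ownerId: "user_b", body: "B's private notes" },
];

// Unscoped lookup: trusts the client-supplied id alone. A request for "n3"
// arriving from user_a returns user_b's record. Shown only as the pattern the
// scoped repository below is designed to rule out.
function findNoteUnscoped(id: string): Note | undefined {
  return NOTES.find((n) => n.id === id);
}

// Scoped repository: every query is bound to the user ID taken from the
// authenticated session, never from request parameters. Because the filter
// lives in the data layer, cross-tenant reads and writes are not expressible
// through this interface.
function scopedRepo(session: Session) {
  const owner = session.userId;
  return {
    list(): Note[] {
      return NOTES.filter((n) => n.ownerId === owner);
    },
    get(id: string): Note | undefined {
      // Another tenant's id yields undefined, indistinguishable from
      // "not found", so the response also does not reveal which ids exist.
      return NOTES.find((n) => n.id === id && n.ownerId === owner);
    },
    update(id: string, body: string): boolean {
      const note = NOTES.find((n) => n.id === id && n.ownerId === owner);
      if (!note) return false;
      note.body = body;
      return true;
    },
  };
}

// A request handler resolves the session first and only then touches data.
function handleGetNote(session: Session, requestedId: string): Note | undefined {
  return scopedRepo(session).get(requestedId);
}
```

The same filter can additionally be enforced by the database itself (for example Postgres row-level security keyed on the session's user ID), which gives a second layer if an application query path ever bypasses the repository.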
compliance status
Where we stand.
No marketing spin.
GDPR
Live
DPA available · all rights respected
ISO 27001
In progress
Audit Q3 2026 · controls being implemented
SOC 2 Type II
Roadmap
Q4 2026 · audit firm selected
NIS2
Compliant
EU directive · sector: digital service
Status as of May 2026. ISO 27001 and SOC 2 audit reports are available on request once the audits are completed.
questions · answers
What your lawyers
will ask about.
Where exactly is the data?
Application data: Frankfurt (eu-central-1). Backup managed by Neon — data stays within the EU. Certain features — AI models, auth, payments, email — use US-based sub-processors under EU Standard Contractual Clauses (SCC). Full transparency: /legal/sub-processors.
Who has internal access?
Mirror employees cannot see customer data without a log entry and an open ticket. Production access requires MFA and is audited.
What happens if you shut down?
30-day export window. You receive a database dump in open format (JSON + Parquet). No lock-in at the data layer.
Do you train on our messages/meetings?
Default: no. Your meetings and messages are not used for model training unless you explicitly choose to share them. It's opt-in — not opt-out. Anthropic discards inference logs after 24h and does not train on API calls from customers either. See SCC terms: /legal/sub-processors.
DPA?
We enter into a DPA with all customers who process personal data via Mirror. Documents are publicly available.
need a DPA?
Our standard DPA covers 95% of questions. Custom clauses possible on Enterprise.
security@mirrorsub.com →
your rights · gdpr articles 15-17
Your data.
Your right.
You have the right to access, rectify and delete your personal data. Fill in the form and we respond within 30 days (GDPR requirement).
what happens?
Your data is deleted from all systems (production + backup) within 30 days of request. You will receive email confirmation.
GDPR Article 17 · Right to erasure
ready for the next deal
Built in Europe.
Hosted in Frankfurt.
7-day free trial with full Pro access. Credit card required; nothing is charged during the first 7 days.
hosting
Frankfurt · EU-primary
data
EU-hosted · SCC-secured
compliance
GDPR · NIS2 · SOC2 path