Trust & Security

Built so your data never has to leave the EU.

Self-hosted infrastructure. No third-party processors in the audit pipeline. GDPR-ready by default. This page documents exactly how we handle your data, who has access, and what we do when something goes wrong.

Security questions: [email protected]

How we handle your data

EU-hosted, self-hosted Supabase

All customer data lives in our self-hosted Supabase cluster on Hetzner infrastructure in Germany. We don't use Supabase.com or any other third-party SaaS for storage. You're never one shared cloud provider away from a data-residency conversation.

No third-party processors in the audit pipeline

Your audited URLs and findings stay in our infrastructure. We don't ship audit data to OpenAI, Anthropic, or any third party for processing the report — only the AI agent's vision calls go to Anthropic Claude (no audit findings or user data attached).

GDPR-ready by default

We process the minimum personal data required to run the service (email, billing). Right to access, export, and delete is implemented in-product. Data Processing Agreement available on request — talk to us if your procurement team needs it.

Encryption at rest and in transit

TLS 1.3 on every connection. Database encryption at rest (AES-256). Customer audit data and credentials encrypted with per-customer key derivation. Audit screenshots stored in encrypted object storage with signed-URL access.

Sub-processors

Complete list of vendors involved in delivering UXAudit.Now. We notify Enterprise customers in writing 30 days before adding a new sub-processor.

Vendor | Purpose | Region | Required
Stripe | Payment processing | EU + US | Required
Anthropic Claude API | AI Audit Agent vision calls (no audit findings attached) | US (transient) | Required
Hetzner | Server hosting + storage | Germany (EU) | Required
Cloudflare | DNS + DDoS protection (no plaintext data) | Global | Required
Mailgun | Transactional email | EU | Required
Google Tag Manager / Microsoft Clarity | Marketing analytics on uxaudit.now (the landing site only) | US | Optional (opt-out available)

Compliance & certifications

GDPR (EU)

✓ Implemented

Data residency, right to export, right to erasure, DPA on request

KVKK (Türkiye)

✓ Implemented

Equivalent to GDPR scope

SOC 2 Type II

On roadmap

Targeting 2026 H2 — talk to us if you need an interim attestation

HIPAA

Not applicable

We don't process protected health information

WCAG 2.1 AA

✓ Our own product audited at AA

We use our own a11y plugin on every release

Security FAQ

Can I self-host UXAudit.Now inside my own infrastructure?

Yes — we ship a self-contained Helm chart for Enterprise customers. The full stack (audit engine + Supabase + worker) runs inside your Kubernetes cluster, no outbound calls except the optional Anthropic Claude API for the AI Agent (you can supply your own key). Talk to us to scope.

Do you train any AI models on our audit data?

No. Customer audit URLs, findings, screenshots, and report content are never used to train any model — ours or a third party's. The Anthropic API calls we make use Claude's no-training enterprise endpoints.

Where are audit screenshots stored?

In our object storage in Germany, alongside the rest of the Supabase cluster. Screenshots are accessed via signed URLs scoped to the audit's owning user/workspace, with short expiry. They're deleted within 30 days of account deletion.

How do you handle a security incident?

Our incident-response runbook commits to: customer notification within 72 hours of a confirmed incident, status-page disclosure for service impact, and a published post-incident review. Report a suspected issue to [email protected]; we triage same-day.

Can you sign our DPA / vendor security questionnaire?

Yes to both. We have a standard DPA we'll countersign, and we'll complete reasonable vendor security questionnaires for Enterprise customers. For Free / Starter / Pro, our published Trust page + Terms cover the scope.

Do you have a bug bounty / responsible disclosure program?

Responsible disclosure: report findings to [email protected] and we'll acknowledge within 48 hours. A formal bug bounty is on the roadmap. We don't pay bounties today but we'll publicly credit researchers who report verified findings (with their permission).

Need our DPA or a security questionnaire?

We respond to procurement requests within 1 business day. Send your questionnaire or a request for the DPA and we'll turn it around fast.

Stop guessing. Start auditing.

Run your first UX audit in 5 minutes. No credit card. 30 free credits to explore every platform — SaaS, E-Commerce, Corporate, Landing pages, and Conversational AI.
