Security at ACF Compliance
ACF Compliance® handles ultra-sensitive data: enterprise AI inventories, high-risk classifications, DPIAs and legal Submission Files. We apply a rigorous security posture, calibrated to the expectations of CIOs, CISOs, DPOs and operational counsels.
Six pillars, one standard
EU sovereign hosting
Platform hosted on Vercel (Frankfurt, Germany) and Supabase EU (Frankfurt) on AWS eu-central-1 infrastructure. Option for sovereign French hosting (OVHcloud / Scaleway) in the Enterprise catalogue.
End-to-end encryption
AES-256-GCM at rest for all sensitive data and integration tokens. TLS 1.3 in transit, HSTS preload, short-lived certificates. Application secrets sealed by a derived master key, never exposed client-side.
Ed25519 audit chain
Every major compliance decision (AI Act classification, DPIA generation, Submission File transmission) is timestamped and cryptographically signed (SHA-256 hash, Ed25519 signature). The chain can be verified independently via the public API.
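To make the mechanism concrete, here is an added example (not ACF Compliance's own code; the record layout, seed and sample events are constructed assumptions) of a hash-chained audit log in Go: each entry is SHA-256 hashed over its content plus the previous entry's hash, the hash is signed with Ed25519, and a verifier holding only the public key can detect a modified, removed or reordered entry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AuditEntry is one record of the chain. The field set is an assumption for
// this example; the platform's real record layout is not documented on the page.
type AuditEntry struct {
	Seq       int    // position in the chain, starting at 0
	Timestamp string // RFC 3339 UTC
	OrgID     string
	Event     string // e.g. "ai_act_classification"
	Payload   string // decision details (constructed sample text)
	PrevHash  string // hex SHA-256 of the previous entry (zeros for the first)
	Hash      string // hex SHA-256 over all fields above
	Signature string // hex Ed25519 signature over the raw hash bytes
}

var genesisHash = hex.EncodeToString(make([]byte, sha256.Size))

// canonical is the exact byte string that gets hashed. Every verifier must
// derive the same bytes, so the field order and separator are fixed.
func canonical(e AuditEntry) []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%s|%s|%s",
		e.Seq, e.Timestamp, e.OrgID, e.Event, e.Payload, e.PrevHash))
}

// Append links a new entry to the last hash, hashes it and signs the hash.
func Append(chain []AuditEntry, priv ed25519.PrivateKey, ts time.Time,
	org, event, payload string) []AuditEntry {
	prev := genesisHash
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	e := AuditEntry{Seq: len(chain), Timestamp: ts.UTC().Format(time.RFC3339),
		OrgID: org, Event: event, Payload: payload, PrevHash: prev}
	sum := sha256.Sum256(canonical(e))
	e.Hash = hex.EncodeToString(sum[:])
	e.Signature = hex.EncodeToString(ed25519.Sign(priv, sum[:]))
	return append(chain, e)
}

// Verify needs only the public key. It returns -1 and nil when every entry
// hashes correctly, links to its predecessor and carries a valid signature;
// otherwise the index of the first bad entry and the reason.
func Verify(chain []AuditEntry, pub ed25519.PublicKey) (int, error) {
	prev := genesisHash
	for i, e := range chain {
		if e.Seq != i {
			return i, errors.New("sequence gap: an entry was removed or reordered")
		}
		if e.PrevHash != prev {
			return i, errors.New("broken link to previous entry")
		}
		sum := sha256.Sum256(canonical(e))
		if hex.EncodeToString(sum[:]) != e.Hash {
			return i, errors.New("content was modified after hashing")
		}
		sig, err := hex.DecodeString(e.Signature)
		if err != nil || !ed25519.Verify(pub, sum[:], sig) {
			return i, errors.New("signature invalid for this content")
		}
		prev = e.Hash
	}
	return -1, nil
}

// BuildSampleChain produces a three-entry chain from a fixed, constructed seed
// so the run is deterministic. Never derive a production key this way.
func BuildSampleChain() ([]AuditEntry, ed25519.PublicKey) {
	seed := []byte("acf-example-seed-not-for-production!")[:ed25519.SeedSize]
	priv := ed25519.NewKeyFromSeed(seed)
	t0 := time.Date(2026, 5, 21, 9, 0, 0, 0, time.UTC)
	var chain []AuditEntry
	chain = Append(chain, priv, t0, "org-42", "ai_act_classification", "system=cv-screening;risk=high")
	chain = Append(chain, priv, t0.Add(time.Minute), "org-42", "dpia_generated", "dpia_id=dpia-0001")
	chain = Append(chain, priv, t0.Add(2*time.Minute), "org-42", "submission_file_sent", "file_id=sf-0007")
	return chain, priv.Public().(ed25519.PublicKey)
}

func main() {
	chain, pub := BuildSampleChain()
	idx, err := Verify(chain, pub)
	fmt.Println("intact chain: first bad index", idx, "error", err)
	tampered := append([]AuditEntry(nil), chain...)
	tampered[1].Payload = "dpia_id=dpia-9999" // edited after signing
	idx, err = Verify(tampered, pub)
	fmt.Printf("tampered chain: entry %d rejected: %v\n", idx, err)
}
```

Two properties follow from the construction: editing any field forces a new hash, which the signature then rejects, and removing an inner entry breaks both the sequence number and the previous-hash link. What this scheme cannot detect on its own is silent truncation of the newest entries, or a rewrite by whoever holds the signing key; that is exactly the gap an external qualified timestamp (next pillar) or a published chain head closes.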
Qualified eIDAS timestamping (optional)
For documents requiring stronger legal weight, qualified RFC 3161 timestamping is available as an Enterprise option through a recognised European QTSP (eIDAS art. 42). The seal is recognised before EU jurisdictions.
OAuth 2.0 + PKCE across 9 connectors
Native connectors for Google Workspace, Microsoft 365, Microsoft Teams, Slack, Notion, Jira, Asana, HubSpot and Salesforce. OAuth 2.0 with PKCE and minimum read-only scopes; tokens are encrypted in the database, rotated automatically, and never read or manipulated client-side.
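The PKCE step that protects these connector authorisations, as an added Go example that is not ACF Compliance's code: the client generates a random code_verifier, sends its S256 challenge with the authorization request, and the authorization server only releases tokens when the verifier presented at the token endpoint hashes back to the stored challenge. The AuthCodeRecord type is a constructed stand-in for whatever the server keeps against an issued code.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// NewCodeVerifier draws 32 random bytes and base64url-encodes them without
// padding, giving a 43-character verifier in the RFC 7636 unreserved set.
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// S256Challenge computes BASE64URL-ENCODE(SHA256(ASCII(code_verifier))),
// the value the client sends with the authorization request.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ValidVerifier enforces RFC 7636 section 4.1: 43 to 128 characters from
// the set [A-Za-z0-9-._~].
func ValidVerifier(v string) bool {
	if len(v) < 43 || len(v) > 128 {
		return false
	}
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch {
		case 'A' <= c && c <= 'Z', 'a' <= c && c <= 'z', '0' <= c && c <= '9',
			c == '-', c == '.', c == '_', c == '~':
		default:
			return false
		}
	}
	return true
}

// AuthCodeRecord is what the authorization server stores against the code it
// issued at the authorization step (constructed layout for this example).
type AuthCodeRecord struct {
	Challenge string
	Method    string // "S256" or "plain"
}

// TokenExchangeAllowed is the check made when the code is redeemed: a code
// intercepted from the redirect is useless without the verifier that only the
// legitimate client holds. The weak "plain" method is refused outright and the
// comparison is constant-time.
func TokenExchangeAllowed(rec AuthCodeRecord, presentedVerifier string) bool {
	if rec.Method != "S256" || !ValidVerifier(presentedVerifier) {
		return false
	}
	expected := S256Challenge(presentedVerifier)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(rec.Challenge)) == 1
}

func main() {
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	rec := AuthCodeRecord{Challenge: S256Challenge(verifier), Method: "S256"}
	fmt.Println("legitimate client redeems code:", TokenExchangeAllowed(rec, verifier))
	other, _ := NewCodeVerifier()
	fmt.Println("code presented with a different verifier:", TokenExchangeAllowed(rec, other))
}
```

The server-side check is the part worth auditing in a connector integration: the challenge must be bound to the issued code, "plain" must not be accepted as a fallback, and the verifier must never leave the client that generated it.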
RBAC + Supabase Row Level Security
Four application roles: owner, admin, compliance_lead, member. Strict per-organisation isolation is enforced by Postgres RLS in two layers: Next.js middleware and SQL policies. Because the SQL policies are enforced by the database itself, no cross-organisation leakage is possible even in the event of an application bug.
A clear direction, documented milestones
We only claim what we can demonstrate. The statuses below are updated at every audit milestone.
GDPR article 32 — Technical measures in place
Documented technical and organisational measures (encryption, pseudonymisation, integrity, confidentiality, resilience, regular testing). ROPA and DPIA up to date.
Independently verifiable audit trail
Reconstructible cryptographic chain, exportable as a signed PDF. The export format takes into account CNIL guidance (GDPR article 5.2, accountability) and AI Office guidance (AI Act article 12, logging).
EU AI Act — Self-assessment
ACF Compliance does not operate a high-risk AI system within the meaning of Annex III of the regulation. Article 50 transparency notice published for the conversational AI module (Advisor).
ISO 42001 / 27701 — Alignment in progress
Artificial Intelligence Management System (42001) and Privacy Information Management System (27701) frameworks integrated into the 2027 quality roadmap.
Partial list, full transparency
We document every sub-processor: purpose, location, cross-border transfer mechanism. Exhaustive list and detailed DPA available in the contractual annex.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | Frontend hosting | Frankfurt (DE) — EU edge region | EU-US Data Privacy Framework |
| Supabase Inc. | Authentication, database, storage | AWS eu-central-1 (Frankfurt, DE) | Commission SCCs (Decision (EU) 2021/914) |
| Resend Inc. | Transactional emails (magic link, notifications) | United States (DPF) | EU-US Data Privacy Framework |
| Anthropic PBC | Claude API (PII redacted upstream) | United States (DPF) | Commission SCCs (Decision (EU) 2021/914) |
| Stripe Payments Europe Ltd. | Payments and recurring billing | Ireland (EU) | Intra-EU processing |
| Cloudflare Inc. | DNS, CDN, cookieless captcha | United States (DPF) — EU edge | EU-US Data Privacy Framework |
| Upstash Inc. | Serverless Redis rate limiting | AWS eu-west-1 (Ireland) | Intra-EU processing |
All non-EU transfers rely on the standard contractual clauses adopted by the European Commission (Decision (EU) 2021/914) or on the EU-US Data Privacy Framework. No client data is transferred outside the EU without a valid legal basis.
Vulnerability disclosure
If you discover a vulnerability, please email security@acf-compliance.com. We acknowledge receipt as soon as possible. See our security.txt (RFC 9116).
Policy: no legal action if you follow our rules (testing only on your own accounts, no DoS, no third-party exfiltration, coordinated disclosure).
Available documentation
- Data Processing Agreement (DPA)
- Privacy policy
- Legal notice
- Cookie policy: no marketing or tracking cookies. Cookieless Plausible analytics.
- Retention policy, threat model, incident response plan: available on request under NDA.
Need our security pack?
Ready-to-sign DPA, due diligence questionnaire (CAIQ), exhaustive sub-processor list, incident response plan, ROPA. Sent once an NDA is in place.
Last updated: 21 May 2026