Last reviewed 2026-05-28

Trust Center

Everything a procurement team, a CISO, or a privacy officer needs in one place — privacy policy summary, security architecture, GDPR posture, EU data residency, founder accountability, sub-processor inventory, and an honest accounting of the gaps we have not closed yet.

Security

AES-256 at rest, TLS 1.3, RLS, MFA, SSO. Full detail at /security/.

Privacy

GDPR-compliant. Binding text at /privacy/.

EU residency

London Postgres + Cloudflare EU edge. No US replicas.

DPA

Pre-signed. Download PDF →

1. Privacy policy — summary

The short version of what we collect, why, and what you can do about it. The binding text lives at /privacy/.

What we collect: account email, organisation name, billing identity (via Stripe), RFP content you create, hotel responses you receive, audit-log entries for your actions inside the app.
Why: to provide the service, to invoice you, to send you transactional email about your RFPs, to investigate security events.
What we do NOT do: sell your data, share it with advertising networks, train AI models on it (zero-retention contracts with OpenAI and Anthropic).
Your rights: access, correction, export, erasure, restriction, objection, portability — exercised by emailing [email protected] or from /app/account/. Completed within 30 days.
Cookies: essential only by default. Analytics + marketing cookies fire only after explicit consent via the banner.

2. Security at a glance

The full security page lives at /security/. Highlights:

AES-256 encryption at rest (Supabase-managed Postgres + Cloudflare R2 backups)
TLS 1.3 in transit, HSTS preload, A+ SSL Labs rating target
Postgres row-level security (RLS) tested in CI on every merge
MFA available today (TOTP); Google Workspace OAuth SSO live; SAML 2.0 + SCIM on the Q3/Q4 2026 roadmap
Audit logs retained 24 months minimum; admin access at /app/admin/audit/
Quarterly backup-restore drills; daily encrypted snapshots in Cloudflare R2 (EU)

3. GDPR compliance

Lawful basis: contract performance (Art. 6(1)(b)) for customer accounts; legitimate interest (Art. 6(1)(f)) for B2B hotel outreach with one-click unsubscribe
DPA: pre-signed Article 28 Data Processing Addendum at /legal/dpa.pdf — attach to your master agreement, no sales call required
SCCs: Standard Contractual Clauses + DPA in force with every US-incorporated sub-processor
DPO: not legally required at our size; the founder personally fulfils the role under Art. 37(4)
Breach notification: 72-hour customer notice per Art. 33; public post-mortem when impact >5% of base or >1 hour
Data subject requests: 30-day max turnaround; completed via /app/account/ or [email protected]

4. EU data residency

Primary Postgres in Supabase eu-west-2 (London, UK). CDN/edge layer is Cloudflare with EU edge routing enforced for European traffic. Object storage is Supabase Storage in the same EU region. Backups land in Cloudflare R2 EU bucket.

No customer record is mirrored to a US region. No analytics replica is built on a US-resident database. The only data leaving the EU is when proposal parsing dispatches a prompt to OpenAI / Anthropic under zero-retention contracts, or when Resend transmits a transactional email under SCC.

5. Founder accountability

Gustavo Borges

Founder & CEO · Personally accountable

I am the sole director of Easy RFP OÜ. The buck stops at [email protected] — not at a generic compliance@ alias that nobody owns.

For security incidents I escalate within 4 business hours. For DPA negotiations I sign personally. For GDPR data-subject requests I run the workflow myself until customer success is hired (see /careers/). For an unannounced procurement audit, name the time — I will be there.

I do not delegate trust to a chatbot, a ticketing alias, or a "compliance person who joined three weeks ago". If you talk to Easy RFP about security, GDPR, or your data, you talk to me.

6. Sub-processors (full inventory)

Updated whenever we add, replace, or remove a vendor. Subscribe to change notifications by emailing [email protected] with subject "Subscribe subprocessor updates" — we send a heads-up at least 30 days before any change takes effect.

Vendor	Purpose	Region	Contractual basis
Supabase	Database, auth, storage, edge functions	EU (London, UK)	DPA + EU hosting
Cloudflare	CDN, DDoS, Pages, Workers, R2 backups	EU edge / EU R2	DPA + SCC
Stripe	Payment processing, billing, customer portal	US/EU dual	DPA + SCC + PCI-DSS L1
Resend	Transactional email (magic-link, RFP outreach)	US (EU routing)	DPA + SCC
Sentry	Error monitoring (no PII captured)	EU	DPA + EU hosting
PostHog	Product analytics (funnel events, no PII)	EU (eu.i.posthog.com)	DPA + EU hosting
Google Tag Manager + GA4	Marketing analytics (consent-gated)	EU regional collection · IP anonymisation enabled	DPA + SCC + consent-mode v2
OpenAI	Proposal parser verifier (GPT-4o)	US	DPA + SCC + zero retention
Anthropic	Proposal parser primary (Claude Sonnet)	US	DPA + SCC + zero retention

GA4 configuration: IP anonymisation is forced via Google Tag Manager server config; we use EU regional collection endpoints; analytics cookies do not fire without explicit consent under IAB TCF v2.

7. Honest gaps (what we do NOT have yet)

No third-party penetration test report yet. First audit engagement is planned Q3 2026 with an EU-based firm. The report will be shareable under NDA. We will not retroactively pretend a pentest happened. No SOC 2 Type II certificate. Type I audit starts Q4 2026; Type II report expected Q3 2027. No ISO 27001 certificate. Planned H2 2027 on top of the SOC 2 foundation. No 24×7 manned SOC. Pager-duty on critical alerts; founder + engineering contractor on-call.

In the interim we offer: architecture diagrams on request, RLS policy review, SIG-Lite / CAIQ v4 responses within 5 business days, customer references in regulated MICE-buyer environments. Email [email protected].

8. Audit-trail philosophy

When a hotel responds, when a planner declares a winner, when a contract amount is amended — every one of those events is captured to a tamper-evident audit log retained 24 months minimum. The full schema and retention policy lives at /security/ §10. The reason we treat this as a first-class feature: corporate procurement teams need to defend their sourcing decisions years later when a deal is questioned. Easy RFP exists, in part, so that defence is automatic.

9. Where to go next

Technical security detail → /security/
Full privacy policy → /privacy/ (the binding legal text)
Cookie policy → /cookies/
Pre-signed DPA → /legal/dpa.pdf
Terms of service → /terms/
System status & live health check → /status/ · /api/health
Team page → /about/team/
Founder bio → /about/gustavo-borges/

10. Reporting a concern

Security vulnerability: email [email protected] · subject "SECURITY" · ack within 24 business hours
Privacy / GDPR: subject "GDPR" · response within 5 business days, completion within 30
Vendor risk assessment: subject "VENDOR ASSESSMENT" · response within 5 business days
Founder direct: [email protected] for anything you do not want to route through the generic alias

For privacy policy see /privacy/ · For security see /security/ · For DPA see /legal/dpa.pdf · For terms see /terms/