These answers reflect Trusq today. ‘To be confirmed during onboarding’ means we’ll give your reviewers a precise, written answer during onboarding rather than an approximate one here. We don’t claim certifications, audits or uptime guarantees we don’t have.
Company & contract
[In place] Who is the legal entity behind Trusq?
Trusq is a product of YRproject B.V., registered in the Netherlands (EU), KvK 97813974, at IJsseldijk 402, 2922 BN Krimpen aan den IJssel.
[At onboarding] Is there a Data Processing Agreement?
Yes. A GDPR Art. 28 DPA (your organisation as controller, Trusq as processor) is provided for signature during onboarding, before any production use. See the trust page.
[In place] What are the terms of service and governing law?
Our terms apply, governed by Dutch law. Trusq provides information and indications, not legal advice.
Data protection & residency
[EU only] Where is our data hosted and processed?
Entirely within the European Union. Application and database hosting is in Germany and France; every sub-processor is EU-based. No data is hosted or processed in the US.
[EU only] Where is AI processing performed?
Content you submit for drafting or the assistant is processed by our EU AI provider (Mistral AI, France) — never by US AI services. See sub-processors.
[Yes] Is our content used to train AI models?
No. Content you submit is used to provide the service to you, grounded in cited sources; it is not used to train models.
[In place] Who are your sub-processors?
Three, all EU-based: Hetzner (DE) for hosting, Mistral AI (FR) for the AI layer, Scaleway (FR) for transactional email. Full detail and purpose on the sub-processors page.
[In place] What personal data do you process, and for how long?
Account data, the compliance data you enter, early-access leads and server/audit logs. Retention is set out in our privacy policy (e.g. server and audit logs for 90 days).
[At onboarding] How is data returned or deleted at the end of the contract?
On termination we return or delete your data in line with the DPA and privacy policy. The exact process and timing are confirmed during onboarding.
Security controls
[In place] Is data encrypted in transit?
Yes. All traffic is served over HTTPS/TLS, with HTTP Strict Transport Security (HSTS) and a strict Content-Security-Policy enforced at the edge.
[To be confirmed] Is data encrypted at rest?
Hosting is on EU infrastructure; the specifics of at-rest encryption are confirmed during onboarding rather than stated loosely here.
[In place] How are passwords stored?
Passwords are hashed with salted PBKDF2-HMAC-SHA256 (200,000 iterations, per-user salt). We never store plaintext passwords. Sessions use a signed, HttpOnly cookie.
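An added illustration of the scheme this answer describes, not Trusq's own code: salted PBKDF2-HMAC-SHA256 at 200,000 iterations with a per-user salt, verified in constant time, plus a check for records hashed below the current iteration target. The record layout, 16-byte salt length, iteration cap and function names are assumptions.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"   # label in the stored record (assumed layout)
ITERATIONS = 200_000          # iteration count stated on the page
SALT_BYTES = 16               # assumed; the page does not give a salt length
MAX_ITERATIONS = 10_000_000   # assumed cap so a tampered record cannot stall login


def _parse(record):
    """Split 'algorithm$iterations$salt_hex$hash_hex'; return None if malformed."""
    try:
        algorithm, rounds, salt_hex, hash_hex = record.split("$")
        parsed = int(rounds), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return None
    if algorithm != ALGORITHM or not 1 <= parsed[0] <= MAX_ITERATIONS:
        return None
    return parsed


def hash_password(password, iterations=ITERATIONS):
    """Derive a hash under a fresh random per-user salt and serialise it."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False  # malformed record: fail closed
    rounds, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record):
    """True when a record is malformed or uses fewer iterations than the target."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < ITERATIONS
```

Storing the iteration count inside each record is what lets the count be raised later: older records still verify, and `needs_rehash` flags them for re-hashing at the next successful login.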
[In place] How is customer data separated between tenants?
Trusq is multi-tenant; each organisation’s data is separated per tenant in the application and database. Implementation detail is available during onboarding.
[In place] Do you enforce security headers?
Yes — HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and a Content-Security-Policy are set on the public surface.
[Not yet] Has a third-party penetration test or security audit been done?
Not yet. No external pentest or audit has been completed. We will publish scope and outcome on the trust page once one has.
Access & authentication
[Roadmap] Do you support SSO / SAML?
Not yet — it is on the roadmap and prioritised for enterprise onboarding. Tell us if you need it and we’ll factor it into sequencing.
[Roadmap] Do you support multi-factor authentication (MFA)?
Not yet available on user accounts. It is on the roadmap alongside SSO. Interim access practices are discussed during onboarding.
[To be confirmed] How is administrative access to systems controlled?
Access to production systems is limited to the operator (YRproject B.V.). Specific access controls and key handling are described during onboarding.
Resilience & continuity
[In place] Do you take backups?
Yes. The database is backed up automatically each day, with an independent off-site copy kept on separate infrastructure. Restore procedures and exact retention are confirmed during onboarding.
[No SLA yet] What is your uptime commitment / SLA?
There is no contractual SLA today, and no automated uptime history. Current posture is on the status page; a formal SLA is on the roadmap.
[At onboarding] Do you have a documented incident-response process?
For personal-data breaches we notify the controller without undue delay, as required under the GDPR and set out in the DPA. A formally documented internal IR runbook is in progress.
Certifications & standards
[Roadmap] Are you ISO 27001 certified?
No. We are aligning controls toward ISO 27001 but are not certified, and we will not claim a certificate we don’t hold.
[Roadmap] Are you ISO 42001 (AI management) certified?
No. We are evaluating ISO 42001 for our AI layer. Not certified.
[Not yet] Do you have SOC 2?
No SOC 2 report exists. Not on the near-term roadmap.