Compliance Hub
Last updated: March 2026 — For CIOs, DPOs, and compliance teams
This page consolidates everything your security and compliance team needs to evaluate AI DeskFlow. For questions not covered here, contact security@ai-deskflow.com. We respond within 24 hours and can fill out your vendor security questionnaire.
1. Company & product overview
| Item | Detail |
|---|---|
| Legal entity | ETERNA-APP INC. |
| Address | 131 Continental Dr Suite 305, Newark, DE 19713, USA |
| Product | AI DeskFlow — AI-powered document analysis platform |
| Domain | ai-deskflow.com |
| DPO contact | dpo@ai-deskflow.com |
| Security contact | security@ai-deskflow.com |
2. Data flow diagrams by tier
AI DeskFlow offers three data processing tiers. Each tier determines where your data is stored and processed. You choose the tier that matches your regulatory requirements.
Tier 1: Cloud (Free & Solo Pro plans)

```
User (Browser)
  │ HTTPS/TLS 1.3
  v
Vercel (Global CDN) ──── Next.js App
  │
  ├─► Supabase (EU-West) ─── PostgreSQL + pgvector + Storage
  │
  └─► Cloud LLM Provider (US)
        OpenAI / Anthropic / Groq
        ⚠ Messages + doc excerpts transit through provider servers
        Zero data retention (per API terms)
```

Tier 2: BYOK (Solo Pro with user keys)

```
User (Browser)
  │ HTTPS/TLS 1.3
  v
Vercel (Global CDN) ──── Next.js App
  │
  ├─► Supabase (EU-West) ─── PostgreSQL + pgvector + Storage
  │
  └─► Cloud LLM (User's Account)
        User provides their own API keys (encrypted AES-256-GCM)
        ⚠ Same transit as Tier 1, but under user's account/terms
```

Tier 3: Sovereign (Cabinet & Enterprise plans)

```
User (Browser / WhatsApp / Telegram)
  │ HTTPS/TLS 1.3
  v
Vercel (Global CDN) ──── Next.js App (metadata only)
  │
  ├─► Supabase (EU-West) ─── Account metadata only
  │
  └─► User's Private Server (EU / on-premise)
        ├── Ollama (LLM) ─── local inference
        ├── ChromaDB ──────── local vector search
        └── Docker isolation per workspace
        ✅ Documents + queries never leave the server
```

3. Sub-processors & locations
| Provider | Purpose | Location | DPA signed | Tier 3 usage |
|---|---|---|---|---|
| Supabase Inc. | Database, auth, file storage | EU-West (Ireland) | Yes | Metadata only |
| Vercel Inc. | Web application hosting | Global (US primary) | Yes | Web app only |
| Stripe Inc. | Payment processing | US (PCI DSS L1) | Yes | Used |
| Resend Inc. | Transactional emails | US | Yes | Used |
| OpenAI Inc. | LLM inference + embeddings | US | Available | Not used |
| Anthropic Inc. | LLM inference | US | Available | Not used |
| Groq Inc. | LLM inference | US | Available | Not used |
| Hetzner Online GmbH | Private server hosting | EU (DE/FI) | Yes | Optional (managed) |
We notify customers 30 days before adding or replacing a sub-processor. Full sub-processor change log available on request.
4. GDPR compliance
| Requirement | Status | Implementation |
|---|---|---|
| Lawful basis (Art. 6) | ✅ | Contract performance (B2B SaaS subscription) |
| Data minimization (Art. 5) | ✅ | AI logs store input hashes, not plaintext. Explicit column selects only. |
| Encryption (Art. 32) | ✅ | TLS 1.3 in transit, AES-256-GCM at rest for credentials |
| Access control (Art. 32) | ✅ | PostgreSQL RLS on all 11 tables, role-based workspace access |
| Right of access (Art. 15) | ✅ | Settings > Account > Export Data (JSON) |
| Right to erasure (Art. 17) | ✅ | Settings > Danger Zone > Delete Account (full cascade within 30 days) |
| Data portability (Art. 20) | ✅ | JSON export of all account data |
| Breach notification (Art. 33) | ✅ | 72-hour notification commitment (see DPA) |
| DPA (Art. 28) | ✅ | Available at /dpa |
| DPO appointed | ✅ | dpo@ai-deskflow.com |
| International transfers | ✅ | EU-US Data Privacy Framework + Standard Contractual Clauses |
| Cookie consent | ✅ | Strictly necessary cookies only (auth session). No tracking. Cookie banner displayed. |
5. EU AI Act readiness
AI DeskFlow is designed with the EU AI Act in mind. Current status:
- Transparency: every AI interaction is logged with timestamps, model identifiers, and routing decisions in the ai_decisions table.
- Audit trail: exportable as CSV from Dashboard > Security > Export (90-day retention).
- Input hashing: prompts are stored as SHA-256 hashes, not plaintext — data minimization by design.
- Human oversight: AI generates suggestions only. All decisions remain with the human professional.
- Risk classification: AI DeskFlow is classified as a limited-risk AI system (information/decision support tool, not autonomous decision-making).
- Target compliance date: full alignment before August 2026 deadline.
6. Certifications & audits
| Standard | Status | Timeline |
|---|---|---|
| GDPR | Compliant | Active |
| EU AI Act | In progress | Target: August 2026 |
| SOC 2 Type I | Planned | Q4 2026 |
| ISO 27001 | Planned | 2027 |
| Penetration test | Scheduled | Q3 2026 |
| HDS (Hébergement Données de Santé) | Evaluating | 2027 (via HDS-certified hosting partner) |
Advanced compliance & certifications
AI DeskFlow is not yet HDS-certified (required for hosting health data in France) or SOC 2 audited. If your organization requires these certifications, we offer two paths:
- Self-hosted deployment: install AI DeskFlow on your own HDS-certified infrastructure using our Private Server option (Cabinet or Enterprise plan). Your data never leaves your environment.
- Certification roadmap: we are actively evaluating HDS certification through a partnership with an HDS-certified hosting provider (target: 2027). SOC 2 Type I is planned for Q4 2026.
For specific compliance requirements, contact security@ai-deskflow.com to discuss a tailored setup.
We can provide a detailed security questionnaire response (CAIQ, SIG, or custom format) upon request. Contact security@ai-deskflow.com.
7. Technical security controls
| Control | Implementation |
|---|---|
| Encryption in transit | TLS 1.3, HSTS with preload (max-age=63072000) |
| Encryption at rest | AES-256-GCM for API keys (unique IV per operation). Supabase encryption at rest. |
| Authentication | Supabase Auth (JWT), rate-limited login (5/15min/IP) |
| Authorization | PostgreSQL Row-Level Security on all 11 tables. SECURITY DEFINER for cross-table queries. |
| Rate limiting | Upstash Redis per-user/IP. 30 chat/min, 20 upload/min, 5 register/15min. |
| Input validation | All 50+ API routes. UUID regex on ID params. 10K char message limit. |
| SSRF protection | Block RFC1918, loopback, link-local, IPv6 ULA, metadata IPs (169.254.169.254) |
| XSS/Clickjacking | CSP, X-Frame-Options: DENY, X-Content-Type-Options: nosniff |
| Anti-enumeration | Auth endpoints always return success (no email leak) |
| PII anonymization | Optional regex masking (email, phone, IBAN, SSN FR) before cloud LLM |
| Privilege escalation | BEFORE UPDATE trigger on profiles protects plan/stripe fields |
| Container isolation | Sovereign plan: 1 client = 1 Docker container + network + volume |
Full technical details: Security & Architecture.
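The SSRF control in the table above, as an added illustration that is not AI DeskFlow's own code: a deny-list check over resolved addresses covering the listed ranges (RFC 1918, loopback, link-local including the 169.254.169.254 metadata address, IPv6 ULA), extended to IPv4-mapped IPv6 literals so a mapped internal address is not missed. Function names are hypothetical.

```javascript
// Dotted-quad IPv4 -> [a, b, c, d], or null if not a valid IPv4 literal.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.every((x) => x <= 255) ? o : null;
}

// IPv6 literal -> 8 hextets, or null. Expands "::" and folds an IPv4-mapped
// tail (::ffff:10.0.0.1) into hextets so it cannot hide an internal IPv4.
function parseIPv6(s) {
  let str = s.replace(/^\[|\]$/g, "").split("%")[0]; // strip brackets, zone id
  const v4 = /(\d+\.\d+\.\d+\.\d+)$/.exec(str);
  if (v4) {
    const o = parseIPv4(v4[1]); if (!o) return null;
    str = str.slice(0, -v4[1].length) + ((o[0] << 8) | o[1]).toString(16) + ":" + ((o[2] << 8) | o[3]).toString(16);
  }
  const halves = str.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (fill < 0 || (halves.length === 1 && head.length !== 8)) return null;
  const parts = [...head, ...Array(fill).fill("0"), ...tail];
  if (parts.length !== 8 || !parts.every((p) => /^[0-9a-f]{1,4}$/i.test(p))) return null;
  return parts.map((p) => parseInt(p, 16));
}

function isBlockedIPv4(o) {
  return o[0] === 10 ||                                // RFC 1918 10/8
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||      // RFC 1918 172.16/12
    (o[0] === 192 && o[1] === 168) ||                  // RFC 1918 192.168/16
    o[0] === 127 ||                                    // loopback 127/8
    (o[0] === 169 && o[1] === 254);                    // link-local 169.254/16, incl. metadata IP
}

function isBlockedIPv6(h) {
  if (h.slice(0, 5).every((x) => x === 0) && h[5] === 0xffff)   // ::ffff:a.b.c.d (mapped IPv4)
    return isBlockedIPv4([h[6] >> 8, h[6] & 0xff, h[7] >> 8, h[7] & 0xff]);
  return (h.slice(0, 7).every((x) => x === 0) && h[7] <= 1) ||  // :: and ::1 (loopback)
    (h[0] & 0xfe00) === 0xfc00 ||                                // ULA fc00::/7
    (h[0] & 0xffc0) === 0xfe80;                                  // link-local fe80::/10
}
// true = do not connect. Run on every address the hostname resolves to and
// again after each redirect, so DNS rebinding cannot bypass the check.
function isBlockedAddress(addr) {
  const v4 = parseIPv4(addr); if (v4) return isBlockedIPv4(v4);
  const v6 = parseIPv6(addr);
  return v6 ? isBlockedIPv6(v6) : true; // unparseable input fails closed
}
```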
8. Data retention & deletion
| Data type | Retention | Deletion trigger |
|---|---|---|
| Documents & embeddings | Duration of subscription | Account deletion or user request (30 days) |
| Conversations & messages | Duration of subscription | Account deletion |
| AI decision logs | 90 days | Automatic expiry (EU AI Act compliance) |
| Usage logs | 24 months | Rolling window |
| Billing records | 10 years | Legal accounting obligation |
| Backups | 30 days after deletion | Cascading from account deletion |
| Private server data | Under customer control | Customer manages their own server |
9. Data subject rights (GDPR Chapter III)
| Right | GDPR Article | How to exercise |
|---|---|---|
| Access | Art. 15 | Settings > Account > Export Data |
| Rectification | Art. 16 | Settings > Account (edit profile) |
| Erasure | Art. 17 | Settings > Danger Zone > Delete Account |
| Portability | Art. 20 | JSON export via Settings > Account > Export Data |
| Restriction | Art. 18 | Contact dpo@ai-deskflow.com |
| Objection | Art. 21 | Contact dpo@ai-deskflow.com |
10. Available documents
The following compliance documents are available:
| Document | Access |
|---|---|
| Privacy Policy | /privacy |
| Terms of Service | /terms |
| Data Processing Agreement (DPA) | /dpa |
| Security & Architecture | /security |
| Legal Notice | /legal |
| Vendor security questionnaire (CAIQ/SIG) | On request — security@ai-deskflow.com |
| Signed DPA (custom) | On request — legal@ai-deskflow.com |
| SOC 2 Type I report | Available Q4 2026 |
Need something else?
We understand that every organization has specific compliance requirements. Whether you need a custom security questionnaire filled out, a specific DPA clause, or a meeting with our security team, contact us at security@ai-deskflow.com. We respond within 24 hours.
ETERNA-APP INC. — 131 Continental Dr Suite 305, Newark, DE 19713, USA