We run the platform on Railway in the eu-west4 region (the Netherlands). Tenant databases, document files, and the application runtime are all located in this region.
Who sees your data, and where
- Primary application + database: Railway (eu-west4, the Netherlands).
- Encrypted backups: AWS S3 (eu-west-1, Ireland). Backups are age-encrypted before leaving the container; AWS never sees cleartext.
- Extraction providers: The specific LLM providers are listed at /legal/subprocessors. Several are US-based; tenants can restrict routing to EU-based providers (Mistral) if desired.
POPIA § 72 — for South African tenants
POPIA §72(1)(a) permits cross-border transfer when the recipient is bound to provide a substantially similar level of protection. Our EU hosting, together with our written agreements with infrastructure and LLM providers, satisfies this. We do not mandate af-south-1 residency — POPIA does not require it for private-sector B2B document processing.
If a specific customer contract or regulatory engagement requires South African residency (e.g. certain public-sector or banking engagements), we can stand up an af-south-1 sovereignty tier as a configurable residency option. Contact us if this applies to you.
GDPR + UK + Swiss
For EU, UK, and Swiss data subjects, data stays in the EEA at rest: primary storage is in the Netherlands, and backups live in Ireland (AWS eu-west-1). LLM extraction calls sent to non-EU providers rely on the EU–US Data Privacy Framework (for certified providers) or Standard Contractual Clauses + a Transfer Impact Assessment (otherwise), as detailed in our DPA at /legal/dpa.
LGPD, Singapore PDPA, Australian Privacy Act, Canada PIPEDA
For data subjects in jurisdictions outside the GDPR cluster, our sub-processor safeguards, retention, and security commitments apply equally. Specific provisions relevant to each regime are covered in the DPA annex schedules.
Failover and disaster recovery
- Primary Postgres: single instance on Railway with nightly snapshots.
- Application-level backup: pg_dump every 4 hours, age-encrypted, shipped to AWS S3.
- Recovery point objective (RPO): 4 hours worst case.
- Recovery time objective (RTO): 2–4 hours for a full rebuild from the latest S3 dump onto a fresh Railway project or AWS RDS target, in the event of a Railway-side outage.
Change of hosting
We notify tenant account holders by email at least 30 days in advance of any material change to hosting region or infrastructure.