EU-hosted · GDPR-ready · DPA on every paid plan

Security first.

Built in Europe for European businesses. Your data lives on EU servers, is encrypted in transit and at rest, and never trains anyone's foundation model.

EU-hosted
Encrypted
GDPR-ready
DPA included

How we protect you

Privacy and security, by default.

We treat customer data like our own. No silent data sharing, no opt-in dark patterns, no surprise sub-processors.

EU-hosted infrastructure

All servers, databases, and embeddings live in EU data centres. Data never crosses the Atlantic.

Encrypted in transit & at rest

TLS 1.2+ for every connection. AES-256 encryption for stored data. Industry-standard, no shortcuts.

We don't train on your data

Your conversations, knowledge, and embeddings are never used to train foundation models. Yours forever.

Role-based access

Owner, admin, and member roles per organisation. Tight permission boundaries on every API call.

Domain allowlist

Lock the widget to verified domains. Block scraping and unauthorised embeds at the edge.

Rate limiting & abuse protection

Per-bot and per-IP rate limits stop abuse before it inflates your bill.

Right to delete

Export or delete every conversation, lead, and source from the dashboard or by request, no questions asked.

DPA on every paid plan

Standard contractual clauses, sub-processor list, and data-flow diagram included. Sign electronically.

Transparent sub-processors

Public list of every vendor that touches your data. We notify you before any change.

Compliance

GDPR-ready out of the box.

From data subject access requests to right-to-be-forgotten, the tooling is built into the dashboard. SOC 2 Type II is on the roadmap as we scale.

  • Lawful basis documented for every data flow
  • EU-only sub-processors (no US transfers)
  • Configurable retention windows for chats and leads
  • One-click export of all visitor data
  • Sign DPA from the billing page

Security FAQ

Questions, answered.

Need something specific for your security review? Email security@chatsuno.com.

  • Where is my data stored?
    All chats, leads, knowledge sources, and embeddings are stored on EU servers (Frankfurt region). Backups stay in the EU. Data is never transferred to the US.
  • Is my data used to train AI models?
    No. Your data is never used to train foundation models — ours, OpenAI's, Anthropic's, or anyone else's. Conversations are only used to generate replies for your own visitors.
  • Who can access my data?
    Only you and the team members you invite. A small Chatsuno engineering team has audited production access for incident response. Every access is logged.
  • Do you offer a DPA?
    Yes. A pre-signed DPA is available on every paid plan and downloadable from the dashboard. Custom DPAs for enterprise customers are negotiable.
  • Who are your sub-processors?
    A short list: payment provider, email delivery, error monitoring, and the LLM provider that generates replies. The full list with countries and roles is published in the DPA appendix.
  • How do I delete data?
    Delete individual conversations or leads from the dashboard, wipe a whole bot in one click, or close your account to remove everything within 30 days. We can also process bulk deletion requests by email.
  • Are you SOC 2 certified?
    We follow SOC 2-aligned controls (encryption, access logging, role-based access, incident response) but are not yet formally audited. SOC 2 Type II is on the roadmap.

Built for trust

Privacy you can show your legal team.

EU-hosted, GDPR-ready, and a DPA you can sign before the trial ends.

Security & privacy — Chatsuno