Spock

Trust Center

Transparency is not optional. Here is exactly how Spock protects your data, where it lives, who touches it, and what controls are in place.

Core Commitments

What we promise

Security First

Enterprise-grade encryption, access controls, and secure development practices protect your data at every layer.

Your Data, Your Control

We never train AI models on your data. Your files, prompts, and outputs belong to you. Period.

Regulatory Compliance

Fully compliant with GDPR (EU) and POPIA (South Africa). Standard Contractual Clauses govern all international transfers.

EU-Hosted Infrastructure

Core application servers, databases, and user data are hosted in Germany on Hetzner and DigitalOcean infrastructure.

Architecture

Where your data lives

Storage: EU (Germany)

Application servers, databases, and core user data are hosted in Germany on Hetzner and DigitalOcean infrastructure. Your data at rest stays in the EU.

AI Inference: United States

Prompts and files that require AI processing are sent to US-based providers (OpenAI, Anthropic/Claude, Google/Gemini, Groq) via API. All providers have committed to zero training on API data. Retention ranges from 0 days (Groq ZDR) to 30 days (OpenAI) for safety monitoring only.

Transfer Safeguards

All EU-to-US transfers are protected by Standard Contractual Clauses (SCCs 2021/914), supplementary measures per EDPB Recommendations 01/2020, and binding agreements under POPIA s72(1)(b).

Security

Technical and organisational measures

Encryption at rest

AES-256 encryption for all stored data

Encryption in transit

TLS 1.3 for all data in transit

Access controls

Least-privilege access with logging and monitoring

Network segregation

Hardened production environment with isolated networks

Secure development

Security-first development practices and code review

Vendor due diligence

DPAs and SCCs with all sub-processors

Data minimisation

Only necessary data is sent to AI providers for inference

Rolling backups

Regular backups with tested restore procedures

Privacy

How we handle your data

No-Training Warranty

Spock unconditionally warrants that no data processed through our platform will be used, directly or indirectly, by Spock or any sub-processor to train, fine-tune, or otherwise develop any AI model. This is a core, non-derogable obligation. Breach of this warranty entitles you to a full refund of the last 12 months of fees and immediate termination rights.

Data Retention

Account data: duration of service + 12 months. AI inference data at sub-processors: 0-30 days depending on provider (see sub-processor table). Security logs: 90-180 days. Billing records: as required by tax law.

Data Deletion

On termination, we return or delete all personal data at your choice. Sub-processor data is purged per their retention schedules (0-30 days for API inference).

Cookies

We use only strictly necessary cookies. No analytics, advertising, or third-party tracking cookies.

Your Rights

Access, rectification, erasure, restriction, portability, and objection rights under both GDPR and POPIA. Contact us to exercise any right.

Sub-processors

Who processes your data

We give at least 15 days advance notice before adding or replacing any sub-processor. You have the right to object on data-protection grounds.

| Provider | Location | Purpose | Trains on Data | API Retention | Safeguards |
|---|---|---|---|---|---|
| Anthropic / Claude | United States | AI / LLM inference | No | 7 days (default API) | SCCs, DPA, ISO 27001, ISO 42001, SOC 2 Type II |
| OpenAI | United States / Ireland | AI / LLM inference | No | 30 days (API) | SCCs, DPA, ISO 27001/27017/27018/27701, SOC 2 Type II, EU-US DPF |
| Google / Gemini | Ireland (EU) / United States | AI / LLM inference | No | Stateless (many operations) | EU entity, SCCs, ISO 27001/27017/27018/27701/42001, SOC 1/2/3, FedRAMP |
| Groq | United States | High-speed LLM inference | No | 0 days (ZDR default) | SCCs, DPA, GCP infrastructure |
| Hetzner | Germany (EU) | Hosting and compute | N/A | Duration of service | EU-hosted, ISO 27001 |
| DigitalOcean | Germany (EU) | Hosting and compute | N/A | Duration of service | EU-hosted, SOC 2 Type II |
| Stripe | United States / EU | Payment processing | N/A | As required by law | SCCs, PCI DSS |
| Resend | United States | Transactional email | N/A | 30 days | SCCs, DPA |
| Crisp | EU | In-app support | N/A | Duration of service | EU-hosted, DPA |

Compliance

Certifications and compliance

GDPR Compliant

Full compliance with the EU General Data Protection Regulation. EU-hosted storage, SCCs for international transfers, and comprehensive DPA.

POPIA Compliant

Full compliance with the South African Protection of Personal Information Act, including juristic person protections and s72 transfer safeguards.

Transfer Impact Assessments

Comprehensive TIAs conducted for all US sub-processors following EDPB Recommendations 01/2020 and the CNIL Practical Guide. Updated annually.

SOC 2 Type II

SOC 2 Type II certification is in progress and expected by H2 2026. This page will be updated when the certification is complete.

Incident Response

How we handle security incidents

If we become aware of a personal data breach affecting your data, we will notify you without undue delay and within 72 hours, providing the information available at that time. We will cooperate fully to help you meet your notification duties under GDPR and POPIA.

Our incident response procedure includes identification, containment, eradication, recovery, and post-incident review. All incidents are logged and reviewed to prevent recurrence.

Documents

Full legal documentation

Security inquiries

Questions about our security practices, compliance, or to request a full TIA?

Contact Louis@spock.chat