// Compliance

Compliance, line by line.

The detail behind the trust page. What's signed, what's available, what's documented. This page is what your DPO and security review will read.

// 01 · Frameworks & controls

What's in place today.

If it isn't on this page, it isn't a JSE commitment. We don't list certifications we don't hold or paths we haven't started.

GDPR Article 28 DPA
Standard data-processor addendum, prepared at contracting.
● Available on request

Standard Contractual Clauses
EU 2021/914, Module 2, signed at contracting.
● Available on request

Per-eval audit artifact
Every run logs prompt fingerprints, models, latencies, costs, scores. Exportable as CSV / JSON / Markdown — usable as evidence for AI Act Art. 15 accuracy / robustness documentation.
● In place

Schrems II — Transfer Impact Assessment
Per-hosting-tier TIA prepared on first enterprise request.
● Available on request

EU Strict tier — model inference
Mistral models only (Paris, EU-owned vendor and datacenter). No US-owned vendor reaches EU Strict.
● In place

Data residency
Application database, eval logs, and EU Strict / EU Cloud model routing all on EU/EEA infrastructure.
● EU/EEA

Encryption (at rest / in transit)
AES-256-GCM at rest with HKDF-derived per-key domain separation; TLS 1.3 in transit.
● In place

PII anonymization (Microsoft Presidio)
Per-request receipt with applied sensitivity level.
● In place

Right to erasure (GDPR Art. 17)
Self-service one-click delete; cascading database delete.
● In place

Age gate (GDPR Art. 8)
Self-declared birth year enforced at registration (≥16).
● In place

// 02 · How routing works

Three tiers, hard-coded at the gateway.

Every request entering JSE is tagged with an active tier before it touches a model. The tier is set per-workspace (and overridable per-run by an admin). The gateway evaluates the model registry against the tier policy:

  • EU Strict — only EU-owned vendors hosted in EU-owned datacenters are eligible. Today: the Mistral family only (Paris). Amazon Nova does not qualify because AWS is US-owned, even though the datacenter is in Stockholm.
  • EU Cloud — EU-resident datacenters, vendor ownership not constrained. Today: Mistral + Claude (Bedrock Frankfurt) + Amazon Nova (Bedrock Stockholm) + Gemini (Vertex EU).
  • Unrestricted — global routing. Required only when the user explicitly opts in.

A request to a model outside the active tier returns 400 model_not_compliant together with the policy ID that rejected it. The request never leaves the gateway, and nothing is logged downstream.

What we record

For every run, JSE produces:

  • Request fingerprint (HMAC-SHA256 over prompt, model id, tier, user, timestamp)
  • Routing decision and resolved model
  • Provider and datacenter the inference touched
  • Output (encrypted at rest, AES-256-GCM) and latency
  • Eval result, judge model, judge rationale, and rubric ID
  • Token counts (input / output) and effective cost in EUR

Eval and audit logs are retained for the lifetime of the user account; users can request export or deletion at any time per GDPR Art. 15 / Art. 17. Default retention policy and longer compliance retention can be specified in the contractual DPA.
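The tier evaluation and request fingerprint described above, as an added illustration that is not JSE's own gateway code: the registry attributes (vendor ownership, datacenter ownership, region), the model ids, the policy ids and the HMAC key are all constructed assumptions derived from the tier descriptions on this page.

```python
import hashlib
import hmac
import json

# Constructed model registry. Vendor ownership, datacenter ownership and
# region are assumptions taken from the tier descriptions on this page;
# model ids are placeholders, not JSE's real registry keys.
REGISTRY = {
    "mistral-large":   {"vendor_eu_owned": True,  "dc_eu_owned": True,  "dc_region": "EU"},  # Paris
    "claude-bedrock":  {"vendor_eu_owned": False, "dc_eu_owned": False, "dc_region": "EU"},  # Frankfurt
    "amazon-nova":     {"vendor_eu_owned": False, "dc_eu_owned": False, "dc_region": "EU"},  # Stockholm
    "gemini-vertex":   {"vendor_eu_owned": False, "dc_eu_owned": False, "dc_region": "EU"},
    "hypothetical-us": {"vendor_eu_owned": False, "dc_eu_owned": False, "dc_region": "US"},
}

# Tier policies: (policy id, eligibility predicate). Policy ids are constructed.
POLICIES = {
    "eu_strict":    ("POL-EU-STRICT", lambda m: m["vendor_eu_owned"] and m["dc_eu_owned"]),
    "eu_cloud":     ("POL-EU-CLOUD",  lambda m: m["dc_region"] == "EU"),
    "unrestricted": ("POL-GLOBAL",    lambda m: True),
}


def route(model_id, tier, opted_in=False):
    """Evaluate the registry against the tier policy before any provider is
    contacted. Returns (status, body); a 400 never leaves the gateway."""
    policy_id, eligible = POLICIES[tier]
    if tier == "unrestricted" and not opted_in:
        return 400, {"error": "opt_in_required", "policy_id": policy_id}
    model = REGISTRY.get(model_id)
    if model is None or not eligible(model):
        # Unknown models are treated as non-compliant rather than guessed at.
        return 400, {"error": "model_not_compliant", "policy_id": policy_id,
                     "model": model_id}
    return 200, {"model": model_id, "tier": tier, "policy_id": policy_id,
                 "dc_region": model["dc_region"]}


def fingerprint(key, prompt, model_id, tier, user, timestamp):
    """HMAC-SHA256 over the fields the audit record binds together. `key` is a
    constructed gateway secret; JSON encoding keeps field boundaries unambiguous."""
    msg = json.dumps([prompt, model_id, tier, user, timestamp],
                     separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print(route("amazon-nova", "eu_strict"))   # rejected: AWS is US-owned
    print(route("amazon-nova", "eu_cloud"))    # accepted: Stockholm is EU-resident
```

Because the fingerprint covers the tier, the same prompt routed under a different tier yields a different audit record, so a later export cannot silently conflate the two.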

Data subject rights — automated

  • Art. 15 / Art. 20 — one-click JSON export of all user data (profile, balance, usage, conversations, eval runs, consent history).
  • Art. 16 — self-service profile edit.
  • Art. 17 — one-click account deletion; cascades across all linked data. Consent records retained 3 years post-deletion (PII scrubbed) as proof of legal basis per Swedish statute of limitations.
  • Art. 18 / Art. 21 — email support@justsmarter.ai; response SLA 30 days (extendable by 60 days per Art. 12(3)).
  • Art. 77 — right to lodge complaint with the Swedish IMY at imy.se/en.

Sub-processor changes

30-day notice before any new sub-processor is added. You can object; if we can't accommodate, contract terms allow termination without penalty.

Incidents

Material incident notification within 72 hours of detection, regardless of contractual tier. Status page and changelog reflect post-mortems publicly when customer data is involved.

Trust pack

Request the full Trust Pack (signed DPA template, SCCs, security white-paper) at support@justsmarter.ai. We answer within two business days.

Got a security review?

Send us your questionnaire. We answer in plain language, with evidence attached, within two business days.