// Trust center

Your DPO signs the map, not the disclaimer.

Every eval run produces a geographic audit artifact: where the data went, where it didn't, and why. This page is the index of the things you can ask us for, sign with us, and verify against.

// 01 · Posture

What we commit to. What we don't yet.

No vapor. If a control isn't in place we don't list it. The certifications row will grow over time and we'll publish dates as they're issued.

GDPR Article 28 — Data Processing Addendum
Standard data-processor addendum, prepared at contracting.
● Available on request

Standard Contractual Clauses (EU 2021/914)
Module 2 controller-to-processor, signed at contracting.
● Available on request

Per-eval audit artifact
Every run logs prompt fingerprint, models, latencies, costs, scores. Exportable as CSV / JSON / Markdown — usable as evidence for AI Act Art. 15 documentation.
● In place

Schrems II — Transfer Impact Assessment
Per-hosting-tier TIA prepared on first enterprise request.
● Available on request

EU Strict tier — model inference
Mistral models only (Paris, EU-owned vendor and datacenter). No US-owned vendor reaches EU Strict.
● In place

Data residency
Application database, eval logs, and EU Strict / EU Cloud model routing all on EU/EEA infrastructure.
● EU/EEA

Encryption — at rest / in transit
AES-256-GCM at rest with HKDF-derived per-key domain separation; TLS 1.3 in transit.
● In place

Right to erasure (GDPR Art. 17)
Self-service one-click delete; cascades through every linked surface.
● In place

// 02 · Hosting tiers

Three tiers, drawn at the gateway.

EU Strict
EU-OWNED VENDOR · EU-OWNED DC
Mistral family only — EU-owned vendor on EU-owned datacenters. Zero US exposure. Requests never leave EU territory.
Regions: France (Paris)

EU Cloud
EU DATACENTER · MIXED VENDOR
Claude / Nova via EU Bedrock + Gemini via EU Vertex + all Mistral. EU DC, vendor may be US-owned.
Regions: Germany · Sweden · Belgium

Unrestricted
GLOBAL · OPT-IN PER MODEL
OpenAI + Google + Moonshot + EU. Synthetic / public datasets only by default.
Regions: Global · UK · Ireland · all transit

// Gateway behavior
A request to a model outside the active tier returns 400 model_not_compliant before any data leaves the gateway. There is no "leak by default."
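
A fail-closed tier check of the kind described above, built from the model-inference rows of the sub-processor table on this page. This is an added example, not the vendor's gateway code: the function names and the use of vendor labels as route keys are assumptions, and the per-model opt-in is not modelled.

```python
# Added illustration, not the vendor's gateway code. Routes are keyed by the
# vendor labels in the sub-processor table; all function names are hypothetical.
TIER_ALIASES = {"EU Strict": "EU Strict", "Cloud": "EU Cloud",
                "EU Cloud": "EU Cloud", "Unrestricted": "Unrestricted"}

# (vendor, tier cell, ownership) for the model-inference rows of the table.
INFERENCE_ROWS = [
    ("Mistral AI", "EU Strict + Cloud + Unrestricted", "EU"),
    ("Amazon Bedrock (Sweden)", "EU Cloud + Unrestricted", "US-owned, EU DC"),
    ("AWS Bedrock (EU)", "EU Cloud + Unrestricted", "US-owned, EU DC"),
    ("Google Vertex AI (EU)", "EU Cloud + Unrestricted", "US-owned, EU DC"),
    ("Anthropic (direct)", "Unrestricted only", "US"),
    ("OpenAI", "Unrestricted only", "US"),
    ("Google (Vertex AI Global)", "Unrestricted only", "US"),
    ("Moonshot AI", "Unrestricted, opt-in only", "CN"),
]

def tiers_for(cell):
    """Parse a tier cell such as 'EU Strict + Cloud + Unrestricted'."""
    words = (w.strip().removesuffix(" only") for w in cell.replace(",", "+").split("+"))
    return {TIER_ALIASES[w] for w in words if w in TIER_ALIASES}  # 'opt-in' is ignored

def build_policy(rows):
    """Map tier -> set of allowed vendors. Anything not listed is denied."""
    policy = {tier: set() for tier in TIER_ALIASES.values()}
    for vendor, cell, _owner in rows:
        for tier in tiers_for(cell):
            policy[tier].add(vendor)
    return policy

def route(policy, tier, vendor, payload, send):
    """Decide first; send() is only reached for a vendor inside the tier."""
    if vendor not in policy.get(tier, set()):  # unknown tier or vendor: deny
        return 400, "model_not_compliant"
    return 200, send(vendor, payload)

def strict_violations(rows):
    """Audit check: EU Strict inference vendors that are not EU-owned."""
    return [v for v, cell, owner in rows
            if "EU Strict" in tiers_for(cell) and owner != "EU"]

if __name__ == "__main__":
    policy = build_policy(INFERENCE_ROWS)
    forwarded = []  # records every upstream call actually made
    send = lambda vendor, payload: forwarded.append(vendor) or "ok"
    print(route(policy, "EU Strict", "OpenAI", "prompt", send), forwarded)
    print(route(policy, "EU Strict", "Mistral AI", "prompt", send), forwarded)
    print(strict_violations(INFERENCE_ROWS))
```

Recording the upstream calls, as the `forwarded` list does, is what lets a reviewer confirm that a rejected request produced no outbound traffic rather than only an error code.
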
// 03 · Sub-processors

Who touches your data.

Every potential sub-processor that might touch your data, with the hosting tier that engages it. Updated when it changes; you're notified 30 days before any addition. EU Strict requests never engage any processor outside that row group.

| Vendor | Role · Tier | Location | Ownership |
|---|---|---|---|
| Brain Orchestra (Xalerate AB) | LLM gateway · all tiers | europe-west4, NL | EU · sister company |
| Railway | Application hosting · PostgreSQL · all tiers | europe-west4, NL | US-owned, EU DC |
| Resend | Transactional email · all tiers | EU routing | US-owned |
| Stripe | Billing · all tiers | Ireland | US-owned, EU entity |
| Mistral AI | Model inference · EU Strict + Cloud + Unrestricted | Paris, FR | EU |
| Amazon Bedrock (Sweden) | Nova inference · EU Cloud + Unrestricted | Stockholm, SE | US-owned, EU DC |
| AWS Bedrock (EU) | Anthropic / Nova · EU Cloud + Unrestricted | Frankfurt, DE | US-owned, EU DC |
| Google Vertex AI (EU) | Gemini · EU Cloud + Unrestricted | Belgium | US-owned, EU DC |
| Anthropic (direct) | Claude · Unrestricted only | San Francisco, US | US |
| OpenAI | GPT · Unrestricted only | San Francisco, US | US |
| Google (Vertex AI Global) | Gemini · Unrestricted only | Mountain View, US + global | US |
| Moonshot AI | Kimi · Unrestricted, opt-in only | Beijing, CN | CN |

Row order: always-engaged platform rows and EU-resident model rows come first. EU Cloud rows sit in the middle (same processors but US-owned operator). Unrestricted-only rows come last and are never engaged on Strict or Cloud routing.

Ask us anything.

Trust packs, signed DPAs, security questionnaires, vendor reviews. We answer within two business days.