Solvgent
SECURITY · DATA · COMPLIANCE

Security is the floor, not the feature.

Solvgent is built for agencies, e-commerce teams, and franchises whose IT review treats data handling as a precondition. This page is the artifact your security team needs.

At a glance

Hosting jurisdiction

EU-controlled hosting in Germany (Frankfurt region). No third-country data transfer in normal operation.

Encryption

TLS 1.3 in transit · AES-256 at rest · per-tenant key isolation.

Breach notification

GDPR Article 33 compliant: 72-hour disclosure window from confirmed incident.

Practices in detail

Encryption at rest and in transit

All customer data is encrypted at rest using AES-256. Data in transit uses TLS 1.3 with modern cipher suites; all marketing and product surfaces enforce HTTPS with HSTS preload. Database connections use mutual TLS.

Authentication

Email + password with required MFA on the Agency Pro and Enterprise tiers. Passkey support is on the roadmap. SSO via SAML 2.0 is available for Enterprise customers; contact us to scope IdP integration.

Tenant isolation

Brand-brain learning data is scoped to a single tenant. Postgres row-level security enforces tenant boundaries at the database layer. Cross-tenant data access is structurally impossible by design. Upstream AI providers (Anthropic, OpenAI) operate under enterprise terms that prohibit training foundation models on Solvgent customer prompts.

Data residency

The production database is hosted in the EU (Frankfurt). Object storage is EU-controlled. No customer data is transferred to non-EU jurisdictions in normal operation. The sub-processor list at /legal/sub-processors documents the full data path.

Backups and business continuity

Encrypted daily snapshots with 7-day point-in-time recovery on the production database. Off-region encrypted backups retained 30 days. Documented restore drill quarterly.

Vulnerability management

Dependency vulnerabilities are scanned on every commit via automated security tooling. Our patching commitments — critical CVE within 24 hours, high within 72, medium within 14 days — are documented for customers under NDA. A third-party penetration test is on the roadmap; the summary report will be available under NDA to customers on Agency Pro and above once it lands.

Incident response

Breach notification within 72 hours of confirmed material incident, in line with GDPR Article 33. Customers on Agency Pro and above receive direct notification with technical detail. A status page will go live at status.solvgent.com alongside the first pilot.

Audit posture

SOC 2 Type II audit and ISO 27001 evaluation are on our roadmap. We will publish dated commitments here as the audits are scoped and underway. The GDPR Article 28 Data Processing Agreement is published at /legal/dpa and accepted without redlines by the vast majority of customers. EU Standard Contractual Clauses are incorporated by reference.

EU AI Act compliance

Every AI-generated asset carries ai_generated metadata per Article 50. Caption-level disclosure language is supported automatically. Each connected platform's AI labeling policy is respected.

Reporting a vulnerability

If you've found a security issue, please email security@solvgent.com. We commit to acknowledging your report within 24 hours and providing a status update within five business days. We do not currently offer paid bounties — but we publicly credit researchers (with consent) and respond fast.
