Security
EUSecureAI (CVR 33362773) · Last updated: April 2026
This page explains how EUSecureAI is built and operated from a security and data protection perspective. We aim to be transparent about our infrastructure, practices, and the controls in place to protect your data.
Infrastructure & Hosting
EUSecureAI is hosted exclusively on servers in the European Union. Our application server runs on an OVH VPS located in Frankfurt, Germany. Our database is provided by OVH and is hosted within the EU/EEA. No customer data is transferred outside the European Economic Area.
- Application server: OVH VPS, Frankfurt, Germany (EU)
- Database: OVH managed PostgreSQL, EU region
- Transactional email: SendGrid, sent over HTTPS — no message content stored
- AI inference: Nebius AI, EU-hosted infrastructure
Data Protection & GDPR
EUSecureAI is a Danish company, and our platform is designed to comply with the General Data Protection Regulation (GDPR). We act as a data processor for the organizations that use our platform.
- Your data stays within the EU/EEA at all times
- We do not sell or share your data with third parties for commercial purposes
- We process only the data necessary to provide the service
- Data deletion requests can be submitted to privacy@eusecureai.com
Encryption & Transport Security
All traffic between your browser and our servers is encrypted using TLS (HTTPS). We do not serve any content over unencrypted HTTP. Database connections are encrypted in transit. Passwords are never stored — authentication is handled exclusively via email magic links (no password to steal or leak). TOTP secrets used for two-factor authentication are encrypted at rest using AES-256-GCM.
Two-Factor Authentication (2FA)
EUSecureAI supports organisation-enforced two-factor authentication (2FA) using TOTP (Time-based One-Time Password, RFC 6238), compatible with standard authenticator apps such as Google Authenticator, Microsoft Authenticator, and Authy. Organisation owners can require 2FA for all members, with a 7-day grace period to allow smooth onboarding.
Users who sign in via Microsoft OAuth (Azure AD) are exempt from the TOTP requirement, as Microsoft's own authentication already enforces MFA at the identity provider level. TOTP secrets are encrypted at rest using AES-256-GCM and are only persisted after the user successfully verifies a valid code. Backup codes are single-use and stored as bcrypt hashes.
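The enrollment rule described above (a TOTP secret is persisted only after the user verifies a valid code, and is stored under AES-256-GCM) is illustrated below in Node.js. This is an added example, not EUSecureAI's code; the function names, the in-memory `db` Map, the one-step drift window and the `nonce || tag || ciphertext` record layout are assumptions.

```javascript
// Added illustration: all names and the storage layout are hypothetical.
const crypto = require('node:crypto');

// RFC 6238 TOTP: HMAC-SHA1 over the 8-byte big-endian time-step counter,
// followed by RFC 4226 dynamic truncation.
function totp(secret, unixSeconds, step = 30, digits = 6) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = crypto.createHmac('sha1', secret).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// Accept the current step and one step either side (assumed drift window),
// comparing in constant time.
function verifyTotp(secret, code, unixSeconds) {
  return [-1, 0, 1].some((w) => {
    const expected = Buffer.from(totp(secret, unixSeconds + w * 30));
    const given = Buffer.from(String(code));
    return given.length === expected.length && crypto.timingSafeEqual(given, expected);
  });
}

// AES-256-GCM with a fresh 96-bit nonce per record; stored as nonce || tag || ciphertext.
function encryptSecret(key, secret) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(secret), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function decryptSecret(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the nonce, tag or ciphertext was modified.
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Enrollment: the pending secret stays out of the store until a valid code
// proves the user's authenticator app actually holds it.
function confirmEnrollment(db, key, userId, pendingSecret, code, now) {
  if (!verifyTotp(pendingSecret, code, now)) return false;
  db.set(userId, encryptSecret(key, pendingSecret));
  return true;
}
```

Because GCM authenticates the record, a stored secret that has been altered fails decryption instead of silently yielding a different TOTP key.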
Access Control (RBAC)
Access within EUSecureAI is governed by a role-based access control (RBAC) system with three tiers:
- Member — can use the AI support chat and personal settings
- Admin — can manage team members, knowledge base, and widget settings
- Owner — full control including workspace and billing settings
Each route is protected server-side — role checks are enforced at the API and server component level, not only in the UI. Users cannot access functionality beyond their assigned role.
Audit Logging
EUSecureAI maintains an audit log of significant administrative actions within each workspace — including member invitations, role changes, and member removals. The audit log is accessible to Admins and Owners and is append-only. This allows organizations to track who did what and when.
AI Transparency
The AI assistant in EUSecureAI generates responses exclusively based on documents uploaded to your organization's knowledge base. It does not browse the internet, use data from other organizations, or draw on information outside your uploaded content. Every response cites the source document it is based on.
The underlying language model is provided by Nebius AI and runs on EU-hosted infrastructure. Your documents and conversations are not used to train any AI model — by us or by our AI provider.
Backup & Reliability
Our database is managed by OVH and benefits from automated backups as part of their managed PostgreSQL offering. The application is deployed using PM2 process management with automatic restarts on failure. We operate behind an nginx reverse proxy with TLS termination.
We do not publish an SLA for the current plan tier, but we take uptime seriously and monitor the service actively.
Vulnerability Disclosure
If you discover a security vulnerability in EUSecureAI, please report it responsibly by emailing security@eusecureai.com. We will acknowledge your report within 72 hours and work to resolve confirmed issues promptly.
Questions
For any security or data protection questions, contact us at security@eusecureai.com or see our Privacy Policy.