One URL for a vendor security review: subprocessors, data residency, retention proof, DPA, and attestation roadmap. If your procurement team needs a CAIQ / SIG questionnaire completed, email security@ephemera.sh — most of the answers are below.
Third parties that may process customer or account data. Region is where the listed processing happens; rows that serve only US tenants say so. Effective 2026-06-04. We give at least 30 days' notice before adding or replacing a subprocessor that processes your data on our behalf. Vendors we engage for our own billing are disclosed in our privacy notice, not here.
| Subprocessor | Purpose | Region | Data |
|---|---|---|---|
| Scaleway | Compute, object storage, control-plane DB, transactional email (EU) | EU (FR) | Cluster dumps, findings, PDFs, account data, email address, notification content |
| DigitalOcean | Compute + Spaces (US region) | US | US-tenant dumps, findings, PDFs |
| BunnyCDN (bunny.net) | Static asset CDN / edge | EU-config | Marketing site assets only |
| Mistral AI | LLM for EU tenants (direct, in-region) | EU (FR) | Redacted findings text only |
| Anthropic | LLM for US tenants (direct, in-region) | US | Redacted findings text only (US tenants) |
| Sentry | Error monitoring | EU (DE) | Stack traces, request metadata (no cluster data) |
| iubenda | Consent management / cookie banner | EU | Consent records |
| Plausible | Privacy-friendly analytics | EU | Aggregate page views (no cookies, no PII) |
| Tawk.to | Live chat widget (marketing site) | US | Chat messages you send us |
For stored data, EU-tenant cluster dumps, findings, PDFs and the control-plane DB stay in EU infrastructure, and US-tenant data stays in US infrastructure. The EU and US deployments run on separate, region-pinned databases (EU on Scaleway, US on DigitalOcean), and a tenant's record lives solely in its home-region database: there is no cross-region replication.
The AI layer is region-local too. Each region calls its own LLM provider directly, at that provider's in-region endpoint — EU tenants to Mistral in France, US tenants to Anthropic in the US — with no shared cross-region aggregator in the path. Prompts are built from redacted findings only (no secrets, no raw manifests), so an EU tenant's text stays in the EU. Provider-side retention and no-training commitments are a separate contractual matter covered by each provider's DPA. See our routing notes for detail.
Raw artifacts auto-delete within 24 hours. Every deletion is written to an append-only, ed25519-signed retention log, so you can independently verify a given artifact was destroyed. See the retention policy.
How a deletion becomes a signed receipt:

1. Secrets are stripped client-side; the redacted dump uploads over TLS to your region.
2. The object lands in storage in your region with a delete_at of upload + 24h set at write time. EU uploads add Object-Lock (WORM) write-once enforcement.
3. Every minute, past-deadline objects (every version) are deleted and each one's SHA-256 is recorded.
4. An ed25519-signed entry is appended to a separate, write-only log bucket, which is provider- and region-specific (Scaleway for EU, DigitalOcean for US), replicated to a second region in the same jurisdiction for disaster recovery, and retained permanently.
Each retention-log entry is ed25519-signed over all of the following fields, joined in order — so altering any one of them invalidates the signature:
| Field | Meaning |
|---|---|
| seq | Monotonic 1-based position in the append-only chain. |
| prev_hash | The entry_hash of the previous entry (64 zero chars at seq 1) — links the chain so deleting or reordering any entry is detectable. |
| entry_hash | SHA-256 over the canonical entry (every field except entry_hash and signature), so it folds in seq and prev_hash. |
| timestamp | UTC instant the deletion ran (ISO 8601). |
| job_id | The audit job, or an age-sweep:… / empty-folders:… id for the scheduled cleanup sweeps (which aren't tied to a single job). |
| tenant_id | Owning tenant (null for the scheduled age / folder sweeps, which aren't tied to one tenant). |
| region | Data-residency region the deletion ran in (eu / us) — backed by Scaleway (EU) / DigitalOcean (US). |
| verb | DELETE (deadline-driven), AGE_SWEEP, or FOLDER_SWEEP. |
| age_seconds | Age threshold applied — 0 for deadline deletes, 86400 for the 24h sweep. |
| deleted_objects | One <object-key>:<sha256> per artifact removed. |
| signature | ed25519 signature (hex) over the fields above. Verify with our published public key. |
To verify offline, recompute two things: the hash chain, and the signed string, whose signature you then check against the published public key.

1. entry_hash is the SHA-256 of the entry with entry_hash and signature removed, serialized as compact JSON with sorted keys ({"a":1}-style, no spaces). Each entry's prev_hash must equal the previous entry's entry_hash (64 zero characters for seq 1), and seq must be contiguous, so any edit, deletion, or reordering breaks the chain.
2. signature is an ed25519 signature over the fields in the table above joined with | in exactly that order (seq, prev_hash, entry_hash, timestamp, job_id, tenant_id, region, verb, age_seconds), with each deleted object appended as its own <object-key>:<sha256> segment; tenant_id is the empty string for the scheduled sweeps that aren't tied to one tenant. Verify that string's signature with our public key. Because entry_hash is itself part of the signed string, a signature that verifies also vouches for the seq and prev_hash it folds in.
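The two halves of that procedure, the signed-entry append described under "How a deletion becomes a signed receipt" and the offline check above, as one worked example in Go using only the standard library. This is an added example, not code from ephemera.sh: it assumes | as the field separator in the signed string, a log export shaped as a JSON array of entry objects with the table's field names, and it signs three constructed EU entries (sample tenant, job ids and object keys, with one stand-in SHA-256 reused for every artifact) under a throwaway fixed-seed key in place of the published one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Entry holds the retention-log fields from the table above, in signing order.
type Entry struct {
	Seq            int      `json:"seq"`
	PrevHash       string   `json:"prev_hash"`
	EntryHash      string   `json:"entry_hash"`
	Timestamp      string   `json:"timestamp"`
	JobID          string   `json:"job_id"`
	TenantID       *string  `json:"tenant_id"` // nil (JSON null) for the scheduled sweeps
	Region         string   `json:"region"`
	Verb           string   `json:"verb"`
	AgeSeconds     int      `json:"age_seconds"`
	DeletedObjects []string `json:"deleted_objects"` // one "<object-key>:<sha256>" each
	Signature      string   `json:"signature"`
}

var genesisPrev = strings.Repeat("0", 64) // prev_hash of seq 1
func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// canonicalJSON: entry minus entry_hash and signature as compact, key-sorted JSON (a Go map marshals that way); SetEscapeHTML(false) keeps '<', '>' and '&' literal.
func canonicalJSON(e Entry) []byte {
	m := map[string]any{"seq": e.Seq, "prev_hash": e.PrevHash, "timestamp": e.Timestamp,
		"job_id": e.JobID, "tenant_id": e.TenantID, "region": e.Region, "verb": e.Verb,
		"age_seconds": e.AgeSeconds, "deleted_objects": e.DeletedObjects}
	var sb strings.Builder
	enc := json.NewEncoder(&sb)
	enc.SetEscapeHTML(false)
	_ = enc.Encode(m) // strings, ints and a []string only: cannot fail
	return []byte(strings.TrimRight(sb.String(), "\n"))
}

// signingString joins the fields in table order with "|" (separator assumed), tenant_id as "" when null, then one segment per deleted object.
func signingString(e Entry) string {
	tenant := ""
	if e.TenantID != nil {
		tenant = *e.TenantID
	}
	parts := []string{fmt.Sprint(e.Seq), e.PrevHash, e.EntryHash, e.Timestamp,
		e.JobID, tenant, e.Region, e.Verb, fmt.Sprint(e.AgeSeconds)}
	return strings.Join(append(parts, e.DeletedObjects...), "|")
}

// AppendEntry is the writer side (the signed-entry append): chain, hash, sign, append.
func AppendEntry(log []Entry, priv ed25519.PrivateKey, e Entry) []Entry {
	e.Seq, e.PrevHash = len(log)+1, genesisPrev
	if len(log) > 0 {
		e.PrevHash = log[len(log)-1].EntryHash
	}
	e.EntryHash = sha256Hex(canonicalJSON(e))
	e.Signature = hex.EncodeToString(ed25519.Sign(priv, []byte(signingString(e))))
	return append(log, e)
}

// VerifyLog is the offline check: contiguous seq, prev_hash chain, recomputed entry_hash, and an ed25519 signature that verifies under the published key.
func VerifyLog(log []Entry, pub ed25519.PublicKey) error {
	prev := genesisPrev
	for i, e := range log {
		if e.Seq != i+1 || e.PrevHash != prev {
			return fmt.Errorf("position %d (seq %d): chain broken", i, e.Seq)
		}
		if sha256Hex(canonicalJSON(e)) != e.EntryHash {
			return fmt.Errorf("seq %d: entry_hash mismatch", e.Seq)
		}
		if sig, err := hex.DecodeString(e.Signature); err != nil || !ed25519.Verify(pub, []byte(signingString(e)), sig) {
			return fmt.Errorf("seq %d: signature does not verify", e.Seq)
		}
		prev = e.EntryHash
	}
	return nil
}

// BuildSampleLog signs three constructed EU entries with a throwaway fixed-seed key standing in for the real signing key; a verifier only ever needs the public half.
func BuildSampleLog() ([]Entry, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed([]byte(strings.Repeat("x", ed25519.SeedSize)))
	tenant, h := "t-7f3a", sha256Hex([]byte("constructed redacted dump")) // stand-in artifact hash
	var log []Entry
	for _, e := range []Entry{
		{Timestamp: "2026-06-05T08:13:00Z", JobID: "job-1042", TenantID: &tenant, Region: "eu", Verb: "DELETE", DeletedObjects: []string{"eu/t-7f3a/job-1042/dump.json.gz:" + h}},
		{Timestamp: "2026-06-05T09:00:00Z", JobID: "age-sweep:sample-1", Region: "eu", Verb: "AGE_SWEEP", AgeSeconds: 86400, DeletedObjects: []string{"eu/t-7f3a/job-1039/findings.json:" + h}},
		{Timestamp: "2026-06-05T10:42:00Z", JobID: "job-1051", TenantID: &tenant, Region: "eu", Verb: "DELETE", DeletedObjects: []string{"eu/t-7f3a/job-1051/dump.json.gz:" + h, "eu/t-7f3a/job-1051/report.pdf:" + h}},
	} {
		log = AppendEntry(log, priv, e)
	}
	return log, priv.Public().(ed25519.PublicKey)
}

func main() {
	log, pub := BuildSampleLog()
	fmt.Println("intact log:", VerifyLog(log, pub), "/ seq 2 dropped:", VerifyLog([]Entry{log[0], log[2]}, pub))
}
```

To check a real export, unmarshal the downloaded JSON into a []Entry and call VerifyLog with the published key in place of the sample one; the canonical-JSON and separator details are the assumptions to confirm against the page first, since either mismatch shows up as an entry_hash or signature failure on every entry rather than on a tampered one.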
The log lives in a dedicated, versioned, private bucket on your data plane's provider and region, EU (Scaleway) or US (DigitalOcean), and is never public. The cron holds PutObject only, so entries can be appended but never edited or deleted, and every entry is replicated to a second region within the same jurisdiction for disaster recovery (the copy never leaves your jurisdiction). Whatever the bucket policy, the chain checks above are what let you detect a replaced or missing entry from the export alone. The log is reachable only through the authenticated dashboard, scoped to your own tenant: use Download signed log (JSON) under Trust → Retention log to export the full set of signed entries and verify them offline as above.
Questions a questionnaire doesn't cover? security@ephemera.sh.