Security & Data Protection

How Ercel Security protects your data and our infrastructure.

Security standards

GDPR
EU Data Residency
TLS 1.3
AES-256

EU Data Residency

All Ercel Security infrastructure resides within the European Union. Scan results are processed via the Anthropic API (USA) for findings enrichment, under the EU-US Data Privacy Framework (see the privacy policy).

  • Hetzner: application servers in Falkenstein, Germany
  • Supabase: PostgreSQL database in the EU region
  • Cloudflare: CDN and WAF using European endpoints
  • Resend: transactional email processing in the EU

Encryption & Infrastructure

Encryption

  • TLS 1.3 for all connections in transit
  • AES-256 encryption at rest (Supabase / PostgreSQL)
  • No plaintext storage of sensitive data
  • Payments via Stripe (PCI DSS Level 1) — no card data touches our systems

Infrastructure

  • Isolated process with resource limits
  • Firewall with reverse proxy (Caddy) — direct traffic blocked
  • Automated health checks and monitoring
  • SSRF protection: blocks localhost, private IPs, and metadata endpoints
  • Graceful shutdown for zero data loss
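The SSRF bullet above describes a control without showing it. The following is an added illustration, not Ercel's own code, of what such a guard typically does before a scanner opens an outbound connection: it rejects non-HTTP schemes, resolves the target, and refuses any address that is loopback, private, link-local (which covers the 169.254.169.254 cloud metadata address), multicast, reserved or unspecified, as well as the GCE metadata hostname. The hostnames, the pluggable `resolver` parameter and the default resolution via `socket.getaddrinfo` are assumptions made for this example.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hostnames that must never be contacted regardless of what they resolve to.
# (Constructed for this example; 169.254.169.254 itself is link-local and is
# caught by the range checks below.)
BLOCKED_HOSTNAMES = {"metadata.google.internal"}
ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_ip(ip: IPAddress) -> bool:
    """True if the address is not a publicly routable destination."""
    return (
        ip.is_loopback
        or ip.is_private        # RFC 1918, ULA, etc.
        or ip.is_link_local     # 169.254.0.0/16 incl. cloud metadata, fe80::/10
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified    # 0.0.0.0 / ::
    )


def resolve_host(host: str) -> List[str]:
    """Default resolver: every address the system resolver returns for host."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def check_target(
    url: str, resolver: Callable[[str], List[str]] = resolve_host
) -> Tuple[bool, str]:
    """Decide whether an outbound scan request to url may proceed.

    Returns (allowed, reason). Fails closed: anything that cannot be parsed or
    resolved is rejected, and every resolved address must pass the checks.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname  # lowercased, brackets stripped for IPv6 literals
    if not host:
        return False, "missing host"
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        return False, "blocked hostname"

    try:
        addrs: List[IPAddress] = [ipaddress.ip_address(host)]  # literal IP
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError):  # socket.gaierror is an OSError
            return False, "unresolvable host"

    for ip in addrs:
        # ::ffff:10.0.0.1 is really 10.0.0.1; check the embedded IPv4 address.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if is_blocked_ip(ip):
            return False, f"{ip} is not publicly routable"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "http://127.0.0.1:8080/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:10.0.0.1]/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_target(candidate))
```

Two points matter when using a guard like this in practice. First, the check must apply to the address the HTTP client actually connects to: resolving once for validation and again inside the client leaves a window for DNS rebinding, so either pin the validated address for the connection or validate inside the client's connection hook. Second, redirects open a new target, so each redirect location has to go through the same check rather than being followed automatically.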

Black-Box Methodology (External Assessment)

We assess your AI system from the outside, with no access to internal systems. Scan results are processed via the Anthropic API to enrich findings with regulatory context (full details in our privacy policy).

  • We only interact with publicly accessible system endpoints
  • Text-only interactions via the public interface
  • No access to source code, databases, or infrastructure
  • Equivalent to what a real attacker or regulatory inspector would see

Data Protection (GDPR)

We follow strict data minimization and retention policies compliant with the General Data Protection Regulation.

  • Assessment data automatically deleted after 90 days
  • Immediate deletion request via [email protected]
  • Prospect data anonymization after retention period
  • No tracking cookies — only Plausible Analytics (privacy-first, no cookies)

Your rights

Under the GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Have your data erased
  • Receive your data in a portable format (data portability)
  • Object to processing
  • Restrict processing

Contact: [email protected]. Supervisory authority: Spanish Data Protection Agency (AEPD).

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a vulnerability in our systems, we appreciate responsible disclosure.

  • Contact: [email protected]
  • Acknowledgment of receipt within 48 hours
  • Initial assessment within 5 business days
  • No legal action against researchers acting in good faith
  • See /.well-known/security.txt for machine-readable disclosure policy

Last updated: March 2026. Security inquiries: [email protected]