Security & GDPR

Data residency, DPA, subprocessors, right-to-erasure, SSO, audit logs.

Where is my data stored?

EU regions only. Postgres database in EU-West-1 (Supabase, AWS Frankfurt), edge function workers in EU PoPs, file storage in EU-West-1 (Supabase Storage). No data leaves EU borders. Full data-flow diagram.

Do you offer a Data Processing Agreement (DPA)?

Yes. Read or download our DPA. It covers GDPR Article 28 obligations, sub-processor list, security measures, data-breach notification (72h), and your rights as data controller.

Subprocessors list

Easy RFP uses these subprocessors: Supabase (database + auth + storage), Cloudflare (CDN + Pages), Resend (transactional email), Stripe (billing), Apify (hotel data enrichment, EU-region only), Anthropic + OpenAI (proposal parsing, zero-data-retention contracts). Full list with regions and DPA links.

GDPR right-to-erasure

Hotels can request data erasure from their hotel dashboard (Article 17). Planners can request erasure via [email protected]. Both routes complete within 30 days and we provide written confirmation.

SSO (SAML)

Available on Team and Enterprise plans. Configure under /app/admin/sso. We support Okta, Azure AD, Google Workspace, and any SAML 2.0 IdP. Domain claim required (we verify ownership before activating).

Audit log

Enterprise plans get a hash-chained audit log of every state-changing action (RFPs, proposals, user invites, billing changes, data exports). Tamper-evident SHA-256 chain — verify integrity at /app/admin/audit any time.
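
How a SHA-256 hash chain makes a log tamper-evident, as an added illustration: this is not Easy RFP's code or log format, and the record fields, the all-zero genesis value and the canonical-JSON encoding are assumptions. It also shows why a verifier should hold the latest head hash outside the log, since truncation or a full re-chain passes an internal check.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value that the first entry links to


def entry_hash(prev_hash, record):
    # Canonical JSON (sorted keys, fixed separators) so a record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(chain, record):
    # Each entry commits to the hash of the entry before it.
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})


def verify(chain, expected_head=None):
    """Return the index of the first entry that breaks the chain, or None if intact.

    expected_head is a head hash stored outside the log (for example in an
    earlier export). Without it, dropping the newest entries or rewriting
    every hash after an edit cannot be detected.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)  # chain is self-consistent but does not end where it should
    return None


def sample_chain():
    # Constructed sample records; actors and actions are invented for the example.
    chain = []
    for seq, (actor, action) in enumerate([
        ("alice@example.com", "rfp.create"),
        ("alice@example.com", "user.invite"),
        ("bob@example.com", "data.export"),
        ("alice@example.com", "billing.change"),
    ]):
        append(chain, {"seq": seq, "actor": actor, "action": action})
    return chain
```
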

Still stuck? Email [email protected] — average response < 24 hours.