BridgekitBridgekit

Security & compliance

Built so the procurement question doesn't have to be re-asked.

Bridgekit's architecture is the answer to GDPR, Schrems II, NIS2 and the EU AI Act, not a feature you bolt on later.

EU-sovereign infrastructure

Compute, database, identity and queues all run inside EU jurisdiction. Off-site backups in France. Transactional email via a French provider. There is no AWS, Azure or Google Cloud anywhere on your customer-data path. Sovereignty is the architecture, not a configuration option.

Encrypted secrets, by default

Every credential your workflows use is wrapped in AES-256-GCM with a versioned envelope on its way to the database. Plaintext lives only in memory during step execution. Logs are scrubbed. Backups are encrypted. Key rotation is supported without re-encrypting at rest.

Multi-tenant isolation

Three independent layers enforce tenant boundaries: query filter, save-changes interceptor, automated integration tests. Database-backed authorization means a stolen JWT alone never grants access, every request is checked against an active membership row before proceeding.

Audit by construction

Every state change in the engine produces a tenant-scoped, queryable audit event. The answer to 'who did what, on whose authority, when' is always one query away. Exportable as evidence, retention configurable per plan.

Compliance frameworks

We don't claim Bridgekit makes you compliant, compliance depends on how you use any tool. What Bridgekit does is take the data-residency and US-cloud-exposure questions off your plate.

Reg. 2016/679

GDPR

EU's general data protection regulation. Bridgekit's hosting and data-processing arrangements stay within the EU, which simplifies your DPIA significantly.

CJEU 2020

Schrems II

Transfers of personal data from the EU to the US generally require additional safeguards. With no CLOUD-Act-exposed providers in the path, the transfer question doesn't arise.

Reg. 2024/1689

EU AI Act

Sets requirements on AI systems used in the EU, including data-source and traceability. Bridgekit's planned LLM integrations are EU-sovereign so 'where does the AI run' has a clean answer.

Dir. 2022/2555

NIS2

Cybersecurity obligations for important and essential entities, including supply chain. A US-cloud SaaS in your pipeline is a NIS2-relevant supply-chain dependency. We aren't one.

Legal frameworks evolve; talk to your DPO or counsel before relying on any tool, including ours, for compliance certification.

Where Bridgekit runs

Application servers and the primary database run on Hetzner Cloud in Germany. Off-site backups go to Scaleway Object Storage in France. Transactional email is delivered by Scaleway TEM in Paris. Identity is Keycloak self-hosted on the same EU-jurisdiction infrastructure. Domain registrations, DNS and TLS are with EU-based providers. We document every dependency in our internal Architecture Decision Records and update this page when the architecture changes.

Need a Data Processing Agreement?

We have a standard DPA template ready. We're happy to negotiate edits with your legal team, direct to a person, not a form.

Request DPA