Compliance & security.
We are a production AI studio, not a CISO-as-a-service. Below is the posture we commit to today, the documents we share under NDA, and the controls we have implemented internally. We are happy to walk a security or DPO team through any of it on a 30-minute call.
1. Stance
We build AI features that touch real user data in regulated environments. That means we treat data handling, auditability, and model-provider terms as part of the engineering scope, not as a separate compliance line item bolted on later.
We are GDPR-ready; we are not ISO 27001 or SOC 2 certified today. Where a client requires either, we operate inside their security envelope (their identity provider, their cloud tenancy, their logging) and document our share of the control matrix.
2. Data residency
- Default infrastructure: Vercel (US edge with EU regions available), Postgres host in the EU, model inference in EU regions when the provider offers it.
- EU-only mode (on request): Vercel EU region pinning, OVH or Scaleway hosting, model inference via Anthropic on AWS Bedrock EU, OpenAI on Azure EU, or Mistral (FR-native). We document the data flow and the egress surface in the architecture deliverable.
- Client-tenant mode: we deploy into your VPC, your cloud account, your container platform. No data leaves your perimeter.
3. Model providers & data handling
- Anthropic, OpenAI, Mistral, Google Vertex. Enterprise tier contracts when the scope or sector requires it. Zero data retention and no training on client data are contractual defaults on the enterprise tiers we use.
- We pass model-provider DPAs through to the client and align retention windows with the strictest of (a) the provider default, (b) your DPA, (c) the regulatory floor for your sector.
- Where the use case allows, we minimize raw prompts: redaction of personal identifiers, tokenization of sensitive fields, and structured outputs over free-form text wherever it does not degrade the agent.
4. Subprocessors
This is our standard stack of subprocessors for a typical engagement. The exact list is scoped per project and shared in writing.
- Hosting: Vercel Inc. (US, EU regions available)
- Model providers: Anthropic PBC (US), OpenAI LLC (US), Mistral AI (FR), Google LLC (US, Vertex EU regions)
- Database: Neon, Supabase, or client-provided Postgres
- Vector storage: pgvector inside the project database, or Pinecone EU when scale requires
- Observability: Axiom, Logflare, or client-provided observability
- Email: Resend or Postmark on request
We update the list when we add or remove a subprocessor mid-engagement, with advance notice.
5. Technical & organizational measures (TOMs)
- Access control: least-privilege by default. Engineers have access only to the repositories and environments scoped to their mission. MFA enforced on every admin surface (Vercel, model providers, Postgres, GitHub).
- Secrets management: Vercel encrypted environment variables or the client’s secrets manager. No secrets in repo, no secrets in logs.
- Encryption: TLS 1.2+ in transit, AES-256 at rest on managed providers. Database backups encrypted.
- Logging & audit: structured logs with PII redaction before write. 90-day default retention, configurable per engagement. Tool-use traces of AI agents are recorded for evaluation and incident analysis.
- Incident response: initial acknowledgement within 24 hours of detection, post-mortem within 7 days, named contact during the engagement and the 30-day warranty window. Optional retainer for continued on-call coverage.
- Engineer offboarding: access revoked the day a mission ends, logged.
6. PII & sensitive data
- Personal identifiers are minimized at ingestion. We do not collect what we will not use.
- Logs are redacted before storage. We default to opt-in for any logging that could capture user content.
- We never train on client data. Our subprocessors never train on client data (contractually enforced on the enterprise tiers we use).
- Right of access, rectification, and erasure flows are designed into every agent we ship that touches identifiable users.
7. What is out of scope
The following sit outside our default delivery and need a scoped sub-engagement, a partner, or both:
- PCI-DSS card-data handling beyond tokenized references
- HIPAA / PHI workloads (we support EU health data under GDPR and the upcoming EHDS framework on request)
- Classified or defense-grade environments
- SOC 2 or ISO 27001 audit deliverables produced by us (we support the audit, we do not author it)
8. Documents available on request
Under NDA, before or during the engagement:
- Standard DPA template aligned with EU SCCs
- Full subprocessors list with country of processing
- TOMs one-pager (this page, condensed)
- Architecture diagram of the data flow for your specific scope
- Response to your security questionnaire (most common vendor due diligence questionnaires answered in < 5 business days)
- DPIA support and review
- NDA template (or signature of yours)
9. Contact
Security, compliance, DPO inquiries: jerome@manibor.com. Initial response within one business day.