— trust centre
Procurement teams shouldn't have to negotiate access to basic facts. The full sub-processor register, the residency map, the certification roadmap, and the contractual commitments live on this page so a buyer can vet Estøkad without touching us.
— quick access
Encryption, KMS, audit chain, vulnerability disclosure.
GDPR Article 28. Sub-processor authorisation. Breach notification within 24h.
What we collect, why, retention table, GDPR rights routing.
Content + conduct prohibitions. Notice and takedown. Enforcement.
Legal entity, registry, supervisory authority, competent court.
Send your CAIQ, SIG, or company-specific questionnaire. We turn it round.
— sub-processors
Customers are notified at least 30 days before a new sub-processor is added. Workspaces with module-gated sub-processors (e.g. WorkOS for SAML/SCIM) only have those entries in their effective register. The Studio version of this register lives at /settings/compliance/sub-processors per workspace.
| Processor | Role | Country | Mechanism |
|---|---|---|---|
| Scaleway SAS Infrastructure | Infrastructure (PostgreSQL, Object Storage, container hosting) | France | EU-domiciled — DPA |
| Bunny.net CDN | CDN for asset delivery and imgproxy variants | Slovenia | EU-domiciled — DPA |
| Cloudflare CDN / DNS | DNS, edge TLS termination | United States (EU operations) | SCCs + EU operations |
| Resend | Transactional email (magic links, contact form, alerts) | United States (EU region in use) | SCCs + EU region |
| Stripe Payments Europe Ltd. Billing | Billing, payment processing, invoices | Ireland | EU-domiciled — DPA |
| Sentry GmbH Observability | Error monitoring and observability (EU instance) | Germany | EU-domiciled — DPA |
| WorkOS SSO | SAML/SCIM identity (only when SAML/SCIM module active) | United States | SCCs — activated per-customer |
| Kontrol Sentinel Analytics | Marketing-site analytics (consent-gated) | European Union | EU residency |
— residency
Each region is an independent Postgres + Object Storage + queue stack. There is no cross-region replication. Switching regions is a migration with parallel-period verification, not a config change. Sovereign-cloud (customer-dedicated) is available on the Sovereign tier.
| Region | Country | Datacenter | Availability |
|---|---|---|---|
| eu-fra-1 | Germany | Frankfurt | Default — included |
| eu-bru-1 | Belgium | Brussels | Belgium residency module |
| eu-par-1 | France | Paris | EU residency module |
| eu-ams-1 | Netherlands | Amsterdam | EU residency module |
| eu-lux-1 | Luxembourg | Luxembourg | EU residency module |
| ch-zrh-1 | Switzerland | Zurich | Switzerland residency module |
— customer rights
Every workspace publishes its JWKS at /v1/<workspace>/.well-known/jwks.json. Daily Merkle roots let you recompute the chain end-to-end and prove no row was tampered with.
One signed JSON proof per UTC day per workspace, listing entry counts, asset counts, total bytes. Bundled into the DORA evidence pack; downloadable individually.
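As an added illustration (not Estøkad's own code or format), this is what recomputing daily Merkle roots from a JSONL audit export and comparing them with published roots can look like. The row fields (`ts`, `actor`, `action`), the SHA-256 tree with 0x00/0x01 prefixes, and the key-sorted JSON leaf encoding are all assumptions. The published roots are taken as already signature-checked against the workspace JWKS.

```python
import hashlib
import json
from collections import defaultdict

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def merkle_root(leaves: list) -> bytes:
    # Assumed tree shape: 0x00-prefixed leaves, 0x01-prefixed inner nodes.
    level = [sha256(b"\x00" + leaf) for leaf in leaves]
    while len(level) > 1:
        nxt = [sha256(b"\x01" + level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:  # odd node is promoted, not duplicated
            nxt.append(level[-1])
        level = nxt
    return level[0] if level else sha256(b"")

def daily_roots(jsonl: str) -> dict:
    """Group rows by UTC day (hypothetical "ts" field) and hash each day."""
    by_day = defaultdict(list)
    for line in jsonl.splitlines():
        if line.strip():
            row = json.loads(line)
            # Assumed leaf encoding: key-sorted, whitespace-free JSON.
            leaf = json.dumps(row, sort_keys=True, separators=(",", ":"))
            by_day[row["ts"][:10]].append(leaf.encode())
    return {day: merkle_root(rows).hex() for day, rows in by_day.items()}

def verify_days(jsonl: str, published: dict) -> dict:
    """Per day: does the recomputed root equal the published one?"""
    recomputed = daily_roots(jsonl)
    days = sorted(set(recomputed) | set(published))
    return {d: recomputed.get(d) == published.get(d) for d in days}

# Constructed sample export, not real data.
EXPORT = "\n".join([
    '{"ts":"2025-01-01T09:00:00Z","actor":"alice","action":"entry.update"}',
    '{"ts":"2025-01-01T09:05:00Z","actor":"bob","action":"asset.delete"}',
    '{"ts":"2025-01-02T08:00:00Z","actor":"alice","action":"entry.publish"}',
])
# Stand-in for the signed daily roots; signature check is out of scope here.
PUBLISHED = daily_roots(EXPORT)
TAMPERED = EXPORT.replace("bob", "mallory")

if __name__ == "__main__":
    print(verify_days(EXPORT, PUBLISHED))
    print(verify_days(TAMPERED, PUBLISHED))
```

A day whose rows were edited, dropped, or added after the root was published comes back `False`, while untouched days still verify.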
On termination you have 90 days to export every byte: schemas as TypeScript, content as JSON, assets as a tar archive, audit log as JSONL. Not a contractual favour — a contractual right.
Personal-data breach affecting customer data: notification within 24 hours of awareness (GDPR Art. 33 baseline is 72; we shorten it). Notifications go to the workspace owner email plus the configured security@ contact.
Enterprise- and Sovereign-tier customers may audit on reasonable notice, at the auditor's expense. SOC 2 Type II report (when issued) covers the vast majority of typical scope.
Customers and end-users may complain about our processing to Andmekaitse Inspektsioon (Tatari 39, 10134 Tallinn). The supervisory authority is independent; we do not see complaint contents.
— before signing
Procurement questions go to legal@samarkandindustries.com. Privacy-specific questions to privacy@samarkandindustries.com. Security questionnaires (CAIQ, SIG, customer-specific) to security@samarkandindustries.com. Five business-day turnaround on security questionnaires; one business day on the rest.