SECURITY & COMPLIANCE

Built for European data sovereignty

Every memory your AI agents create stays in the EU. GDPR compliance is not a feature you configure — it's the default.

🇪🇺 EU Data Residency · GDPR Art. 17 Compliant · DPA Available
01 — Infrastructure

Infrastructure & Hosting

Every layer of the stack is designed with data isolation and EU residency from day one.

Data location
All data stored on Supabase PostgreSQL, hosted on AWS eu-central-1 (Frankfurt, Germany). Data never leaves the EU.
Database encryption
Data encrypted at rest (AES-256). TLS 1.3 in transit. pgvector index isolated per API key.
API security
SHA-256 hashed API keys. Keys never stored in plain text. kv- prefix used for identification only.
Network
API hosted on Railway (EU region). Cloudflare Workers for frontend edge delivery. DDoS protection by default.
01b — Architecture

Security architecture

End-to-end view of how a request flows through Kronvex — and where security controls are enforced at each layer.

CLIENT REQUEST  (HTTPS / TLS 1.3)
      │
      ▼
API LAYER       Cloudflare edge → Railway EU region
      │           DDoS protection, rate limiting
      │
      ▼
AUTH            X-API-Key header required
      │           SHA-256 hash comparison (key never stored plain)
      │           Quota check (plan limits enforced)
      │
      ▼
APPLICATION     FastAPI (Python), isolated per API key scope
      │           Tenant isolation enforced at query level
      │           Memory TTL checked before serving
      │
      ▼
pgvector DB     Supabase PostgreSQL — AWS eu-central-1 (Frankfurt, EU)
      │           AES-256 at rest · vector index scoped per key
      │           Data never leaves the EU
      │
      ▼
BACKUPS         Automated daily backups (Supabase managed)
                Point-in-time recovery · EU region only
      
02 — GDPR

GDPR Compliance

A concrete mapping of GDPR articles to how Kronvex implements them — no vague promises.

| Article | Requirement | How Kronvex handles it |
| --- | --- | --- |
| Art. 5 | Data minimization | Only content + embedding stored. No PII collected unless in memory content. |
| Art. 13/14 | Transparency | Privacy policy at /privacy. DPA available on request. |
| Art. 17 | Right to erasure | DELETE /api/v1/agents/{id}/memories — instant, permanent deletion. |
| Art. 20 | Data portability | GET /api/v1/agents/{id}/memories — full export via API. |
| Art. 25 | Privacy by design | EU hosting by default, no cross-border transfer, memory TTL available. |
| Art. 28 | Processor agreement | Standard DPA available at kronvex.io/dpa. Contact enterprise@kronvex.io |
| Art. 32 | Security measures | AES-256 at rest, TLS 1.3 in transit, API key hashing. |
02b — Sub-processors

Sub-processors & Data Chain

Complete list of third-party processors involved in the Kronvex data chain, with their role, data handled, and GDPR status.

| Sub-processor | Role | Data processed | Hosting | GDPR status |
| --- | --- | --- | --- | --- |
| Supabase (AWS eu-central-1, Frankfurt 🇩🇪) | PostgreSQL database + vectors | Memories, agents, hashed API keys | EU — Frankfurt | DPA signed |
| Railway (EU region) | API hosting | Requests in transit (not persisted) | EU | DPA available |
| Cloudflare Workers | CDN + static frontend | No personal data | Global CDN | |
| OpenAI (US, DPF-certified) | Embeddings only (text-embedding-3-small) | Memory content at embedding time | US — DPF + SCCs | DPF certified |
| Resend | Transactional email | User email address only | US | SCCs |
| Stripe | Payments | Billing data only | US | DPF certified |

The complete list of sub-processors is available on request and in our standard DPA.

European legal entity — CLOUD Act inapplicable

Kronvex is incorporated as a European legal entity. Unlike US-based providers (Mem0, Zep, Letta), we are not subject to the US CLOUD Act (18 USC § 2713) or FISA orders. Your data cannot be compelled by non-European authorities, even if it temporarily transits through DPF-certified sub-processors for embedding generation.

GDPR Art. 17 & Art. 20 — User rights API endpoints
DELETE /api/v1/agents/{id}/memories/user/{user_id} Art. 17 — Right to erasure
GET /api/v1/agents/{id}/memories/user/{user_id}/export Art. 20 — Data portability

These endpoints are available on all plans. No manual process required — integrate directly into your user rights management flow.

03 — Data lifecycle

How memory data moves through the system

From creation to deletion, here is exactly what happens to your data at each stage.

1. Memory created: Content encrypted, embedding generated (OpenAI API call), stored in Supabase EU. The vector index is scoped to your API key.
2. Memory recalled: pgvector cosine similarity search. No LLM call at read time. Content returned with confidence score.
3. Memory expired: TTL reached → automatic soft delete. Disk space freed within 24 hours.
4. Memory deleted: Explicit DELETE request → immediate hard delete. Cannot be recovered.
Note on OpenAI: OpenAI is called once at write time to generate the embedding vector. The content is sent to OpenAI's API during this step. If you need to avoid any third-party data processing, use a local embedding model and contact us.
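The query-level tenant isolation and TTL check named in the architecture diagram, together with the recall and hard-delete stages above, sketched as an added example (not Kronvex's code). It uses SQLite as a stand-in for PostgreSQL and omits the vector similarity search; the table, column and function names are assumptions.

```python
import sqlite3
import time

# Hypothetical schema: every row carries the hash of the API key that owns it.
SCHEMA = """CREATE TABLE memories (
    id INTEGER PRIMARY KEY,
    key_hash TEXT NOT NULL,   -- tenant scope
    agent_id TEXT NOT NULL,
    content TEXT NOT NULL,
    expires_at REAL           -- NULL means no TTL
)"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def store(db, key_hash, agent_id, content, ttl=None, now=None):
    now = time.time() if now is None else now
    expires = None if ttl is None else now + ttl
    db.execute(
        "INSERT INTO memories (key_hash, agent_id, content, expires_at) "
        "VALUES (?, ?, ?, ?)", (key_hash, agent_id, content, expires))


def recall(db, key_hash, agent_id, now=None):
    # The tenant filter and the TTL check live in the query itself, so a
    # caller cannot forget them and an agent id alone never selects rows.
    now = time.time() if now is None else now
    rows = db.execute(
        "SELECT content FROM memories WHERE key_hash = ? AND agent_id = ? "
        "AND (expires_at IS NULL OR expires_at > ?) ORDER BY id",
        (key_hash, agent_id, now))
    return [r[0] for r in rows]


def erase(db, key_hash, agent_id):
    # Hard delete, scoped to the caller's key; returns the rows removed.
    cur = db.execute(
        "DELETE FROM memories WHERE key_hash = ? AND agent_id = ?",
        (key_hash, agent_id))
    return cur.rowcount
```

Two tenants that happen to use the same agent id still see only their own rows, because `key_hash` is part of every WHERE clause.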
03b — Data processing

Data processing

Where your data is stored, how long it is kept, and how it is protected — with no ambiguity.

Where data is stored
All agent memories are stored in Supabase PostgreSQL hosted on AWS eu-central-1 (Frankfurt, Germany). No data is replicated or processed outside the EU. Embeddings are generated via the OpenAI API (write-time only) and the vectors are then stored in the EU database.
Retention
Memories are retained until explicitly deleted via the API (DELETE /api/v1/agents/{id}/memories) or until account deletion. Optional TTL can be set per memory. Upon account deletion, all associated data is permanently purged within 30 days.
Encryption
At rest: AES-256 via Supabase managed encryption. In transit: TLS 1.3 enforced on all connections between client, API, and database. API keys are stored as SHA-256 hashes — the plaintext key is never persisted.
Third-party processors
OpenAI (embedding generation, write-time only), Supabase (database), Railway (API hosting, EU region), Cloudflare (edge/CDN), Resend (transactional email). Full list available in our DPA upon request.
04 — Key management

API Key Security

Your API keys are designed so that not even Kronvex can recover them after issuance.

Cryptographically random: Generated with secrets.token_urlsafe(32) from Python's stdlib. 256-bit entropy.
Hashed at rest: Stored as SHA-256 hash. The raw key is sent to you once — we never see it again.
Rotate anytime: Rotate your key at any time from the dashboard. Old key is invalidated immediately.
Scoped keys (coming soon): Fine-grained permissions per key — read-only, per-agent, or time-limited.
# How Kronvex stores your key (verifiable in our open auth.py)
import hashlib, secrets

def generate_key():
    raw = "kv-" + secrets.token_urlsafe(32)
    key_hash = hashlib.sha256(raw.encode()).hexdigest()
    return raw, key_hash  # raw sent to you once, hash stored

# We only ever compare hashes:
def verify_key(provided_key, stored_hash):
    return hashlib.sha256(provided_key.encode()).hexdigest() == stored_hash
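
An added example, not taken from Kronvex's auth.py, that follows the key lifecycle described above: issue, authenticate by hash, and rotate with immediate invalidation. `KeyStore` and its method names are hypothetical, and `verify_key` here is a variant that compares digests in constant time with `hmac.compare_digest`.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "kv-"  # prefix from the page: identification only, adds no secrecy


def hash_key(raw):
    return hashlib.sha256(raw.encode()).hexdigest()


def verify_key(provided_key, stored_hash):
    # compare_digest runs in time independent of where the two digests differ.
    return hmac.compare_digest(hash_key(provided_key), stored_hash)


class KeyStore:
    """Hypothetical in-memory stand-in for the key table; holds hashes only."""

    def __init__(self):
        self._owner_by_hash = {}   # sha256 hex digest -> account id
        self._hash_by_owner = {}   # account id -> digest of the active key

    def issue(self, account):
        raw = KEY_PREFIX + secrets.token_urlsafe(32)
        digest = hash_key(raw)
        self._owner_by_hash[digest] = account
        self._hash_by_owner[account] = digest
        return raw  # returned once; the store cannot reproduce it

    def rotate(self, account):
        # Drop the old digest first so the previous key stops working at once.
        old = self._hash_by_owner.pop(account, None)
        self._owner_by_hash.pop(old, None)
        return self.issue(account)

    def authenticate(self, provided_key):
        if not provided_key.startswith(KEY_PREFIX):
            return None  # cheap format check before hashing
        return self._owner_by_hash.get(hash_key(provided_key))

    def stored_values(self):
        return set(self._owner_by_hash)  # everything persisted about keys
```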
05 — Commitments

What we don't do

Explicit commitments on how your data is never misused.

06 — Enterprise

Enterprise compliance

Need more than standard compliance? We support procurement and legal processes for larger teams.

Need a signed DPA?
Standard DPA available at kronvex.io/dpa. Contact enterprise@kronvex.io for custom terms.
Custom data retention?
Custom retention policies, TTL configuration, and data isolation options on the Enterprise plan.
Security audit?
Architecture review and security audit available on request for Scale and Enterprise customers.

Industry-specific compliance guides: Healthcare & GDPR Art. 9 · Fintech & DORA

Penetration testing: An independent penetration test of the full Kronvex stack is planned for Q3 2026, conducted by a third-party security firm. Results summary will be shared with Enterprise customers upon request.
07 — Responsible disclosure

Report a vulnerability

If you discover a security vulnerability in Kronvex, please disclose it responsibly to security@kronvex.io. We respond within 48 hours, work with you to understand the scope, and credit responsible disclosures publicly (unless you prefer to remain anonymous).
