Security & Privacy FAQ
Short answers to the questions security and procurement teams ask us most — with a direct answer or a link to the policy that covers it.
Last updated: June 2026
Quick answers across topics. Where a policy covers the detail, the answer links to it; some answers stand on their own. Browse the full set in Legal & Compliance, or contact privacy@matterlyt.com with anything we haven't covered.
Company & data location
Where is the product hosted, and where is our data?
The application and all customer data are hosted and processed in Germany (EU), on Hetzner infrastructure — no product data is hosted in the US. (The operating company, Lucido LLC, is incorporated in Florida, USA, but its corporate domicile is separate from where the service runs.) See Security Policy.
Is our data sent outside the EEA for processing?
No — customer data stays in the EU. The only US providers (Cloudflare, Chatwoot) handle website traffic under EU SCCs, not your product data. See Sub-processors.
Where can I find your Privacy Policy?
It's published here. See Privacy Policy.
AI & your data
Is Matterlyt a native AI product or does it use AI integrations?
AI runs under your own provider account (bring-your-own-account) — not an in-house model. See Security Policy.
Do you use our data to train AI models?
No — never, and we don't call any AI provider on our own account. See the DPA.
Authentication & access
How do identity and authentication work?
Google SSO only; we store no passwords, and your Google MFA is enforced at login. See Security Policy.
Who in the company has direct access to our data?
Only the on-call engineers, on a least-privilege basis; each customer runs in its own isolated container with its own database and storage, so tenants can't reach each other's data. See Security Policy.
Security controls
What controls protect against attacks such as brute force and man-in-the-middle?
TLS 1.2+ on every connection (terminated in the EU) blocks interception; brute force has little surface because we store no passwords; DDoS protection is provided at the infrastructure level. See Security Policy.
How is data encrypted, in transit and at rest?
TLS 1.2+ on every connection in transit. Volume-level encryption at rest is in progress and not yet fully deployed; until it is, data at rest is protected by the physical and access controls of our ISO 27001-certified EU data centre plus per-tenant isolation. See Security Policy.
Do you maintain audit logs?
No standalone audit-log feature, but every answer traces to its source and every knowledge-base change is versioned. See Security Policy.
Privacy & data handling
Does the tool require any personal data (PII) to function?
Minimal business-contact data plus the content you upload; cached SSO profile data is deleted when an account is unattached. See Privacy Policy.
What is your data retention and deletion policy?
Account and customer data is deleted immediately on termination; backups are purged within 5 days. See Privacy Policy.
Incidents & changes
How will you inform us about incidents affecting our data or the service?
For a breach affecting your data, we notify you without undue delay after becoming aware. For incidents affecting service availability (e.g. an outage), we keep you informed of status and expected resolution. See Security Policy.
How will you inform us about major changes affecting the service?
Reasonable advance notice of material changes; prior notice and a right to object for sub-processor changes. See Terms of Service.