Security Policy
The technical and organisational measures that protect the data you trust us with (Art. 32 GDPR).
Last updated: June 2026
This policy sets out the technical and organisational measures (Art. 32 GDPR) that protect data processed in the Matterlyt product. It is our statement of those measures and serves as Annex 2 to our Data Processing Agreement.
1. Infrastructure & data residency
The Matterlyt application and all customer data are hosted in Germany (EU) on Hetzner infrastructure, in ISO 27001-certified data centres. Customer data is stored at rest in the EU and is not stored outside the EU/EEA.
2. Tenant isolation
Matterlyt isolates each customer at the environment level, not just the database. Every customer runs in its own dedicated container, with its own storage volume, own database, and own subdomain — customers share no application instance, no database, and no storage. One tenant's container has no path to another tenant's data. Sessions are scoped to each customer's subdomain, so a session for one customer is never valid for another.
3. Encryption
- In transit: all connections to the service are encrypted with TLS 1.2+, terminated at our reverse proxy on EU infrastructure (see §6), preventing eavesdropping and man-in-the-middle interception.
- At rest: volume-level encryption of customer data at rest is in progress and not yet in place across our infrastructure. Until it is fully deployed, data at rest is protected by the physical and organisational controls of our ISO 27001-certified EU data centre together with the tenant isolation (§2) and access controls (§5) described here. We will update this section once encryption at rest is fully deployed.
4. Identity & authentication
Sign-in to Matterlyt is exclusively through Google SSO (OAuth). We do not store usernames or passwords on our servers — there is no Matterlyt password database to breach, leak, or brute-force, and no risk of credential reuse from other sites. Because authentication is delegated to Google, any multi-factor authentication (2FA) configured on the customer's Google account is enforced automatically at login, so identity and session security inherit your Google Workspace policies.
5. Access control
Direct access to production customer data is restricted to the on-call engineers on a least-privilege basis, for operations and support only. Administrative and SSH access to our servers is reachable only over a private, authenticated network — never the public internet, and a host firewall limits public exposure to the application itself. There are no shared administrative credentials, and administrative access is logged.
6. Network & application security
Traffic reaches the application through a reverse proxy on our EU infrastructure, which terminates TLS 1.2+ using certificates from a public certificate authority (Let's Encrypt), protecting against man-in-the-middle attacks. DDoS protection is provided at the infrastructure level by our EU hosting provider. Brute-force and credential-stuffing attacks have little surface here because we store no passwords — authentication is delegated to Google SSO (see §4). Cloudflare provides DNS for our domains and hosts our separate marketing website.
7. Logging & traceability
Matterlyt does not currently expose a separate security audit-log feature, but the product is built around provenance and versioning: every questionnaire answer can be traced back to the source(s) it was generated from, and every change to the knowledge base is kept with its history. Administrative access to production is logged operationally.
8. Vulnerability & patch management
We monitor our dependencies for known vulnerabilities and apply security updates promptly. All tenant instances run the same versioned container image, so a single deployment patches every customer at once — there are no unpatched or drifting instances. These measures are reviewed regularly.
9. Backups, availability & continuity
Customer data is backed up within the EU; database backups containing customer data are purged within 5 days of deletion. Infrastructure-level DDoS protection and our EU hosting provider's resilience help keep the service available; in the event of disruption, we work to restore service promptly and keep affected customers informed.
10. Incident response & breach notification
We maintain a documented process to detect, contain, assess, and remediate security incidents. Where a personal-data breach affects data we process on a customer's behalf, we notify the affected customer (the controller) without undue delay after becoming aware of it, consistent with Art. 33(2) GDPR, including the information needed for the customer's own reporting obligations under Art. 33–34. For incidents affecting service availability rather than data security, we keep affected customers informed of status and expected resolution. Report a suspected vulnerability or incident to privacy@matterlyt.com.
11. Sub-processor governance
Sub-processors are engaged under Art. 28 terms; the current list and locations are on our sub-processors page. We give prior notice of changes with a right to object on reasonable data-protection grounds.
12. AI data handling
Matterlyt operates on a bring-your-own-account model: AI inference runs under the customer's own AI-provider account (your API key, an EU-region endpoint, or a self-hosted model). The AI provider processes under your account and terms and is not a Matterlyt sub-processor. We do not use your data to train or fine-tune any model, and we do not send your content to any AI provider on our own account.
13. Personal data & retention
We process minimal business-contact data (name, business email, role) and the content you put into the product. Profile data cached from Google SSO is deleted when an account is unattached. Account and customer data is deleted immediately on contract or account termination; the full schedule is in our Privacy Policy and DPA.
14. Related documents
Data-retention and deletion periods are set out in our Privacy Policy. See also our Data Processing Agreement, Sub-processors, and Terms of Service. For anything not covered here, contact privacy@matterlyt.com.