Security & Trust

The answers you give buyers about us, we can back.

The moment Matterlyt holds your due-diligence answers, you inherit our security posture — and your buyer’s next questionnaire will ask about it. So it’s built the way you’d build it: AI on your own account, isolated per customer, hosted in the EU, and honest about what’s still in progress.

Illustration: several sealed containers in isometric space, each holding its own documents and kept separate — per-customer isolation.
GDPR-ready EU-hosted No AI training on your data

Matterlyt answers AI-governance due diligence credibly because it is built AI-governance-correct by construction — your AI account, your isolation boundary, your jurisdiction. Here is what your reviewer will check, and what they’ll find:

Your AI, your account — by design

Matterlyt does nothing with AI until you connect your own provider. There is no shared or default model, so your content can never reach an account you didn’t configure. Your AI provider processes under your own terms — it is not a Matterlyt sub-processor — and we never use your data to train or fine-tune a model. Point it at an EU region, or at a model you host yourself.

Isolated at the environment level

Every customer runs in its own dedicated container — with its own database, its own storage volume, and its own subdomain. No shared application instance, no shared database, no shared storage. One tenant has no path to another’s data, and a session for one is never valid for another.

Hosted in the EU

The application and all customer data run in Germany, on ISO 27001-certified Hetzner infrastructure. Data is stored at rest in the EU and not outside the EU/EEA. With an EU-region or self-hosted AI endpoint, no third-country transfer occurs.

No passwords to breach

Sign-in is exclusively Google SSO. We store no usernames and no passwords — there is nothing to leak, reuse, or brute-force — and any 2FA on your Google account is enforced automatically at login, inheriting your Workspace policies.

Your data, on your terms

We hold minimal business-contact data plus what you put in the product, and delete it on termination; database backups are purged within days. Every answer keeps its provenance — traceable to the source it was generated from, with full version history.

A short, honest sub-processor list

Hosting on Hetzner (EU), DNS and the marketing site on Cloudflare, support chat on Chatwoot — that is the whole list, engaged under Art. 28 terms with notice of changes. Because AI runs on your own account, no AI provider appears on it.

Built in the open

What we’re still improving

We’d rather tell you than let a reviewer find it. Volume-level encryption at rest is rolling out across our infrastructure and is not yet fully in place; until it is, data at rest is protected by our ISO 27001 data centre, the tenant isolation above, and least-privilege access controls. We update the policy the moment that changes.

The binding detail

This page is the overview. The documents a security reviewer will want:

Questions your questionnaire needs answered? See how Matterlyt answers AI-governance due diligence, or reach us at privacy@matterlyt.com.