How Sebrona handles your data.
Sub-processors, retention windows, incident response, and certification status. One page, kept current. Procurement asks the same questions on every deal; this is the answer in writing. DPA contact at the bottom.
Every service we route data through, with region.
Sebrona uses the providers below. Each row names the provider, the region the data resides in, and what the provider does in the system. We update this list before a new provider goes into production, not after. The list covers Sebrona engagement work. Products Sebrona operates (ElektrikPro and others) carry their own sub-processor lists at the product surface.
Retention windows.
Engagement data (code, configuration, eval prompts, traces) is deleted within 90 days of contract end unless extended in writing. Inquiry data sent to info@sebrona.com or via the contact form is kept for 24 months for legitimate-interest follow-up under GDPR Art. 6(1)(f), then deleted. Sentry telemetry is anonymous UUID-only and rolls off on Sentry's default 90-day retention. No marketing profile is built from any of the above.
Incident response, in writing.
Any incident affecting confidentiality, integrity, or availability of customer data is investigated by the lead architect within four hours of detection. Customer notification follows the GDPR Art. 33 72-hour clock, but we aim for the same business day. Post-incident the customer gets a written report: timeline, root cause, blast radius, remediation, and what changed to prevent recurrence. Public status pages are scoped in the engagement spec and stood up when the client wants public-facing uptime disclosure.
Honest status, not a badge wall.
Sebrona is not currently SOC 2 or ISO 27001 certified. We map to the relevant controls in every architecture brief: GDPR Art. 32 security, AI Act Art. 9 risk management, NIS2 Art. 21 cyber, ISO 27001 Annex A where the customer requires it. Controls-mapping is not certification. Customers who need a SOC 2 Type II or ISO 27001 report from their vendor should raise that in the Diagnostic week so it can be scoped before signing.
Signed DPA on request.
Sebrona ships a draft GDPR Article 28 data-processing agreement that mid-market and enterprise procurement teams have signed without negotiation. If yours needs amendments, send the redline. Security questions, DPA requests, and responsible-disclosure reports all go to the same address.