Skip to main content
ENSK
PracticeElektrikProJARVISBlog
Operations · Security

How Sebrona handles your data.

Sub-processors, retention windows, incident response, and certification status. One page, kept current. Procurement asks the same questions on every deal; this is the answer in writing. DPA contact at the bottom.

Last reviewed · 2026-05-24Next review · 2026-08-24
№ 01 · Sub-processors

Every service we route data through, with region.

Sebrona uses the providers below. Each row names the provider, the region the data resides in, and what the provider does in the system. We update this list before a new provider goes into production, not after. The list covers Sebrona engagement work. Products Sebrona operates (ElektrikPro and others) carry their own sub-processor lists at the product surface.

Cloudflare
EU edge
CDN, edge runtime, WAF for sebrona.com and sebrona.sk.
Supabase
Frankfurt (EU)
Postgres + RLS for engagement-data primary plane. EU-only project.
Anthropic
US (default) · EU (Enterprise)
Hosted Claude inference. Routing policy logged per call.
OpenAI
US · EU Data Boundary opt-in
Hosted GPT-family inference. Used only when a client explicitly opts in.
Groq
US
Low-latency hosted inference for whisper-large-v3-turbo and OSS models where the client allows it.
Mistral
EU (Paris)
Hosted Mistral inference for EU-residency-strict engagements.
Cohere
US · EU available
Reranker (rerank-3) on retrieval top-50 results. Used only when the client opts into a hosted reranker.
Voyage AI
US
Hosted embeddings (voyage-3) for retrieval indexing. Used only on hosted-retrieval engagements; sovereignty-strict deployments use BGE-M3 locally instead.
Sentry
EU (Frankfurt)
Error and performance telemetry. Anonymous UUID only, no PII.
ElevenLabs
US · EU available
Voice synthesis. Used only on opt-in engagements.
M.Z.CONNECT s.r.o.
SK (Bratislava)
Joint controller for ElektrikPro customer data under GDPR Art. 26. Applies only to the elektrikpro.sk product, not to engagement work.
№ 02 · Data retention

Retention windows.

Engagement data (code, configuration, eval prompts, traces) is deleted within 90 days of contract end unless extended in writing. Inquiry data sent to info@sebrona.com or via the contact form is kept for 24 months for legitimate-interest follow-up under GDPR Art. 6(1)(f), then deleted. Sentry telemetry is anonymous UUID-only and rolls off on Sentry's default 90-day retention. No marketing profile is built from any of the above.

№ 03 · Incident response

Incident response, in writing.

Any incident affecting confidentiality, integrity, or availability of customer data is investigated by the lead architect within four hours of detection. Customer notification follows the GDPR Art. 33 72-hour clock, but we aim for the same business day. Post-incident the customer gets a written report: timeline, root cause, blast radius, remediation, and what changed to prevent recurrence. Public status pages are scoped in the engagement spec and stood up when the client wants public-facing uptime disclosure.

Incident ledger · 0 incidents YTD · none since 2026-05-17
Review cadence · Reaffirmed or revised quarterly.
№ 04 · Certifications

Honest status, not a badge wall.

Sebrona is not currently SOC 2 or ISO 27001 certified. We map to the relevant controls in every architecture brief: GDPR Art. 32 security, AI Act Art. 9 risk management, NIS2 Art. 21 cyber, ISO 27001 Annex A where the customer requires it. Controls-mapping is not certification. Customers who need a SOC 2 Type II or ISO 27001 report from their vendor should raise that in the Diagnostic week so it can be scoped before signing.

№ 05 · DPA & contact

Signed DPA on request.

Sebrona ships a draft GDPR Article 28 data-processing agreement that mid-market and enterprise procurement teams have signed without negotiation. If yours needs amendments, send the redline. Security questions, DPA requests, and responsible-disclosure reports all go to the same address.