Trust Center

Security and Trust

Agensio was designed from day one for the security and compliance requirements of European SMEs. EU data residency, CASA Tier 2 audit passed, end-to-end encryption, public subprocessor registry.

GDPR and UK GDPR compliance

Agensio is compliant with the General Data Protection Regulation (EU 2016/679) and UK GDPR. We act as a processor under Article 28 GDPR for data you process through our agents. A DPA (Data Processing Agreement) addendum is available upon request at bonjour@agensio.fr, electronically signed via DocuSign. The list of subprocessors (Supabase, Stripe, Resend, Anthropic, OpenAI, Twilio) is published on this page, and any change is notified 30 days in advance.

CASA Tier 2 audit - 9.1/10 score

In April 2026, Agensio passed the CASA (Cloud Application Security Assessment) Tier 2 audit conducted by TAC Security, a Google-certified evaluator. Final score: 9.1 out of 10. The audit covers 4 areas: governance, incident response, application security, data protection. The detailed report and the 4 source policies (Incident Response, Information Security, Privacy, Vulnerability Disclosure) are available in our data room under NDA.

Hosting and data residency

All customer data is hosted in Europe, primarily with Supabase Pro in the Frankfurt datacenter (Germany, AWS Frankfurt eu-central-1). No customer data is transmitted to or stored in the United States. Agensio is not subject to the US Cloud Act: Supabase Pro EU is an Irish entity, under exclusive European jurisdiction. For enterprise accounts, a French sovereign cloud option (OVHcloud, Outscale or Scaleway) is available on quote.

Encryption and access

All communications use TLS 1.3 (HTTPS) with HSTS preload, modern ciphers only, and auto-renewed Let's Encrypt certificates. Data at rest is encrypted with AES-256 on Supabase. Secrets (OAuth tokens, customer API keys, passwords) are encrypted at the application level with key rotation. Agensio admin access requires mandatory MFA and is logged in an immutable audit trail.
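The HSTS preload claim above is one a reader can verify from the response headers alone. The following checker is an added example, not code from Agensio or from this page: it parses a Strict-Transport-Security header and tests it against the header-level requirements of the Chromium preload list (max-age of at least one year, includeSubDomains, and the preload token). The two header sets it runs against are constructed for illustration, not captured from agensio.fr.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_YEAR_SECONDS = 31_536_000  # minimum max-age accepted by the preload list


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    preload_eligible: bool
    issues: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains; preload' into a
    lowercase directive -> value map (valueless directives map to '')."""
    directives: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def check_hsts(headers: Dict[str, str]) -> HstsResult:
    """Evaluate the HSTS header in a response header map (case-insensitive
    names) against the preload-list requirements. Only the header itself is
    checked; serving over HTTPS and the HTTP->HTTPS redirect the preload list
    also requires cannot be verified offline and are out of scope here."""
    value = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if value is None:
        return HstsResult(False, None, False, False, False,
                          ["no Strict-Transport-Security header"])

    directives = parse_hsts(value)
    issues: List[str] = []
    max_age: Optional[int] = None

    if "max-age" not in directives:
        issues.append("max-age directive missing")
    else:
        try:
            max_age = int(directives["max-age"])
        except ValueError:
            issues.append("max-age is not an integer")
        else:
            if max_age < ONE_YEAR_SECONDS:
                issues.append(f"max-age {max_age} is below one year")

    include_subdomains = "includesubdomains" in directives
    preload = "preload" in directives
    if not include_subdomains:
        issues.append("includeSubDomains missing")
    if not preload:
        issues.append("preload token missing")

    return HstsResult(True, max_age, include_subdomains, preload,
                      preload_eligible=not issues, issues=issues)


# Constructed sample headers (not captured from any real host).
STRONG_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
}
WEAK_HEADERS = {
    "content-type": "text/html",
    "strict-transport-security": "max-age=3600",
}

if __name__ == "__main__":
    for label, hdrs in (("strong", STRONG_HEADERS), ("weak", WEAK_HEADERS)):
        result = check_hsts(hdrs)
        print(label, "eligible" if result.preload_eligible else "NOT eligible", result.issues)
```

The weak header is a common real-world shape: HSTS is technically present, so a naive "header exists" check passes, yet a one-hour max-age offers almost no protection and the site would be rejected by the preload list. Checking the directives, not just presence, is what makes the claim auditable.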

Penetration testing and responsible disclosure

Agensio conducts an annual external penetration test by a CESTI-certified provider. The most recent test took place in April 2026 with no critical vulnerability found. Our /.well-known/security.txt file exposes the security contact (security@agensio.fr) and responsible disclosure policy. Security researchers can report a vulnerability confidentially; confirmed issues lead to public acknowledgement (hall of fame).

Backups and continuity

Postgres point-in-time recovery (PITR) for at least 7 days, daily snapshots kept 30 days, multi-AZ replication. Target RPO: 5 minutes. Target RTO: 4 hours for major incidents. The disaster recovery plan is documented in docs/security/DEPLOYMENT_RUNBOOK.md and tested every 6 months.

Subprocessors

Current public list: Supabase Inc. (Ireland, database hosting), Vercel Inc. (USA, frontend hosting, technical data only, no PII), Stripe Payments Europe Ltd. (Ireland, payments), Resend Inc. (USA, transactional email), Anthropic PBC and OpenAI Inc. (USA, LLM processing), Twilio Ireland Ltd. (Ireland, SMS and voice), Sentry (Germany, monitoring). Any personal data sent to LLM providers (Anthropic, OpenAI) follows ZDR (Zero Data Retention) agreements: no training, no retention beyond 30 days.

Security contact

To report a vulnerability, request a DPA, or ask a compliance question:

  • security@agensio.fr: vulnerabilities, audits
  • Data Protection Officer (DPO): bonjour@agensio.fr

Page updated on May 27, 2026.