Trust, demonstrated in the open.

Building a compiler the world can trust means showing the work. We publish our live correctness benchmarks, our security model, and our compliance status, measured against the same standards we hold ourselves to.

Get access View benchmarks Bug Bounty

000%

RUNNING SUITE

Trust, by category

The controls, documents and commitments behind our trust posture, grouped by category.

Risk Profile

Our overall risk posture: the data we touch, where it lives, and the controls that sit behind every category on this page.

Data Access Level

Impact Level

Recovery Time Objective

Product Security

How the product is built and shipped securely, secret-less CI, code review, dependency and supply-chain controls.

Multi-Factor Authentication

SSO Support

Audit Logging

Reports

Audit reports, penetration test summaries and security assessments, available on request.

SOC 2 Report

SOC 3 Report

Penetration Test Report

Data Security

Encryption in transit and at rest, key management, backups and data segregation.

Encryption-at-rest

Encryption-in-transit

Data Backups

Legal

Data Processing Agreement, terms, subprocessor commitments and regulatory alignment.

Subprocessors

Data Processing Agreement

Data Privacy

GDPR and CCPA alignment, data residency, retention and deletion, and our Data Protection Officer contact.

Data Breach Notifications

Data Privacy Officer

Access Control

Authentication, least-privilege authorization, MFA and periodic access reviews.

Password Security

Data Access

Logging

Infrastructure

Hosting, network controls, segmentation and our EU-first provider footprint.

Cloud Infrastructure

Status Monitoring

Separate Production Environment

Endpoint Security

Device hardening, disk encryption, patching and endpoint monitoring.

Disk Encryption

Endpoint Detection & Response

DNS Filtering

Corporate Security

Security training, onboarding and offboarding, and vendor risk management.

Penetration Testing

Incident Response

Security Operations Center

Policies

The internal policies and standards that govern how we operate.

Information Security Policy

Incident Response Policy

Vulnerability Management Policy

Subprocessors

The third parties that may process customer personal data on our behalf. We notify customers in advance before a new subprocessor takes effect, and customers may object under the Data Processing Agreement.

Infrastructure, customer workloads & data

Subprocessor	Purpose	Processing location	Transfer mechanism
IONOS IONOS SE · Montabaur, DE	Bare-metal hosting for customer applications & data	Germany / EU	Not required, EU processing
Amazon Web Services AWS EMEA SARL · Luxembourg	Bare-metal hosting for customer applications & data	EU regions	EU SCCs + EU-US DPF
Google Cloud Google Ireland Ltd. · Dublin, IE	Bare-metal capacity & on-demand burst VMs	EU	EU SCCs + EU-US DPF
Cloudflare Cloudflare, Inc. · US	CDN, DDoS protection / WAF, Workers & KV	Global edge network (incl. EU)	EU SCCs + EU-US DPF

Business processes & SaaS

Subprocessor	Purpose	Processing location	Transfer mechanism
Microsoft 365 Microsoft Ireland Operations Ltd. · Dublin, IE	Email (Exchange Online), Office & document editing	EU	EU SCCs + EU-US DPF
Stripe Stripe Payments Europe, Ltd. · Dublin, IE	Payment processing, billing & invoicing	EU (some processing via Stripe, Inc., US)	EU SCCs + EU-US DPF
PostHog PostHog, Inc. · EU Cloud	Product & web analytics	EU, AWS eu-central-1 (Frankfurt)	EU SCCs
Notion Notion Labs, Inc. · US	Internal knowledge management	USA	EU SCCs + EU-US DPF
Resend Resend, Inc. · US	Transactional email delivery	AWS infrastructure (region per Resend's subprocessor list)	EU SCCs