Trust & Security - European Data Sovereignty & Compliance

Trust you can verify.

We sell security. That means we need to be beyond doubt about our own. Here is exactly how we handle your data - no marketing translation.

STACK SELECTION

Our principles for stack selection

Every component in Alliance42 is chosen by one filter: what is best for the customer's security, sovereignty and long-term independence.

  • Open source or from a European-headquartered company
  • Data hosted in the EU
  • No US cloud dependencies for customer data
  • The vendor must have existed long enough to prove its stability - we do not choose startups for critical components
  • No vendor kickbacks influence our choices
  • Every component is evaluated against the EU First Index sovereignty scoring

Our full subprocessor list is below · we publish it here as well as in your DPA. Where a vendor has dependencies outside the EU, we are upfront about it. We are happy to walk through the stack choices on a call.

SUBPROCESSORS

Our subprocessors

These are the data processors we rely on to deliver Alliance42 services. The DPA contractually commits us to 30 days' advance notice before adding or replacing any subprocessor.

Hetzner Online GmbH

Service: Server hosting and infrastructure

Location: Falkenstein, Germany (EU)

Data processed: All website data, database, files

Supabase (self-hosted on Hetzner)

Service: Database

Location: Hetzner, Germany (EU)

Data processed: Contact submissions, estimates, CRM data

Proton Technologies AG

Service: Email (SMTP)

Location: Geneva, Switzerland (adequacy decision)

Data processed: Email addresses, names, message content

Crisp IM SAS

Service: Live chat widget

Location: France (EU)

Data processed: Chat messages, browser info (only after consent)

n8n (self-hosted on Hetzner)

Service: Workflow automation

Location: Hetzner, Germany (EU)

Data processed: Contact and estimate data for email notifications

Plausible Insights OÜ

Service: Cookieless website analytics

Location: Estonia (hosted on Hetzner Germany)

Data processed: None · Plausible processes no personal data and sets no cookies

WithSecure Oyj

Service: Endpoint protection engine for A42-C and A42-CC clients

Location: Finland (EU)

Data processed: Service-only · processes client endpoint telemetry, not website visitor data

INFRASTRUCTURE

Our infrastructure

  • All hosting infrastructure runs on data centres in Germany. The data centres are ISO 27001:2022 and BSI C5 Type 2 certified.
  • We do not use AWS, Google Cloud, Microsoft Azure or any other US-incorporated cloud provider for data processing. No American cloud services.
  • Why it matters: the US CLOUD Act gives American authorities the right to demand access to data at US-incorporated cloud providers - regardless of where the data is physically stored. By keeping our entire stack on European infrastructure, we eliminate that exposure.
  • No Google Analytics, no Meta Pixel, no advertising cookies. Our analytics is cookie-free, hosted in the EU, and so privacy-friendly that tracker blockers block it by default. We accept the data loss because it is the right tradeoff.

Transparency

Your Data With Us

When you use our estimator

  • Your price calculation runs on our server, not in your browser. Nobody can read our pricing model or your numbers.
  • We only store what you enter. No hidden tracking, no third-party scripts.
  • If you become a client, we transfer your information to your dedicated portal. If we do not hear from you, we automatically anonymize your personal data.
  • You can always request full deletion.

What we DON'T do

  • We do not sell your data.
  • We do not track your behavior across pages.
  • We do not share your information with third parties.
  • We do not use your data to train AI models.
  • We do not place advertising or marketing cookies.

COMPLIANCE

Where we are on the compliance journey

ISO 27001

We are actively working towards certification. Our underlying data centres are already ISO 27001:2022 and BSI C5 Type 2 certified. We apply the framework internally.

NIS2

We apply the NIS2 Article 21 framework internally, with the same rigour we bring to helping our customers implement it. Our documentation is proportional to our size - we are not under supervision yet, but we follow the framework anyway.

GDPR

Built in from day one. All data processing in the EU. Draft DPA published - awaiting legal review before formal agreements. The full list of sub-processors is in your DPA.

If anything here is wrong or unclear...

If anything on this page is unclear, that is my fault. Write to me, and I will fix the page and answer your question.


If something on this site is unclear, that's on me. Send me a message and I'll fix the page, and answer your question.

Tobias Lauge Jensen, Founder & CEO, Alliance42

Your place in the Alliance is waiting.

No sales team. No call center. Just me.
