// Security one-pager · for procurement, compliance, DPOs

Security & data flow — straight answers.

Operator
Anova IT, s.r.o.
Hosting
AWS Frankfurt
Encryption
TLS 1.3 + AES-256
Governing law
Czech Republic
Uptime target
99.5% / month
Training on your data
Never
// Data flow · where bytes go

What leaves your browser. And what doesn't.

Your browser Lasso content only No clipboard · no keylog TLS 1.3 ANV-Gyro gateway AWS Frankfurt · EU Anonymize identity Memory layer (vector) Encrypted at rest (KMS) content only content only EU stays EU Anthropic (Claude) US · zero retention tier SCC OpenAI (GPT) US · no training optout SCC Mistral (Ministral) EU · Paris PostgreSQL + Qdrant memory (EU only) /* BYOK path */ If you bring your own API key, the gateway still anonymizes, but the provider bills you directly. Key encrypted at rest (KMS). EDGE MODE: chain stops at your device. Zero egress.
// Subprocessors · Article 28 §2 GDPR

Who else touches your data.

Processor Purpose Location Transfer basis
Amazon Web Services EMEA EU · Frankfurt
Anthropic, PBC US
OpenAI, OpCo LLC US
Mistral AI EU · Paris
Stripe Payments Europe EU · Ireland
Google Identity Global

// GDPR Article 28 · DPA

Data Processing Agreement — signed in 1 working day.

What's in our standard DPA

    How to get it

    // Technical & organisational measures (TOMs)

    How we actually protect your data.

    Encryption

      Access control

        Logging & monitoring

          Backup & recovery

            // Incident response · vulnerability disclosure

            When something goes wrong.

            Incident response (we get hit)

              Vulnerability disclosure (you find one)

              Need something this page doesn't answer?