eri

Trust

Boring promises, kept on schedule.

Security and compliance posture for eri labs. We try to over-share here so your security review is short.

Posture

  • SOC 2 Type II (in progress)

    We're mid-audit with Vanta. Target attestation window closes Q3 2026. We can share the latest auditor letter under NDA today.

  • GDPR (live)

    Account data lives in Supabase's Frankfurt region. Export and deletion endpoints are live in the dashboard. Standard Contractual Clauses cover transfers out of the EEA.

  • CCPA (live)

    California residents can exercise the right to know, delete, and opt out of any sale of personal information. We don't sell personal information — there's nothing to opt out of, but the channel is open.

  • Data residency (available)

    Enterprise accounts can pin account data to EU, US-East, or US-West regions. Model calls follow the provider you configure — that's a separate setting.

  • ISO 27001 (in progress)

    On the roadmap once SOC 2 lands. We'll share a target date publicly when the gap analysis finishes.

  • Penetration testing (live)

    Annual third-party pentest. Latest report available under NDA. Remediation timelines tracked publicly in the security changelog.

Where data lives

The eri desktop app keeps your project files, voice frames, gaze data, and shell history on the machine they originated on. The eri-cloud control plane runs in Supabase's Frankfurt region by default. Enterprise customers can pin to US-East or US-West with one config change.

Model calls follow whatever provider you've configured. The eri Engine runs in US-East with EU mirroring on the roadmap. With BYOK, data handling is between you and your provider.

Get the documents

We share our latest SOC 2 letter, pentest report, sub-processor list, and DPA under NDA. Email trust@eri.dev and we'll send a package the same business day. The full security architecture lives on the security page.