Trust Center

Security as a foundation.
Not as an add-on.

Valtieri builds SaaS platforms that touch the sensitive functions of its clients: compliance, security posture, AI governance. Our security commitments are not a marketing page — they are the condition of the relationship.

EU · Sovereign hosting
0 · Third-party trackers
Q4 2026 · ISO 27001 target

Infrastructure

Sovereignty & hosting

No mystery about where your data lives. No silent third-party telemetry sent to US tools. Everything runs on infrastructure operated within the European Union.

European hosting

Vercel · Frankfurt (eu-central) and Paris (eu-west) regions. No application data leaves the EU. CDN edge with TLS 1.3 termination.

EU only · TLS 1.3 · DDoS mitigation

No third-party trackers

No Google Analytics, Meta Pixel or Hotjar. Anonymous audience measurement via first-party Vercel Analytics. Zero marketing cookies.

No 3rd-party · First-party only · Cookie-less

Isolated client data

SaaS products built with strict multi-tenancy: logical isolation by tenant_id on every query, per-organization encryption keys for Presidio.

Multi-tenant · Per-tenant keys · Row-level

Encryption in transit and at rest

TLS 1.3 in transit, AES-256 at rest (Vercel KV, managed Postgres EU), encrypted backups. Secrets in environment variables, never in code.

TLS 1.3 · AES-256 · Encrypted backups

Architecture

Security by design, not by patch

01

Authentication & access

TOTP MFA is mandatory on all administrative accounts. SSO via Keycloak or Azure AD for enterprise deployments. Granular RBAC following the principle of least privilege.

02

Immutable audit trail

Every sensitive action is logged: author, timestamp, resource, before/after state. Append-only logs, 3-year retention, exportable as JSON or signed PDF.
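A concrete shape for the tenant isolation described under Infrastructure (logical isolation by tenant_id on every query, row-level) and for the append-only audit trail described above, as an added example that is not Valtieri's own schema or code: Postgres row-level security keyed on a tenant identifier carried in a transaction-local setting, plus a trigger-fed audit table that records actor, timestamp, resource and before/after state and rejects any rewrite. The table, column, role and setting names (documents, audit_log, app_user, app.tenant_id, app.actor) are assumptions made for the illustration.

```sql
-- Added example (not Valtieri's schema): Postgres row-level security keyed
-- on tenant_id plus an append-only audit table capturing before/after state.
-- Table, column, role and setting names are assumptions for illustration.

CREATE TABLE documents (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid      NOT NULL,
    title      text      NOT NULL,
    body       text
);

-- The application role does not own the table (so RLS applies to it) and has
-- neither SUPERUSER nor BYPASSRLS, either of which skips every policy.
CREATE ROLE app_user LOGIN;   -- credentials provisioned separately
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;   -- owner is subject to it too

-- current_setting(..., true) yields NULL when the setting is missing, so a
-- request that never set its tenant sees nothing instead of everything.
CREATE POLICY tenant_isolation ON documents
    FOR ALL TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Audit trail: who, when, which resource, what changed.
CREATE TABLE audit_log (
    id           bigserial   PRIMARY KEY,
    occurred_at  timestamptz NOT NULL DEFAULT now(),
    actor        text        NOT NULL,
    tenant_id    uuid        NOT NULL,
    resource     text        NOT NULL,   -- table name
    resource_id  bigint      NOT NULL,
    action       text        NOT NULL,   -- INSERT / UPDATE / DELETE
    before_state jsonb,                  -- NULL on INSERT
    after_state  jsonb                   -- NULL on DELETE
);

CREATE FUNCTION audit_row_change() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    -- CASE evaluates only the chosen branch: NEW is never read on DELETE,
    -- OLD never on INSERT.
    INSERT INTO audit_log
        (actor, tenant_id, resource, resource_id, action, before_state, after_state)
    VALUES (
        coalesce(current_setting('app.actor', true), session_user::text),
        CASE WHEN TG_OP = 'DELETE' THEN OLD.tenant_id ELSE NEW.tenant_id END,
        TG_TABLE_NAME,
        CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END,
        TG_OP,
        CASE WHEN TG_OP <> 'INSERT' THEN to_jsonb(OLD) END,
        CASE WHEN TG_OP <> 'DELETE' THEN to_jsonb(NEW) END
    );
    RETURN NULL;   -- AFTER trigger: the return value is ignored
END $$;

CREATE TRIGGER documents_audit
    AFTER INSERT OR UPDATE OR DELETE ON documents
    FOR EACH ROW EXECUTE FUNCTION audit_row_change();

-- Append-only: reject rewrites in a trigger AND withhold the privileges.
-- TRUNCATE fires no row trigger, so it has to be revoked explicitly.
CREATE FUNCTION audit_log_immutable() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% rejected)', TG_OP;
END $$;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

REVOKE UPDATE, DELETE, TRUNCATE ON audit_log FROM PUBLIC;
GRANT INSERT, SELECT ON audit_log TO app_user;
GRANT USAGE, SELECT ON SEQUENCE audit_log_id_seq TO app_user;

-- Tenants read only their own entries. The trigger's INSERT passes the same
-- check because the audited row already matched the session tenant. No FORCE
-- here: the owner keeps full read access for exports.
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
CREATE POLICY audit_tenant ON audit_log
    FOR ALL TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per request, as app_user, inside one transaction: SET LOCAL is reset at
-- COMMIT/ROLLBACK, which is what you want behind a connection pooler.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SET LOCAL app.actor     = 'alice@example.com';
INSERT INTO documents (tenant_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Q3 risk register');
UPDATE documents SET title = 'Q3 risk register (reviewed)';   -- RLS-scoped
SELECT action, before_state ->> 'title' AS title_before,
       after_state ->> 'title' AS title_after
    FROM audit_log ORDER BY id;
COMMIT;
```

Two caveats a reviewer would raise. First, superusers and roles with BYPASSRLS skip every policy, and a superuser can still disable the trigger or drop the table, so "append-only" inside the database holds against the application role, not against a compromised database administrator; shipping the log to a separate write-once store is what makes it immutable in the sense the page uses. Second, to_jsonb(OLD) and to_jsonb(NEW) copy whole rows, so sensitive columns need redaction or field-level encryption before they land in the log.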

03

Supply chain security

SBOM generated on every release, automated dependency scanning (Renovate + Snyk), GPG-signed commits on main, lockfiles pinning exact dependency versions.

04

Penetration testing

Annual penetration test by a PASSI-qualified firm (ANSSI qualification), planned ahead of any public release of Presidio. Private bug bounty program in its launch phase.

Compliance

Public regulatory trajectory

We publish our actual status — including what is not yet certified. Transparency on the trajectory beats a misleading logo.

GDPR · Compliant by design

Data minimization, documented lawful basis for each processing activity, reachable DPO, current Record of Processing Activities. Public privacy policy.

NIS2 & DORA · Framework applied internally

Risk management measures (NIS2 Art. 21), incident notification, critical-supplier third-party risk management (TPRM) registry, documented business continuity plan.

ISO/IEC 27001:2022 · Certification path, target Q4 2026

Statement of Applicability (SoA) being drafted, gap analysis complete on all 93 Annex A controls, ISMS operational. Certification audit targeted for late 2026.

SOC 2 Type II · Evaluation, scoping 2027

Currently evaluating Trust Services Criteria scope (Security, Availability, Confidentiality). Audit budgeting planned Q1 2027.

EU AI Act · Deployer framework applied

Mapping of AI systems, risk-tier classification (Art. 6-7), documented governance. Preparation for the deployer obligations that apply from August 2026.

Healthcare Data Hosting (HDS) · Not applicable

Valtieri does not process healthcare data. This entry is published for transparency on the scope of our commitments.

Responsible disclosure

Responsible vulnerability disclosure.

The firm welcomes vulnerability reports from good-faith security research. No lawsuits, no DMCA takedowns. Direct communication channel with a founding partner and acknowledgement within 72 business hours.

Secure channel

PGP key available on request. Include a reproducible proof of concept, estimated impact and your handle for an optional public mention.

What we commit to

  • Acknowledgement within 72 business hours
  • Diagnosis and remediation timeline within 14 days
  • Public Hall of Fame for contributors (unless opted out)
  • No legal action for research conducted under this framework

Data governance

Operational GDPR, not declarative

Data controller

Valtieri SAS · 1 rue de Stockholm · 75008 Paris
DPO contact: contact@valtieri.fr

Record of Processing Activities maintained. DPIA performed for high-risk processing (notably compliance scoring).

Your rights

Access, rectification, erasure, objection, portability, restriction. Response within one month, free of charge, on request to contact@valtieri.fr.

Complaint possible with the French CNIL (cnil.fr).

Sub-processors

Public list of active sub-processors: Vercel (hosting, EU SCCs), SendGrid (transactional email, EU SCCs), Anthropic (AI, EU instance).

DPA available for each relationship on request.

Question about our posture?

Vendor security questionnaires, cyber due diligence, supplier audits — we take the time to answer in detail.