Trust center
Encryption
TLS 1.2 or higher for everything in transit, including the WebSocket that streams answers to your browser. AES-256 for stored data, including conversation transcripts, uploaded documents and backups. Keys are managed by the underlying EU cloud provider and rotated according to their published schedule.
Access control
Internal access follows least-privilege and need-to-know principles. Engineers do not access customer data in the course of normal operations; access for support purposes is opt-in by you per ticket and is logged. On the customer side, organisation administrators control who can use Localign, who can manage assistants, and which providers are reachable in Mode B. Multi-factor login is supported for end users.
Auditability
Every conversation has a stable trace identifier and is reproducible from the organisation admin panel. Admin actions — invitations, role changes, license re-assignment, billing changes — generate audit-log entries. Sub-processor changes are published on the Sub-processors page, and the contact in your DPA is notified of them.
Vulnerability management
Internal vulnerability scans run on every release; container images are scanned on push. An external penetration test is performed annually, scoped to the customer-facing trust boundary. Findings are tracked to closure under our incident-management policy. Renovate keeps dependencies current, and a documented exception process governs anything that cannot be auto-upgraded.
Incident response
We follow a documented incident-response procedure with named roles, escalation paths and rehearsed drills. Customer-affecting incidents are notified within the windows set by GDPR Article 33 (personal data) and DORA (where applicable to financial-services customers). The Service status page describes what we publish during an incident; the Updates page lists structural changes that came out of past incidents.