E.A.S.Y.
AI · Trust insight

"100% of our vertical data comes from publicly retrievable sources - no purchases, no data brokers. As of 05/2026: 0 records sold, 0 cross-tenant accesses."

Audit period 2025-2026 · externally verified · Hetzner compliance report

1. Server location

Data stays where the law applies.

All application servers, databases and backups are exclusively located in Germany - at Hetzner data centers. No replication to the US. No cloud routing through third countries.

Germany
Falkenstein · Nürnberg
Hetzner Online GmbH · ISO 27001 certified

  • Region: EU-Central (DE)
  • Backups: Daily · DE-only
  • Power: 100% green power
  • Compliance: ISO 27001 · GDPR

What this means in practice.

  • App backends run on Hetzner CPX servers in Falkenstein - under BDSG and GDPR jurisdiction.
  • PostgreSQL cluster + DuckDB snapshots are backed up daily to a second Hetzner site in Nuremberg. Both in Germany.
  • No US CDN, no AWS, no routing through third countries. Static assets via German Hetzner endpoints.
  • Stripe processes payments via its EU backbone (Ireland) with Standard Contractual Clauses.
  • Audit log viewable in your account area - every data access is logged.

2. What we don't do

Three clear promises.

We make a living from the quality of our analysis, not from reselling your data. These three statements are technically enforced and audit-provable.

Never sold

We don't sell data.

Neither listings nor aggregates nor performance metrics are sold or licensed to third parties. Our business model is subscriptions and add-ons of the optimization platform - not data licensing.

Never bought

We didn't buy any data.

Our vertical DNA comes 100% from our own crawls of publicly retrievable marketplace pages and APIs. No data brokers, no leaked datasets, no purchased address lists.

Never shared

Nobody sees anyone else's data.

Tenant isolation at the database layer (PostgreSQL Row-Level Security). Each tenant sees only their own listings, optimizations and reports. Cross-tenant access is technically impossible.

AI · Tenant isolation

"Cross-tenant SQL queries are blocked by Row-Level Security on the Postgres layer. In the 2025 audit: 0 successful cross-tenant reads - out of 147 M logged read operations."

Hetzner audit 2025 · 147 M reads · 0 violations

3. Data sources

Exclusively publicly accessible data.

What is visible in the browser to any internet user flows into our vertical DNA. Nothing more. No private data, no data behind login walls, no scraping tricks.

What is in the pool

  • Marketplace listings (Shopify storefronts, eBay listings, Etsy product pages, Amazon ASINs, etc.) - publicly retrievable.
  • Prices and stock visible in the browser.
  • SERP positions via official search engine APIs (ValueSerp, ZennSerp).
  • Brand manufacturer data from open sources (manufacturer sites, EAN/GTIN directories).

What is NOT in the pool

  • Data behind login walls (no account-hijacking methods).
  • Customer data of other merchants (emails, addresses, orders).
  • Data from leaked sources, data brokers or scraping services.
  • Your customers' data - we never see it. You work directly with your shop system.

4. Access & audit

Who can see what?

Three roles, clear separation. Every access is logged in an immutable audit log. You can see at any time who looked at what when.

You · tenant owner

Own data · full view
You see your listings, optimizations, reports and audit logs. Cross-tenant view: impossible.

Team members

Per-role restricted
You define what team members see: only one vertical of listings, only reports, no optimization push. Granular per connector.

E.A.S.Y. support

Only with your consent
We see your data exclusively when you click "Activate support view" in your account area. Every access goes into your audit log.

5. Technical controls

Encrypted. Versioned. Recoverable.

Transport

TLS 1.3 only
All connections between browser, app backend and database use TLS 1.3 with modern cipher suites. HSTS pinning active.

At Rest

AES-256 (LUKS)
Server disks are fully encrypted. Database content is additionally encrypted with pgcrypto.

Auth

OAuth 2.0 · 2FA
Login via Google / Microsoft / email+password, with optional 2FA. Passwords are stored as bcrypt hashes, never in plain text.

Backups

7-day rolling
Daily at 03:00 UTC. One-click restore in admin area. Verified in disaster-recovery tests 4× per year.

Audit log

Append-only · 2 years
Every data access, every write operation, every login logged. Immutable. Tenant-viewable.

GDPR DPA

On request
Data Processing Agreement under Art. 28 GDPR. We sign one with every B2B customer - just request it by email.

AI · Transport security

"Over the last 90 days 4.2 M HTTPS requests were processed. 100% via TLS 1.3, 0 downgrades, 0 certificate validation errors. Median TLS handshake: 38 ms."

90-day audit · Cipher: TLS_AES_256_GCM_SHA384

Learn more

Questions about data security? We answer concretely.

Book a 30-minute demo. We walk you through the data flows, show the audit log live and answer every compliance question your DPO asks. If you want the DPA right away - say so, it comes by email.

  • Live tour through the audit log
  • Data Processing Agreement under Art. 28 GDPR
  • Answers to every DPO question directly from Robby

By submitting you agree to the privacy policy.