Vendor docs ready before the questionnaire even arrives.
DPA, SLA, SOC 2 status, sub-processor list, security questionnaire response — all published. We don't make you wait two weeks for paperwork.
What matters to procurement teams
- ✓Published DPA (GDPR Art. 28) at /factory/dpa — sign electronically or use ours
- ✓Published SLA at /factory/sla — 99.9% / 99.95% targets on planned Team / Enterprise tiers (service credits in contract)
- ✓Published compliance posture at /factory/compliance — honest status per framework, no SOC 2 cert today
- ✓Sub-processors documented inline in /factory/dpa (Anthropic, OpenAI, Supabase, AWS, Cloudflare) — a standalone sub-processor page is on the roadmap
- ✓Security questionnaire response: we reply, but no committed turnaround until process is documented (best-effort today)
Objections procurement teams raise — and our answers
We don’t pretend these don’t come up. Here’s how we respond.
Correct. Audit window Q4 2026. We do NOT claim certification we don't hold. Enterprise prospects can request the under-NDA Type I bridge letter. Compliance page lists exactly where we stand on every framework.
Supabase Postgres in AWS us-east-1 by default. EU-only data residency and a self-host-in-your-VPC option are both roadmap, not shipping today. Sub-processors documented in DPA.
Standard 30-day notice. Data export in CSV / JSONL on request. Artifacts retained 30-365 days based on tier. DPA spells out deletion timelines after termination. No "calling for retention" surprises.