Sovereignty and compliance are not optional at Scope.
Published technical stack, subprocessors in the open, DocuSeal-signable DPA, downloadable EU AI Act assessment and security roadmap. What is certified is named; what is not remains presented as a target.
Last updated: 11 June 2026 · Version 2026.06.11-v5
Sensitive topics
Three questions every tier-1 PM asks
The three pages every procurement lead, DPO or AI architect at AXA, BNP or Société Générale opens first. Substantiated answers, public sources, firm disclaimers.
Railway in the EU West region (application + DocuSeal), Supabase in eu-west-1 (Dublin). US providers remain marked as legally exposed even when their technical region is EU.
Self-hosted DocuSeal in the EU, eIDAS-compliant — European legal validity without depending on US-hosted DocuSign / Adobe Sign.
Why these four legs?
It's not the word "sovereign" that is defensible — it's the published, verifiable stack and honest limits. EU regions are distinguished from providers' legal jurisdiction.
02 · Sub-processors
Exhaustive, always-current list of sub-processors, in application of GDPR Article 28.2. Any change is notified 30 days before it takes effect.
eIDAS-compliant e-signature for scoping notes, proposals and DPAs — DocuSeal instance self-hosted by the publisher on Railway (EU West region), no signed data is shared with a third party.
Railway, EU West region (European Union) · Jurisdiction: EU
S3-compatible object storage (EU bucket) holding the weekly Postgres database backups (compressed and encrypted SQL dump). No application content is read live from this bucket — access is restricted to disaster-recovery dumps.
European Union (R2 jurisdiction = EU, bucket pinned to EU) · Jurisdiction: US
Uptime monitoring of getscope.dev public routes and heartbeats from scheduled jobs (crons). No personal data transits Better Stack: only public HTTP probes and job-completion pings.
S3-compatible object storage with a 7-year Object Lock in COMPLIANCE mode for the immutable archive of the `audit_logs` journal (legal retention under Article L.123-22, 10 years). The monthly cron `archive_audit_logs_older_than_13_months()` moves rows past the HOT window to Scaleway Object Storage Paris (`fr-par` region, bucket `scope-audit-cold-prod`). In COMPLIANCE mode, deletion or overwrite of the archive is IMPOSSIBLE even with root credentials: there is no provider-side bypass.
Paris (DC5 datacenter, `fr-par` region) · Jurisdiction: EU
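The cold-archive step described above, as an added example (not Scope's own cron or code): rows older than the 13-month HOT window are serialised to a reproducible gzip'd JSONL batch, hashed, and uploaded under a 7-year COMPLIANCE retention before the hot-table rows are dropped. The row schema, batch key layout and the in-memory object store that mimics Object Lock are constructed for this illustration; with boto3 the same upload intent maps to `put_object(..., ObjectLockMode="COMPLIANCE", ObjectLockRetainUntilDate=retain_until)`, and the real immutability guarantee comes from the bucket, not from this script.

```python
"""Added example: archive audit-log rows past the HOT window into a
write-once cold store. Row schema, key layout and MemoryObjectStore are
constructed; bucket name and durations are the page's."""
import calendar
import gzip
import hashlib
import json
from datetime import date, datetime, timezone
from typing import Callable, Dict, List, Optional

HOT_WINDOW_MONTHS = 13            # page: rows older than 13 months are archived
OBJECT_LOCK_YEARS = 7             # page: 7-year Object Lock, COMPLIANCE mode
BUCKET = "scope-audit-cold-prod"  # page: bucket name (region fr-par)


def months_before(d: date, months: int) -> date:
    """Calendar-correct 'months ago', clamping the day to the month's length."""
    y, m0 = divmod(d.year * 12 + d.month - 1 - months, 12)
    m = m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def add_years(d: date, years: int) -> date:
    """Leap-day safe year arithmetic (29 Feb rolls back to 28 Feb)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


class MemoryObjectStore:
    """Stand-in for the S3-compatible bucket (constructed): mimics COMPLIANCE
    semantics locally, i.e. no overwrite and no delete before retain_until."""

    def __init__(self) -> None:
        self.objects: Dict[str, dict] = {}

    def upload(self, key: str, body: bytes, lock_mode: str,
               retain_until: datetime, sha256: str) -> None:
        if key in self.objects:
            raise PermissionError("overwrite refused: object is locked")
        self.objects[key] = {"body": body, "lock_mode": lock_mode,
                             "retain_until": retain_until, "sha256": sha256}

    def delete(self, key: str, now: datetime) -> None:
        obj = self.objects[key]
        if obj["lock_mode"] == "COMPLIANCE" and now < obj["retain_until"]:
            raise PermissionError("delete refused: COMPLIANCE retention in force")
        del self.objects[key]


def select_cold_rows(rows: List[dict], today: date) -> List[dict]:
    """Rows whose timestamp falls before the HOT-window cutoff."""
    cutoff = months_before(today, HOT_WINDOW_MONTHS)
    return [r for r in rows if datetime.fromisoformat(r["ts"]).date() < cutoff]


def archive_batch(rows: List[dict], today: date, upload: Callable[..., None]) -> Optional[dict]:
    """Upload cold rows as locked gzip'd JSONL and return a manifest; the caller
    deletes hot rows only after this returns (write-then-delete ordering)."""
    cold = select_cold_rows(rows, today)
    if not cold:
        return None
    lines = "\n".join(json.dumps(r, sort_keys=True) for r in cold) + "\n"
    body = gzip.compress(lines.encode("utf-8"), mtime=0)  # mtime=0: reproducible bytes
    digest = hashlib.sha256(body).hexdigest()
    key = f"audit_logs/{today:%Y/%m}/batch-{digest[:12]}.jsonl.gz"
    retain_until = datetime.combine(add_years(today, OBJECT_LOCK_YEARS),
                                    datetime.min.time(), tzinfo=timezone.utc)
    upload(key=key, body=body, lock_mode="COMPLIANCE",
           retain_until=retain_until, sha256=digest)
    return {"bucket": BUCKET, "key": key, "rows": len(cold), "sha256": digest,
            "retain_until": retain_until.isoformat(), "ids": [r["id"] for r in cold]}


def verify_archived(store: MemoryObjectStore, manifest: dict) -> bool:
    """Re-read the object, check the digest and that every row survived."""
    obj = store.objects[manifest["key"]]
    if hashlib.sha256(obj["body"]).hexdigest() != manifest["sha256"]:
        return False
    rows = [json.loads(l) for l in gzip.decompress(obj["body"]).decode().splitlines()]
    return [r["id"] for r in rows] == manifest["ids"]


def demo(today: date = date(2026, 6, 11)) -> dict:
    """Constructed sample rows: ids 1 and 3 are older than 13 months, id 2 is not."""
    rows = [
        {"id": 1, "ts": "2025-01-15T10:00:00+00:00", "action": "brief.create", "actor": "u1"},
        {"id": 2, "ts": "2025-09-01T08:30:00+00:00", "action": "export.download", "actor": "u2"},
        {"id": 3, "ts": "2024-12-31T23:59:00+00:00", "action": "account.login", "actor": "u1"},
    ]
    store = MemoryObjectStore()
    manifest = archive_batch(rows, today, store.upload)
    remaining = [r["id"] for r in rows if r["id"] not in manifest["ids"]]  # hot-table delete
    try:
        store.delete(manifest["key"], datetime.combine(today, datetime.min.time(), tzinfo=timezone.utc))
        refused = False
    except PermissionError:
        refused = True
    return {"manifest": manifest, "remaining_ids": remaining,
            "verified": verify_archived(store, manifest), "delete_refused": refused}
```

The order matters: the manifest (key, row ids, digest) is what an auditor checks against the bucket, and the hot rows are only dropped once the upload has returned, so a failed upload leaves the journal intact rather than silently losing the month.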
Railway Corp. is US-domiciled. Scope deploys the application service in the EU West region and does not persist durable customer content on Railway; durable data (briefs, scoping documents, exports, audit logs) resides in Supabase EU. Railway's DPA incorporates applicable transfer mechanisms, including SCCs.
Supabase
Supabase, Inc. is US-domiciled, but the Scope project is provisioned in the eu-west-1 (Dublin) region. Transfers outside the EU are governed by Supabase's DPA and SCCs; access is limited through RLS, separated keys and data minimization.
OpenRouter
OpenRouter is a stateless proxy: no prompt or output is retained on the OpenRouter side beyond processing time. The contract enforces data_collection=deny downstream. Inferences are currently served by OpenAI and Anthropic (United States); an EU-resident routing option (Bedrock eu-west-3, Mistral Large in Paris) is under validation for an Enterprise option.
Resend
Resend is operated by a US company. Scope uses the eu-west-1 sending region for transactional emails and limits transmitted content to what is necessary for deliverability. Resend's DPA incorporates SCCs.
GlitchTip
Burke Software & Consulting LLC is US-domiciled, but the GlitchTip instance used by Scope is hosted on DigitalOcean Frankfurt with a contractual EU data residency and no-transfer clause. Payloads are scrubbed SDK-side (PII, tokens, secrets) before transmission. Default retention: 30 days.
Cloudflare R2 (EU)
Cloudflare, Inc. is US-domiciled, but the R2 bucket used by Scope is provisioned with EU jurisdiction (R2 jurisdictional restrictions option). Stored content is limited to compressed/encrypted Postgres dumps reserved for disaster-recovery; no application data is read live from this bucket. The Cloudflare DPA incorporates the SCCs. Retention is capped at 90 days by the bucket lifecycle policy.
Cloudflare
Cloudflare only processes DNS and email routing metadata. No client application data (briefs, scoping documents, exports) is exposed. The Cloudflare DPA incorporates the EU Standard Contractual Clauses.
03 · Data & Retention
Durable application data resides in the European Union. Retention by data type, erasure rights, contractual no-training on AI inputs and framed transfers when a provider is US-domiciled.
Data residency: durable data in the EU
Postgres and Storage in eu-west-1 (Dublin). Railway application container in the EU West region. Self-hosted DocuSeal on Railway (EU West region). Some providers are US-domiciled: possible transfers are framed by DPA, SCCs and minimization.
LLM routing currently goes through OpenAI (GPT-4o / GPT-4o mini) and Anthropic (Claude Sonnet 4.6 / Haiku 4.5), operated from the United States, with data_collection=deny and EU SCCs as mitigation. An Enterprise EU-resident routing option (Bedrock eu-west-3, Mistral Large in Paris) is under internal validation and will be offered as soon as FR quality benchmarks are conclusive.
| Data type | Retention | Legal basis |
| --- | --- | --- |
| Briefs and inputs (text, audio, files) | Subscription duration + 30 days | GDPR Article 5.1.e — minimization |
| Scoping documents (AI deliverables) | Subscription duration + 30 days, exportable for 30 days after termination | Security and evidentiary obligation (GDPR Article 32) |
| Generated exports (Word/PDF/Markdown) | Deleted as soon as the export is delivered (link expires after 7 days) | Minimization |
| Accounting records (invoices, transactions) | 10 years | Article L.123-22 of the French Commercial Code |
| Security logs (GlitchTip, self-hosted EU) | 30 days, PII scrubbing enabled in the SDK | Security — GDPR Article 32 |
Contractual no-training
Contracts with OpenRouter and all LLM providers actually in use (OpenAI, Anthropic) include data_collection=deny at the provider level. Your prompts and the generated responses are never used to train or fine-tune the models.
Automated right to erasure
Users can delete a brief, a scoping document or their entire account in self-service. Effective purge runs within 30 days, except for accounting obligations (10 years for invoiced records).
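The retention table and the erasure rule above, encoded as a small evaluator. This is an added example, not Scope's own code: the `Record` model, the kind names and the demo records are constructed for the illustration; the durations (30-day grace, 7-day export link, 10-year accounting retention, 30-day security logs) are the page's. The example shows the one interaction the text calls out, namely that an account deletion request shortens every record's life to 30 days except invoiced records, which keep their 10-year accounting retention.

```python
"""Added example: retention evaluator for the data types on this page.
Record model and kind names are constructed; durations are the page's."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PURGE_GRACE_DAYS = 30    # page: purge within 30 days (erasure, end of subscription)
EXPORT_LINK_DAYS = 7     # page: export download link expires after 7 days
ACCOUNTING_YEARS = 10    # page: Article L.123-22 of the French Commercial Code
SECURITY_LOG_DAYS = 30   # page: GlitchTip retention

KINDS = ("brief", "scoping_document", "export", "invoice", "security_log")


@dataclass
class Record:
    kind: str
    created: date
    subscription_end: Optional[date] = None   # briefs / scoping documents
    delivered: Optional[date] = None          # exports
    erasure_requested: Optional[date] = None  # set by a self-service deletion


def add_years(d: date, years: int) -> date:
    """Leap-day safe year arithmetic (29 Feb rolls back to 28 Feb)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def purge_date(rec: Record) -> Optional[date]:
    """Date by which the record must be gone, or None if not yet determinable."""
    if rec.kind not in KINDS:
        raise ValueError(f"unknown record kind: {rec.kind}")
    if rec.kind == "invoice":
        # Accounting obligation: an erasure request does not shorten this.
        return add_years(rec.created, ACCOUNTING_YEARS)
    if rec.kind == "security_log":
        rule = rec.created + timedelta(days=SECURITY_LOG_DAYS)
    elif rec.kind == "export":
        # Kept only as long as the download link is valid.
        rule = None if rec.delivered is None else rec.delivered + timedelta(days=EXPORT_LINK_DAYS)
    else:  # brief, scoping_document: subscription duration + 30 days
        rule = None if rec.subscription_end is None else rec.subscription_end + timedelta(days=PURGE_GRACE_DAYS)
    if rec.erasure_requested is not None:
        by_request = rec.erasure_requested + timedelta(days=PURGE_GRACE_DAYS)
        return by_request if rule is None else min(rule, by_request)
    return rule


def due_for_purge(records: List[Record], today: date) -> List[Record]:
    """Records the purge job must delete on `today`."""
    return [r for r in records if (d := purge_date(r)) is not None and d <= today]


def account_erasure_plan(records: List[Record], requested: date) -> List[Tuple[str, date, str]]:
    """Self-service account deletion: stamp every record with the request date
    and report what purges within 30 days and what is retained by law."""
    plan = []
    for rec in records:
        rec.erasure_requested = requested
        reason = ("accounting obligation (10 years)" if rec.kind == "invoice"
                  else "purge within 30 days of request")
        plan.append((rec.kind, purge_date(rec), reason))
    return plan


def demo() -> dict:
    """Constructed account with one brief, one delivered export and one invoice."""
    requested = date(2026, 6, 11)
    records = [
        Record("brief", date(2026, 1, 10), subscription_end=date(2026, 12, 31)),
        Record("export", date(2026, 6, 1), delivered=date(2026, 6, 1)),
        Record("invoice", date(2024, 2, 29)),  # leap-day creation exercises add_years
    ]
    plan = account_erasure_plan(records, requested)
    return {
        "plan": {kind: (d.isoformat(), reason) for kind, d, reason in plan},
        "due_on_2026_07_11": [r.kind for r in due_for_purge(records, date(2026, 7, 11))],
    }
```

Two details worth keeping when porting this to a real purge job: the invoice branch returns before the erasure request is considered, so no later refactor can accidentally let a deletion request override the accounting clock, and `purge_date` returns `None` rather than a guess when the governing date (subscription end, delivery) is not yet known.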
04 · Compliance — status and roadmap
Public status of each framework. No false promises: what's in progress is announced as in progress, what's planned is dated.
| Framework | Status | Date / target | Detail |
| --- | --- | --- | --- |
| GDPR / Self-service DPA | Available | 11 June 2026 | DPA signable in self-service via DocuSeal. Sub-processors published. GDPR rights automated in-product. |
| SOC 2 Type 1 | In progress | Target to confirm | Controls roadmap documented. No SOC 2 report or "in progress" badge is claimed before formal engagement with an independent auditor. |
| SOC 2 Type 2 | Planned | Target 2027-Q1 | Operating-effectiveness audit over 3 to 12 months. Kicks off immediately after the Type 1 attestation. |
| ISO 27001 | Planned | Target 2027 | Maturity target, not certified today. Current controls are documented in the README and on this page. |
| HDS / HIPAA | Out of scope | n/a | Scope is not designed to process health data. To be reconsidered if a healthcare pivot is confirmed. |
05 · EU AI Act assessment
Categorization of each AI feature under Regulation (EU) 2024/1689 and the associated mitigations.
Selected category: limited risk (Article 50 of the EU AI Act). Scope produces AI-assisted text content for internal organisational use and applies the corresponding transparency obligations. No feature falls under unacceptable-risk (Article 5) or the high-risk use cases listed in Annex III.
Justification
No biometric scoring or person identification — Scope performs no facial recognition, no emotional assessment, no person categorization (Article 5 EU AI Act).
No automated decisions affecting individuals' rights within the meaning of GDPR Article 22. All deliverables are systematically reviewable and reviewed by a human before export or signature.
No use in critical infrastructure (Annex III §2), employment (§4), education (§3), justice (§6) or law enforcement (§8).
Mitigations
Article 50 transparency — users are informed in-product that the content is AI-generated or AI-assisted.
Mandatory human-in-the-loop — export and signature require explicit human validation.
Contractual no-training — data_collection=deny clause enforceable against every LLM provider.
Source citations when extraction is grounded in a user-provided document — paragraph-by-paragraph traceability.
Scope is positioned as a non-critical ICT third-party provider under DORA (EU) 2022/2554. The artefacts required for your Register of Information (RoI) are available.
For financial-entity Clients subject to DORA, Scope provides the full set of supplier-side artefacts: internal AI model usage registry, documented RTO/RPO targets, exit plan with data portability, and mapped data-flow architecture. A CSV mapping to the ESA DORA RoI template is available on request.
Art. 28(3) + Implementing Regulation 2024/2956
RTO 4 h and RPO 24 h during FR business hours, justified by the stack (Railway EU West + Supabase PITR + DocuSeal snapshots). Non-contractual targets; a contractual commitment is available under an Enterprise agreement.
Documented Exit Plan: 30-day notice, full GDPR export (JSON + Markdown + assets), cascade hard-delete, compliant with DORA art. 28(8) + GDPR art. 17/20.
ai_model_usage registry — internal, updated on every prompt or model change. Anticipates AI Act Annex II obligations and DORA RoI requirements.
Business Continuity Plan: BCP runbook in formalisation, redundancy assumed via the EU cloud providers and their own continuity commitments.
No client application data leaves the European Union. Each sub-processor is documented with its residency zone and role in the pipeline.
EU residency principle
All durable application data (briefs, audio transcripts, scoping documents, exports, audit logs) resides in EU regions on Supabase Dublin. US-domiciled sub-processors in the durable persistence path are configured to process in EU regions (Railway EU West, Resend Ireland, GlitchTip Frankfurt).
For LLM inferences, OpenRouter is a stateless proxy (United States) that today routes requests to OpenAI (GPT-4o / GPT-4o mini, United States) and Anthropic (Claude Sonnet 4.6 / Haiku 4.5, United States) under EU Standard Contractual Clauses and the contractual `data_collection=deny` directive. **Resilience chain (PH10)**: when OpenRouter is unavailable, the pipeline switches directly to Mistral AI (Paris, EU) for the duration of the outage — switchover is audited (`pipeline.llm_provider_failover`) and the no-training contractual obligation is preserved. A permanent EU-resident Enterprise routing option (Bedrock Paris or Mistral Large Paris) is under internal validation and will be offered on request as soon as FR quality benchmarks are conclusive.
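The resilience chain described above, as an added example (not Scope's own pipeline code): a router that sends every request to the primary provider, switches to the fallback when the primary is unavailable, stays on the fallback for the outage window, and writes an audit event at the moment of switchover. The adapter names (`openrouter`, `mistral`), the `no_training` flag standing in for the contractual `data_collection=deny` directive, and the call-count cooldown are assumptions; only the event name `pipeline.llm_provider_failover` comes from the page. The constructor refuses a fallback that lacks the no-training guarantee, which is how the "obligation is preserved" property is enforced in code rather than by convention.

```python
"""Added example: primary-first LLM routing with an audited failover.
Provider names, the no_training flag and the cooldown are assumptions;
the audit event name is the one this page cites."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


class ProviderUnavailable(Exception):
    """Raised by a provider adapter on timeout or 5xx (constructed)."""


@dataclass
class Provider:
    name: str                       # assumed adapter names, e.g. "openrouter", "mistral"
    region: str                     # "US" / "EU", informational only
    no_training: bool               # True when the contract enforces data_collection=deny
    complete: Callable[[str], str]  # prompt -> completion


@dataclass
class AuditLog:
    events: List[dict] = field(default_factory=list)

    def record(self, event: str, **fields) -> None:
        self.events.append({"event": event, **fields})


class FailoverRouter:
    """Route to the primary; on an outage, serve `cooldown_calls` requests from
    the fallback before probing the primary again."""

    def __init__(self, primary: Provider, fallback: Provider, audit: AuditLog,
                 cooldown_calls: int = 3) -> None:
        # A fallback without the no-training clause would silently weaken the
        # contractual guarantee, so it is refused at construction time.
        if not fallback.no_training:
            raise ValueError("fallback provider must enforce no-training")
        self.primary, self.fallback, self.audit = primary, fallback, audit
        self.cooldown_calls = cooldown_calls
        self._remaining = 0  # > 0 while in failover mode

    def active(self) -> Provider:
        return self.fallback if self._remaining > 0 else self.primary

    def complete(self, prompt: str) -> str:
        if self._remaining > 0:
            self._remaining -= 1  # stay on the fallback during the outage window
            return self.fallback.complete(prompt)
        try:
            return self.primary.complete(prompt)
        except ProviderUnavailable as exc:
            # Audit before switching so the switchover is visible even if the
            # fallback call below fails too.
            self.audit.record("pipeline.llm_provider_failover",
                              from_provider=self.primary.name,
                              to_provider=self.fallback.name,
                              reason=str(exc))
            self._remaining = self.cooldown_calls
            return self.fallback.complete(prompt)


def rejects_untrained_fallback() -> bool:
    """True if the router refuses a fallback lacking the no-training guarantee."""
    ok = Provider("openrouter", "US", True, lambda p: p)
    bad = Provider("untrusted", "EU", False, lambda p: p)
    try:
        FailoverRouter(ok, bad, AuditLog())
    except ValueError:
        return True
    return False


def demo() -> Tuple[List[str], List[dict]]:
    """Constructed outage: the primary fails on its first call, then recovers."""
    calls = {"primary": 0}

    def flaky_primary(prompt: str) -> str:
        calls["primary"] += 1
        if calls["primary"] == 1:
            raise ProviderUnavailable("HTTP 503 from upstream")
        return "primary:" + prompt

    primary = Provider("openrouter", "US", True, flaky_primary)
    fallback = Provider("mistral", "EU", True, lambda p: "fallback:" + p)
    audit = AuditLog()
    router = FailoverRouter(primary, fallback, audit, cooldown_calls=2)
    outputs = [router.complete(f"prompt-{i}") for i in range(4)]
    return outputs, audit.events
```

In the demo the first request fails over, the next two are served by the fallback without any further audit noise, and the fourth probes the primary again; a production version would replace the call-count cooldown with a time-based or health-check-based one, but the audit-then-switch ordering and the constructor-time no-training check are the parts a reviewer should look for.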
Procurement-portable markdown version of the 11 sub-processors, Cloud Act mitigations and 4 sovereignty legs. Contractual annex. Draft to be reviewed by IT counsel before signature.
Mermaid diagram + typed arrows (customer data vs metadata) + EU residency annotated + 11 categories of processed data with retention. Draft to be reviewed by counsel.
GDPR Article 28 DPA in markdown with [CLIENT_NAME], [CLIENT_SIRET], [DATE_SIGNATURE] placeholders. Contractual annex. Draft to be reviewed by IT/GDPR counsel before signature.
Service objective explicitly non-contractual: 99.5% during FR business hours, support 1 business day, upstream exclusions documented. Contractual 99.9% SLA roadmap conditioned on Enterprise contract.
ISO 27035 and GDPR art. 33-34. Automated detection, S1/S2/S3 triage, CNIL notification within 72 h and notification of affected individuals without undue delay. Post-mortem template. Draft to be reviewed.
RTO 4 h during FR business hours and RPO 24 h max via the 7-day Supabase PITR window. Current stack explained. Secondary site: redundancy across the EU cloud providers. Non-contractual objectives; a contractual commitment is available under an Enterprise agreement.
28 questions, CSA STAR L1 + AWS SaaS Questionnaire subset. 13 categories: data residency, encryption, auth, audit, incident, GDPR, subprocessors, retention, backups/DR, AI Act, compliance. Long form on request.
Editable markdown template, 15 articles + 9 annexes. Placeholders [CLIENT_NAME], [MONTANT_FORFAITAIRE]. 3 months renewable once. To be adapted per case and reviewed by IT counsel before signature.