Security & Compliance

Built for your GDPR review.

No marketing fluff — named sub-processors, explicit regions, documented processes. This page is written for CIOs and data protection officers.


1. GDPR compliance

Rentarion meets Art. 13/14 (notice), Art. 15 (access), Art. 17 (erasure) and Art. 20 (portability) of the GDPR. Every tenant can export its data as JSON or request full deletion.

2. Sub-processors

All providers are located within the EU. DPAs per Art. 28 GDPR are in place or in progress.

Service
Purpose
Region
DPA
Supabase
PostgreSQL database + file storage
Frankfurt (eu-central-1)
In place
Azure Document Intelligence
OCR (text extraction)
West Europe
In place
Azure OpenAI
Structured field extraction
Sweden Central (EU Data Boundary)
In place
Vercel
Hosting & edge network
EU
In place
Resend
Transactional email
EU
In review
Upstash Redis
Rate limiting (optional)
EU
In review
Hetzner Object Storage
Encrypted off-site backups (database + files)
Nuremberg (Germany)
In review

Azure OpenAI: no training on customer data — contractually ensured via EU Data Boundary.

3. Data minimisation & encryption

Encryption at rest and in transit throughout. Password hashing with bcrypt (12 rounds). No tracking tools without consent. Session cookies httpOnly, SameSite=Lax.

4. Multi-tenant isolation

Strict tenant separation at the application level: every database query is tenant-bound. In addition, PostgreSQL Row Level Security acts as a default-deny safeguard at the database level. Regular tenant-isolation audits — most recently without a single exploitable finding.

5. Audit log & four-eyes

Every field change, every approval step, every upload, every export — with user ID, timestamp, before/after. Critical fields require two-person approval.

6. Anti-hallucination

The AI provides citations, but we do not trust blindly: every citation is checked via exact substring match (after whitespace and case normalisation) against the OCR text. No fuzzy matching. Failed verification → citation discarded.

7. Legal Alert Engine

9 legal categories from BGB/BetrKV/HkVO. Deterministic rules, no LLM legal advice. Details and statutes on the Features page under #legal-engine.

8. Role permissions

Five roles with fine-grained rights: admin (full tenant control), portfolio manager (day-to-day operations), approver (four-eyes approvals), viewer (read-only) — plus platform administration. Individual permission flags per user, role changes are audit-tracked.

9. Password security & auth

Self-service password reset with 1-hour token. Anti-enumeration (same response regardless of whether the email exists). New passwords are checked against known data breaches (k-anonymity — the password never leaves the browser). Invite-only onboarding — no public registration.

10. Backups & recovery

Daily encrypted off-site backups of database and files at Hetzner in Nuremberg — deliberately with a different provider than the primary storage (3-2-1 principle). Restorability is verified automatically every week.

Questions from your IT or DPO?

We provide DPA templates, TOMs and an architecture overview on request.