Trust at clusterbid.
Security, compliance, and operational posture for a frontier-inference platform serving regulated buyers. Every claim on this page is backed by an artefact you can read, a contract you can sign, or a public dashboard you can monitor.
For procurement, audit, or security review: security@clusterbid.eu · responds within one business day.
Region-resident by design. Audited by default. Public by policy.
In-region by default.
Inference traffic stays in the region the customer pins. Region routing is enforced in the gateway, not in policy. No best-effort cross-region failover. Per-request region attestation in response headers.
SOC 2 Type I in audit.
Type I report this quarter, Type II twelve months later. DPA, BAA, India DPDPA addendum, and sovereign annex on our paper — redline-ready for legal review. Sub-processor list published and pinned.
Public-by-default ops.
Per-region status page. Incident write-ups within five business days, published — not "communicated to affected customers." Responsible-disclosure program with safe-harbour terms.
None in the last 90 days · write-ups published at /legal
On our paper. Available before the first call.
- Data Processing Addendum (DPA) — published, standard contractual clauses, indemnity caps aligned with regulated-enterprise procurement standards.
- Sovereign region annex — names the pinned region, no-egress clause, explicit audit rights. Pairs with the DPA.
- Business Associate Agreement (BAA) — available for US-HIPAA workloads on request.
- India DPDPA addendum — for tenants pinned to ap-mum-1, aligned with Digital Personal Data Protection Act 2023.
Responsible disclosure.
Researchers who identify a vulnerability and follow our disclosure policy get safe-harbour, a public acknowledgement (with consent), and a meaningful response inside five business days. Bounty program in scoping.