Trust center

Trust at clusterbid.

Security, compliance, and operational posture for a frontier-inference platform serving regulated buyers. Every claim on this page is backed by an artefact you can read, a contract you can sign, or a public dashboard you can monitor.

For procurement, audit, or security review: security@clusterbid.eu · responds within one business day.

01 · Posture at a glance
SOC 2 Type I
Q3
audit period open
Regions live
3
US · EU · India
Public sub-processors
9
listed at /legal/subprocessors
Status uptime (90d)
99.97%
status.clusterbid.eu

02 · How we think about trust

Region-resident by design. Audited by default. Public by policy.

Security

In-region by default.

Inference traffic stays in the region the customer pins. Region routing is enforced in the gateway, not in policy. No best-effort cross-region failover. Per-request region attestation in response headers.

Compliance

SOC 2 Type I in audit.

Type I report this quarter, Type II twelve months later. DPA, BAA, India DPDPA addendum, and sovereign annex on our paper — redline-ready for legal review. Sub-processor list published and pinned.

Operations

Public-by-default ops.

Per-region status page. Incident write-ups within five business days, published — not "communicated to affected customers." Responsible-disclosure program with safe-harbour terms.


03 · Live posture
Status
All regions operational
Last incident

None in the last 90 days · write-ups published at /legal

Status page →Sub-processor list

04 · Documents you can sign

On our paper. Available before the first call.

  • Data Processing Addendum (DPA) — published, standard contractual clauses, indemnity caps aligned with regulated-enterprise procurement standards.
  • Sovereign region annex — names the pinned region, no-egress clause, explicit audit rights. Pairs with the DPA.
  • Business Associate Agreement (BAA) — available for US-HIPAA workloads on request.
  • India DPDPA addendum — for tenants pinned to ap-mum-1, aligned with Digital Personal Data Protection Act 2023.
Read the DPARequest security review
disclosure

Responsible disclosure.

Researchers who identify a vulnerability and follow our disclosure policy get safe-harbour, a public acknowledgement (with consent), and a meaningful response inside five business days. Bounty program in scoping.