Trust Centre
Capila Trip is built for finance teams that have to defend every line in an audit. This page summarises how we handle your data, who processes it, and the legal basis for each transfer. For full legal terms see Terms of use, Privacy policy and Cookies.
Data residency
- Supabase eu-central-1 (Frankfurt) for database and storage.
- Cloudflare Workers with EU placement for the application runtime.
- Sentry EU-hosted project for error monitoring with PII scrubbing.
- Resend EU region for transactional email.
Compliance documents
- Paperless SK self-attestation (§ 31 – § 35 ZoÚ), signed by CTO + CEO and versioned.
- DPA template aligned with 2021 EU SCCs, customer-negotiable with a 5-working-day legal review SLA.
- RoPA template with customer-specific excerpt generator.
- Transfer Impact Assessment for the Anthropic EU endpoint.
- Retention policy covering SK 10y / UK 6y / US 7y and payroll/personnel special rules.
- Email legal@capila.io to receive the signed PDFs of any of the above.
Sub-processors
- We publish the authoritative list and notify customers 30 days before adding or replacing a sub-processor. Customers can object during the notice period.
| Processor | Role | Location |
|---|---|---|
| Supabase | Database, storage, authentication, edge functions | eu-central-1 (Frankfurt) |
| Cloudflare | Application runtime, CDN, WAF | EU placement |
| Anthropic | Claude Haiku 4.5 — OCR primary + AI audit | Anthropic EU endpoint (DPF-certified) |
| Mindee (optional) | OCR fallback (≥ €500 or low confidence) | Paris, FR |
| Resend | Transactional email | EU region |
| Sentry | Error monitoring | EU-hosted project |
| Plausible | Marketing-site analytics | EU (no cookies) |
Security
- Row Level Security on every Postgres table; tenant isolation on every row.
- TOTP or passkey required for admin accounts; optional for regular users.
- Quarterly secret rotation with catalogued keys and runbook.
- Annual external pentest against OWASP Top 10; critical / high findings block launch and releases.
- Daily backups, 30-day retention, monthly restore-to-staging drill.
Need a DPA or custom review?
Email legal@capila.io. We respond within two working days and turn around most red-lined DPAs in five.