EU-only email delivery, encryption everywhere, transparent sub-processors, and GDPR compliance by design. Everything your procurement team needs in one place.
All email delivery is processed in AWS SES eu-west-1 (Ireland). Email content never leaves the European Economic Area for delivery purposes.
Application database hosted in Supabase eu-central-1 (Frankfurt). Delivery metadata, account data, and event logs stay in the EU.
SES Ireland primary, Brevo France failover. Both providers operate within the EU. Circuit breakers route around unhealthy providers automatically.
Hosted on Vercel with EU edge compute. API requests are processed at the nearest edge location; SCCs govern any non-EU processing.
All API traffic is encrypted with TLS. SMTP delivery uses opportunistic TLS with STARTTLS.
All stored data — delivery metadata, account data, event logs — is encrypted at rest with AES-256.
API keys are hashed with SHA-256 before storage. Plain-text keys are shown once at creation and never stored.
All webhook payloads are signed with HMAC-SHA256. Verification is documented in the manual.
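Receiver-side check for the HMAC-SHA256 webhook signatures described above, as an added example that is not the provider's own code. The hex signature encoding, the secret, and the sample event body are assumptions constructed for illustration; the manual defines the actual header name and format.

```python
import hashlib
import hmac
import json

# Assumption: the signature is hex(HMAC-SHA256(secret, raw_body)).
# The real header name and encoding are defined in the provider's manual.


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over the exact bytes put on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, signature_hex) -> bool:
    """Receiver side: recompute over the raw body, compare in constant time."""
    try:
        received = bytes.fromhex(signature_hex.strip())
    except (ValueError, AttributeError):
        return False  # missing or non-hex signature value
    if len(received) != hashlib.sha256().digest_size:
        return False  # truncated or padded signature
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, received)


def reserialized(raw_body: bytes) -> bytes:
    """What a handler sees if the framework parses JSON and re-encodes it."""
    return json.dumps(json.loads(raw_body)).encode()


# Constructed sample data (not real secrets or real events).
SAMPLE_SECRET = b"whsec_constructed_example"
SAMPLE_BODY = b'{"event": "email.bounced",  "id": "evt_123"}'  # double space
SAMPLE_SIG = sign_payload(SAMPLE_SECRET, SAMPLE_BODY)

if __name__ == "__main__":
    # Raw bytes as received: signature verifies.
    print("raw body:", verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_SIG))
    # Same JSON after a parse/re-encode round trip: whitespace changed, fails.
    print("re-encoded:", verify_webhook(
        SAMPLE_SECRET, reserialized(SAMPLE_BODY), SAMPLE_SIG))
    # Signature cut to 16 bytes: rejected before any comparison.
    print("truncated:", verify_webhook(
        SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_SIG[:32]))
```

Verify against the request body bytes exactly as received, before any JSON parsing; a body that was parsed and re-encoded can differ in whitespace or key order and will fail the check.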

| Data type | Retention | Notes |
|---|---|---|
| Email content | 7 days | Processed in transit; stored only for delivery retry window |
| Delivery metadata | 90 days | Bounce codes, delivery timestamps, complaint flags |
| Engagement data | 90 days | Open and click events (if tracking enabled) |
| Account data | Active + 30 days | Deleted within 30 days of account termination |
| Billing records | 7 years | Required by Dutch law |

| Provider | Purpose | Location | Transfer basis |
|---|---|---|---|
| AWS SES | Email delivery | EU (eu-west-1, Ireland) | No international transfer |
| Supabase | Database | EU (eu-central-1, Frankfurt) | No international transfer |
| Clerk | Authentication | United States | SCCs |
| Stripe | Payments | United States | SCCs |
| Vercel | Application hosting | US / EU edge | SCCs |

Changes to this list are communicated in advance per DPA Section 9. Enterprise customers requiring a countersigned DPA can request one at legal@truncus.co.
Van Moose BV is registered in Amsterdam, Netherlands (KvK: 97411698). We process data under GDPR Article 28 as a data processor.
In the event of a data breach affecting customer data, we notify within 72 hours per GDPR Article 33.
We assist with access, rectification, erasure, restriction, portability, and objection requests within 72 hours.
Real-time delivery metrics, provider health, and platform status are available at truncus.co/status, which also exposes a JSON API.
Contact us at security@truncus.co or legal@truncus.co for procurement inquiries.