Skip to content
Pactaly
Join Waitlist

Security & data protection.

Four principles that shaped Pactaly from day one: EU-only residency, encryption-at-rest, GDPR as architecture, and metadata-only mode.

Security & GDPR

Your contracts don’t leave the EU. Ever.

We built Pactaly from day one on EU-only infrastructure. Not "EU option available" — EU only. Because every other choice forces GDPR compromises we’re not willing to make.

EU-only data residency

Hetzner Frankfurt for servers, Cloudflare R2 EU for files, Upstash EU for queues. Zero US cloud providers in the critical path. Every byte of your data stays within the European Economic Area — verifiable via our Data Processing Addendum.

Encrypted at rest

AES-256 encryption for all uploaded files. Per-tenant encryption keys rotated every 90 days. Access logs retained for 90 days and exportable on request.

GDPR by design

DPA ready at signup, naming every sub-processor. Data export in one click (JSON or CSV). Right-to-be-forgotten executed within 48 hours across all storage layers — including backups.

Metadata-only mode

After extraction, you can delete the source PDF. Pactaly keeps only the fields (dates, counterparties, amounts). Your contract text never touches our servers long-term. Unique in the EU market.

Read our full security overview

Sub-processors

We use a minimal, auditable set of EU-based sub-processors:

  • Hetzner Online GmbH (Germany) — application servers, Frankfurt region.
  • Cloudflare, Inc. (EU subsidiary) — CDN, DNS, R2 object storage in EU.
  • Upstash, Inc. (EU region) — managed Redis for queues and cache.
  • Resend (EU region) — transactional email for reminders and notifications.
  • Stripe Payments Europe, Ltd. (Ireland) — subscription billing.
  • Mistral AI (Scaleway EU) — LLM for contract field extraction. Input data is not used for model training.
  • Sentry (EU region) — error monitoring. No customer data is sent.

The full, versioned list lives in our DPA. Changes are notified 30 days in advance by email.

What we don’t use

  • No US-hosted storage in the critical data path.
  • No OpenAI direct integration (only EU-hosted LLMs).
  • No Google Analytics, Facebook Pixel, LinkedIn Insight Tag.
  • No cookies on the marketing site, except strictly necessary session cookies inside the app.

Incident response

If we detect a security incident affecting your data, you will be notified within 72 hours as required by GDPR Article 33, with details about the scope, impact, and remediation.

Responsible disclosure

Found a vulnerability? Email [email protected]. We respond within 48 business hours and credit reporters in our security page (with permission).

Early access

Stop chasing renewal dates. Start sleeping better.

Join the Pactaly waitlist for early access + 50% off the monthly price forever. We’ll email you once a month with updates.

No payment required. Unsubscribe any time.

We store your email only to keep you updated about Pactaly. Never sold, never spammed. Data stored in the EU. Delete any time by replying to a welcome email.