Trust Center
Last updated: May 2, 2026
Compliance posture, sub-processors, data residency, and evidence library for procurement reviews. PortalPilot by NordScope — built and hosted in the EU.
Compliance posture
- GDPR Article 28 — in force via our Data Processing Agreement.
- EU Cloud Code of Conduct (Self-Attestation) — self-attested.
- ISO 27001 (Annex A self-attestation) — in force; statement of applicability published.
Standards & frameworks
We maintain self-attestation against publicly published frameworks. Validation by independent third parties is on the Phase 2 roadmap below.
- EU Cloud Code of Conduct (Phase 1 self-attestation; Level 1 declaration deferred to Phase 2).
- ISO 27001:2022 Annex A controls (93 controls authored, self-attestation; SOC 2 Type II readiness review on roadmap).
- GDPR Articles 28, 32, 33 — in force.
Data residency
All customer data is processed and stored in Hetzner Finland (eu-helsinki1). AI inference runs on Mistral AI in Paris. No US data storage. No US sub-processors. See /sub-processors for the full list.
Data flows & PII
PortalPilot accesses your HubSpot portal read-only via OAuth 2.0 (write scopes used only for customer-approved cleanup actions). We sample contact, company, deal, and ticket records to compute diagnostic scores; results are stored in our self-hosted Supabase database. We retain analysis results for 12 months from last analysis and delete on request within 30 days.
Personal data is encrypted at rest (AES-256-GCM) and in transit (TLS 1.2+). We provide breach notification within 72 hours of becoming aware, per GDPR Article 33. Supervisory authority: Office of the Data Protection Ombudsman, Finland.
Sub-processors
We engage sub-processors for hosting, AI inference, and operational tooling. All are bound by data processing agreements equivalent to ours. Changes are notified at least 30 days in advance. View canonical list →
Independent testing
- External penetration test — In progress — Q3 2026 target.
- Cyber Essentials Plus certification — In progress — Q3 2026 target.
Evidence library
- Data Processing Agreement (in force)
- Privacy Policy (in force)
- Terms of Service (in force)
- Sub-processors list (in force)
- Security details (in force)
- EU Cloud CoC self-attestation (in force)
- ISO 27001 Annex A statement of applicability (in force)
- CAIQ v4.0.3 pre-fill: PDF · CSV · CSA licence. Last reviewed: 2026-05-04
- NordScope Security FAQ (PDF, in force)
- Status page (status.portalpilot.io) — [planned — see WS-07]
- Evidence metadata (evidence.portalpilot.io) — [planned — see WS-06]
- MFA AAL2 enforcement posture — [planned — see WS-08]
- Token rotation visibility — [planned — see WS-09]
Request a security review
Need additional artefacts (SOC 2 Type II readiness statement, custom DPA, scoped pen test summary)? Email security@portalpilot.io and we will respond within 2 business days.