Trust center
MLtitude trust center.
Last updated · 15 May 2026
The single starting point for security, risk, and procurement teams. Everything we publish — privacy notice, security overview, DPA, sub-processors, model and data governance, compliance posture, responsible disclosure — is linked below.
Reviewing MLtitude? If you need something we haven't published, email info@edothsoft.com.
The short version
- Data residency. Customer content is hosted in the European Union (Hetzner, Germany).
- Encryption. TLS 1.2+ in transit; AES-256 at rest at the storage layer.
- No training on your content. Briefs, documents, modules, decks, and learner data are never used for model training — by us or by our sub-processors.
- Sub-processors are listed and dated. See Sub-processors. We announce changes 30 days in advance.
- You can sign a DPA. See the Data Processing Agreement. Standard Contractual Clauses (Decision 2021/914) are incorporated by reference.
- You retain your data. You can export it any time and request deletion at info@edothsoft.com; we delete it from active systems within 30 days and from backups within 90.
- Honest about what we are. We are GDPR-aligned. We are not SOC 2 or ISO 27001 certified today. Our roadmap is below.
Documents and pages
- Privacy notice. What personal data we collect, why, and the rights you have over it. (Data subjects, DPOs)
- Terms of service. The contract that governs use of the Service. (Procurement, legal)
- Data Processing Agreement. Article 28 DPA with Standard Contractual Clauses incorporated by reference. Signable. (Legal, DPOs)
- Security overview. Where your data lives, how it's encrypted, access control, and incident response. (Security, CISO)
- Sub-processors. The full, dated list of vendors that touch customer data, with 30-day change notice. (DPOs, vendor risk)
- Acceptable Use Policy. The rules for using MLtitude responsibly. (All customers)
- Data & model governance. Which model providers we use, what's sent in prompts, retention, and no-training commitments. (Security, governance)
- Compliance posture. What we're compliant with today, and what we aren't. Honestly. (Procurement, audit)
- Security questionnaire (pre-filled). Most of what your vendor-risk spreadsheet asks, already answered and printable. (Vendor risk)
- Responsible disclosure. How to report a security vulnerability and what we commit to in return. (Security researchers)
For financial services reviewers
Most of our customers are corporate L&D teams inside regulated financial-services organisations. The points below are the answers we are most often asked during third-party risk assessment.
Data residency & cross-border transfers
- Customer content is stored on Hetzner Online GmbH infrastructure in Germany (Falkenstein and Nuremberg regions).
- Database backups are encrypted and held in the same region.
- Model-provider calls (currently OpenAI) constitute a transfer to the United States. Standard Contractual Clauses are in place; zero-retention is enabled where the provider offers it.
- Customer data is never replicated outside the EU for analytics or training purposes.
Model usage and prompt handling
- The model providers we use are listed and dated on the sub-processors page.
- Prompts contain only the brief and parameters needed to fulfil the request. We do not embed authenticated user identifiers or customer-account metadata into prompts.
- Outputs are stored alongside the originating document in your tenant; they are not sent back to the provider for training or evaluation.
- We do not fine-tune or retrain any model on customer content.
- See Data & model governance for full detail.
Access controls
- Production access is limited to a small set of authorised engineers, governed by SSH key + role.
- Database access is logged. Application access by MLtitude personnel to a specific customer tenant requires support context and is auditable.
- Customer-side: role-based access (super admin, org admin, member, trainer, trainee) with org-scoped isolation.
Incident notification
- We notify affected customers of a confirmed security incident without undue delay, and in any case within 72 hours, in line with Article 33 GDPR — see the DPA, Section 6.
- The named contact for incident notification is your account's organisation admin.
Right to audit
Customers on commercial agreements may request audit information (sub-processor list, security questionnaire responses, penetration-test summary when available) under the terms of the DPA. We do not offer on-site audits at present. Contact info@edothsoft.com with a formal request.
Compliance posture, honestly
We don't claim certifications we don't hold. Today we are GDPR-aligned by design (EU data residency, lawful-basis-by-purpose, signable DPA, sub-processor transparency, right-to-erasure workflow). We are not currently SOC 2, ISO 27001, or HIPAA certified, and we are not pursuing those certifications on a published timeline. The compliance page sets out what is in place today and what's on the roadmap.
Contacts
For security incidents and vulnerability reports, data-subject requests (access, erasure, portability), legal and DPA signature, vendor questionnaires, and general queries, email info@edothsoft.com.
The legal entity
The MLtitude Service is operated by Edoth Electronics, a private limited company incorporated in India, with its registered office in Hyderabad, Telangana. Edoth Electronics is the data controller for personal data we collect about customers, and the data processor for content customers submit to the Service. Standard Contractual Clauses govern any data transfer outside the European Economic Area.
Policy changes
Material changes to the documents linked above. Newest first. This is the public log a governance reviewer can use to verify "what's changed since I last read this".
- 2026-05-15 · Trust center
Published the Trust Center, Data & Model Governance, Compliance Posture, Responsible Disclosure, and pre-filled Security Questionnaire pages.
Centralising what governance, risk, and procurement teams ask about so reviewers can find it in one place.
- 2026-05-15 · Contacts
Consolidated trust-related contact to info@edothsoft.com for vulnerability reports, questionnaires, data-subject requests, and DPA execution.
- 2026-05-15 · Audit log
Org admins can now export the full audit log for their workspace as CSV from Workspace → Activity. The export contains all events, not just the visible page.