Compliance, by default
EU-hosted by default.
Not a setting.
Every Alleex Cloud app — from the first deploy — runs on EU infrastructure, ships GDPR-by-default modules, and produces a tamper-evident audit trail. No region toggle. No enterprise upsell. No DPF shortcut.
The contrast
Named, specific, verifiable
Differentiation by precision, not disparagement. Every claim is checkable. Lovable's SOC2/ISO certifications are real; the contrast is that Alleex Cloud is EU-native by default rather than EU-resident only after a per-project toggle.
| Dimension | Lovable | Vercel | Alleex Cloud |
|---|---|---|---|
| EU data residency | Region toggle (opt-in per project) | DPF + SCCs (US transatlantic mechanism) | EU-native by default, no toggle |
| GDPR in generated apps | Your responsibility | Hosting only — n/a | compliance-eu module composed in automatically |
| Audit log | Enterprise tier | Enterprise tier | Hash-chained, every app, every tier; Rekor witness |
| DSAR self-serve | — | — | Portal generated into every app |
| Certification | SOC2/ISO (held) | SOC2/ISO/PCI/HIPAA (held) | SOC2 in progress — target Q4 2026 |
| DPF reliance | Not stated | Explicitly listed | None — we do not rely on DPF |
Honest about our own exposure: customer app data stays in the EU (Neon per-tenant, Cloudflare EU, Better Auth). The Alleex Cloud builder dashboard itself uses US vendors (Vercel, Clerk) under SCCs — that is separate from customer app data, and documented below.
Data residency
Two zones, no false impressions
Your app data — EU-resident
Neon Postgres (Frankfurt, one project per app) · Cloudflare EU Workers + R2 · Better Auth (self-hosted in your DB, not Clerk) · Resend EU. Stored and processed in EU regions and does not leave the EU. Note that Neon, Cloudflare and Resend are US entities operating those EU regions and are covered by SCCs, as listed in the subprocessor table below.
Alleex Cloud platform — builder dashboard
Vercel + Clerk (US, SCCs) host the Alleex Cloud product itself — not your app data. Stated plainly, not hidden.
Alleex Cloud does not rely on the EU-US Data Privacy Framework (DPF) or Privacy Shield for any data transfer. Customer app data does not leave the EU.
Auditability
Tamper-evident, hash-chained audit log
Every state-changing action writes an append-only row whose hash covers the row's content and the previous row's hash (computed by a server-side Postgres trigger), so editing or deleting any row breaks every hash after it. Chain heads are periodically witnessed in Sigstore Rekor, a public transparency log. An insider who rewrites a row and recomputes the chain behind it is still caught, because the recomputed head no longer matches the witnessed one, and anyone holding the exported chain can check this without access to our database. Rows appended after the most recent witness entry are covered only once the next witness lands, so the witness cadence bounds the window in which a rewrite could go unnoticed. The chain is exportable as JSON/NDJSON with the Rekor index, in every app, every tier.
Private beta: live audit-event counts and the last Rekor timestamp will be surfaced here from the running system once live — never a fabricated counter.
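As an added illustration (this is not Alleex Cloud's code; the page does not publish its row schema or hash recipe, so the field layout, the SHA-256-over-canonical-JSON formula, the `(seq, hash)` witness shape and the sample events below are all assumptions), here is a verifier for an exported NDJSON chain, checked against an externally witnessed head of the kind a Rekor entry would hold. It also shows the boundary of what the witness buys you: a naive edit breaks the chain, an edit with recomputed hashes passes the chain check but fails the witness check, and an edit to a row appended after the last witness passes both until the next witness lands.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64
# Assumed row layout and hash recipe; the page does not publish the real schema.
HASHED = ("seq", "ts", "actor", "action", "payload", "prev_hash")


def row_hash(row):
    """SHA-256 over canonical JSON of every field except the row's own hash."""
    body = {k: row[k] for k in HASHED}
    enc = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(enc).hexdigest()


def append(rows, ts, actor, action, payload):
    """Append a row linked to the previous one (what the DB trigger would do)."""
    row = {"seq": len(rows) + 1, "ts": ts, "actor": actor, "action": action,
           "payload": payload, "prev_hash": rows[-1]["hash"] if rows else GENESIS}
    row["hash"] = row_hash(row)
    rows.append(row)
    return row


def rechain(rows, start_seq):
    """What an insider with write access does after editing a row:
    recompute every hash from start_seq onward so the links look consistent."""
    for i in range(start_seq - 1, len(rows)):
        rows[i]["prev_hash"] = rows[i - 1]["hash"] if i else GENESIS
        rows[i]["hash"] = row_hash(rows[i])


def verify_chain(rows, witness=None):
    """Return (ok, problem). witness = (seq, hash) as recorded in the public log."""
    prev = GENESIS
    for i, row in enumerate(rows):
        if row["seq"] != i + 1:
            return False, f"sequence gap before seq {i + 1}"
        if row["prev_hash"] != prev:
            return False, f"broken link at seq {row['seq']}"
        if row_hash(row) != row["hash"]:
            return False, f"hash mismatch at seq {row['seq']}"
        prev = row["hash"]
    if witness is not None:
        seq, h = witness
        if seq > len(rows) or rows[seq - 1]["hash"] != h:
            return False, f"seq {seq} does not match the witnessed head"
    return True, None


def load_ndjson(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_export():
    """Constructed sample: four events, witness taken after the third."""
    rows = []
    append(rows, "2026-01-10T09:00:00Z", "user:42", "project.create", {"id": "p1"})
    append(rows, "2026-01-10T09:05:00Z", "user:42", "member.add", {"id": "p1", "member": "user:7"})
    append(rows, "2026-01-10T09:20:00Z", "user:7", "secret.rotate", {"id": "p1", "name": "DB_URL"})
    witness = (3, rows[2]["hash"])  # the head that was pushed to the transparency log
    append(rows, "2026-01-11T08:00:00Z", "user:42", "member.remove", {"id": "p1", "member": "user:7"})
    return "\n".join(json.dumps(r, sort_keys=True) for r in rows), witness


def scenarios():
    export, witness = build_export()
    clean = load_ndjson(export)
    out = {"clean": verify_chain(clean, witness)}

    # 1. Edit one field and leave hashes alone: the chain itself catches it.
    naive = copy.deepcopy(clean)
    naive[1]["payload"]["member"] = "user:99"
    out["naive_edit"] = verify_chain(naive, witness)

    # 2. Edit and rechain a witnessed row: chain looks fine, witness catches it.
    rewritten = copy.deepcopy(clean)
    rewritten[1]["payload"]["member"] = "user:99"
    rechain(rewritten, 2)
    out["rewrite_no_witness"] = verify_chain(rewritten)
    out["rewrite_with_witness"] = verify_chain(rewritten, witness)

    # 3. Edit and rechain a row appended after the last witness: nothing
    #    catches it until the next witness lands, which is the exposure window.
    late = copy.deepcopy(clean)
    late[3]["actor"] = "user:7"
    rechain(late, 4)
    out["late_rewrite_with_witness"] = verify_chain(late, witness)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Scenario 3 is why the witness cadence matters more than the trigger: a superuser can disable a trigger and rewrite rows, and only the entries already anchored in the public log are beyond reach.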
Data subject rights
DSAR self-serve (GDPR Art. 15 / 17 / 20)
The compliance-eu module generates a DSAR portal into every app that processes personal data, covering access (Art. 15), erasure (Art. 17) and portability (Art. 20). Requests are verified by email token and fulfilled by a background job that calls each installed module's handler, with every step written to the hash-chained audit log. The one-month statutory response deadline (Art. 12(3)) is tracked as a 30-day window, and overdue requests are surfaced in the dashboard. Consent capture produces an Ed25519-signed receipt the data subject can verify offline.
Cookies
GDPR-valid consent, by default
Every app that installs a personal-data module gets a self-hosted consent banner (no third-party CDN consent script). Equal-prominence accept/reject, granular categories, consent stored with expiry and a version for re-consent. No analytics or marketing tag fires before consent. The composition engine rejects a plan that adds analytics without compliance-eu.
Transparency
Subprocessors (Alleex Cloud platform)
| Subprocessor | Role | Jurisdiction | Transfer |
|---|---|---|---|
| Neon | Database (control-plane + per-tenant app DB, EU-Frankfurt) | US entity · EU data region | SCCs |
| Cloudflare | Customer-app edge hosting + R2 storage (EU) | US entity · EU Workers | SCCs + EU Workers |
| Vercel | Builder/control-plane hosting | US | SCCs |
| Clerk | Builder dashboard auth (NOT customer-app users) | US | SCCs |
| Polar.sh | Merchant of record — Alleex Cloud subscription billing + EU VAT | EU-established MoR | No SCC required |
| Anthropic | LLM inference (build-time only; BYO-key removes this) | US | SCCs |
| Resend | Transactional email (EU region) | US entity · EU region | SCCs |
| PostHog | Product analytics (EU Cloud, consent-gated) | EU | EU-hosted — no transfer |
| Sentry | Error monitoring | US | SCCs |
| Better Stack | Uptime monitoring / logs | EU/US | SCCs where applicable |
| Trigger.dev | Background job orchestration | US/EU | SCCs |
| Infisical | Secrets management | US (self-hostable) | SCCs; self-host removes transfer |
| GitHub | Source code, CI | US (Microsoft) | SCCs |
| Sigstore / Rekor | Audit-chain transparency witness (SHA-256 hashes only) | Public log (Linux Foundation) | N/A — hashes only |
Customer-app subprocessors vary by installed modules and are published per-app in that app's generated privacy policy.
Status
Honest certification status
| Framework | Status | Notes |
|---|---|---|
| GDPR | Architectural default (not a legal certification) | Stack defaults (EU residency, DSAR portal, consent banner, audit trail) are built to meet GDPR requirements; privacy policy + DSAR portal generated per app. Not legal advice. |
| SOC 2 Type 2 | In progress — target Q4 2026 | Audit not complete. No SOC2 badge shown until the report is issued. |
| ISO 27001 | Roadmap — after SOC2 | No date committed. |
| EU AI Act | Module-level risk register | compliance-eu generates an AI-Act risk register per app. |
| DPF / Privacy Shield | Not relied upon | Alleex Cloud does not use DPF for any transfer. US vendors covered by SCCs. |
| HIPAA / PCI | Not in scope for V1 (PCI via Stripe in customer apps) | US healthcare data is not a launch target. |
We state status honestly rather than display badges we have not earned. This table updates as certifications are issued.
Need a DPO conversation before you sign up?
This page describes Alleex Cloud's technical and organisational measures. It is information, not legal advice — consult your DPO or counsel for your specific obligations.