Compliant by construction
GDPR compliance in Alleex Cloud is not a setting or a checklist item. It is architectural: EU residency, audit log, DSAR portal, and cookie consent are composed in at build time — the engine enforces them.
The model
Why construction, not configuration
Most app builders treat compliance as a configuration concern — you toggle a GDPR flag, you pick an EU region, you remember to install a cookie consent library. Alleex Cloud treats compliance as an architectural constraint enforced at compose time.
Concretely: the composition engine will not produce a plan that includes an analytics module without also including compliance-eu. It will not generate an app that runs outside the EU. It will not skip the DSAR handler for a module that processes personal data. These are not rules you configure — they are invariants the engine enforces.
The result: every app that comes out of Alleex Cloud starts from the same compliance baseline. You can tighten it further; you cannot weaken it below the baseline.
Coverage
The five compliance pillars
EU data residency — default, not a toggle
ADR-0001
Every app runs on EU infrastructure: Neon Postgres (Frankfurt, one project per app), Cloudflare EU Workers and R2, Better Auth self-hosted in your database. Your app data does not leave the EU. There is no region toggle — EU residency is the only option for app data.
Hash-chained audit log — every tier
compliance-eu module
Every state-changing action writes an append-only row whose hash chains to the previous row (server-side Postgres trigger). Chain heads are periodically witnessed in Sigstore Rekor — a public transparency log — so retroactive alteration is detectable by any third party. Exportable as JSON/NDJSON with the Rekor index, in every app, every tier.
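The chain walk an auditor runs over such an export, as an added example (not Alleex Cloud code; the row fields and the NDJSON layout are assumptions): recomputing each row's hash catches edits and deleted rows, while comparing the final hash with a witnessed head, the role Rekor plays here, is what catches truncation of the tail.

```python
import hashlib
import json

# Added example, not Alleex Cloud code. The row fields (seq, actor, action,
# subject, prev_hash, hash) and the NDJSON export layout are assumptions.
GENESIS = "0" * 64  # prev_hash of the first row

def row_hash(prev_hash, row):
    """SHA-256 over the previous row's hash plus this row's canonical JSON."""
    content = {k: v for k, v in row.items() if k != "hash"}
    payload = json.dumps(content, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode()).hexdigest()

def append(log, actor, action, subject):
    """Append-only write: the new row commits to the previous row's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    row = {"seq": len(log) + 1, "actor": actor, "action": action,
           "subject": subject, "prev_hash": prev}
    row["hash"] = row_hash(prev, row)
    log.append(row)
    return row

def build_sample_log():
    """Constructed sample of three state-changing actions."""
    log = []
    append(log, "admin@example.test", "user.create", "u-101")
    append(log, "u-101", "consent.grant", "analytics")
    append(log, "u-101", "dsar.erasure", "u-101")
    return log

def export_ndjson(rows):
    return "\n".join(json.dumps(r, sort_keys=True) for r in rows)

def verify_chain(ndjson_text, witnessed_head=None):
    """Return (ok, first_bad_seq). Recomputing each hash catches edits and
    deleted middle rows; comparing the final hash with a witnessed head (the
    role Rekor plays) also catches truncation, which a self-consistent chain
    cannot reveal on its own."""
    prev, last_seq = GENESIS, 0
    for line in ndjson_text.splitlines():
        row = json.loads(line)
        if row["prev_hash"] != prev or row_hash(prev, row) != row["hash"]:
            return False, row["seq"]
        prev, last_seq = row["hash"], row["seq"]
    if witnessed_head is not None and prev != witnessed_head:
        return False, last_seq
    return True, None
```

A truncated export verifies cleanly without the witnessed head, which is why the witness step matters and why the head must be obtained from the transparency log rather than from the export itself.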
DSAR self-serve portal — GDPR Art. 15 / 17 / 20
compliance-eu/dsar.ts
The compliance-eu module generates a DSAR portal into every app that processes personal data: access, portability, and erasure. Verified by email token, fulfilled by a background job that calls each module's handler. Every step is hash-chained. The 30-day fulfilment window is tracked; overdue requests are surfaced in the dashboard.
Cookie consent — GDPR-valid by default
compliance-eu module
Every app that installs a personal-data module gets a self-hosted consent banner — no third-party CDN consent script. Equal-prominence accept/reject, granular categories, consent stored with expiry and a version for re-consent. No analytics or marketing tag fires before consent. The composition engine rejects a plan that adds analytics without compliance-eu.
Signed consent receipts
compliance-eu module
Consent capture produces an Ed25519-signed receipt the data subject can verify offline. The receipt includes the consent version, categories, timestamp, and a reference to the relevant privacy policy version.
Scope
What is and is not covered
| Area | Status | Notes |
|---|---|---|
| GDPR Art. 5 — Lawful basis | Covered | Consent capture with signed receipts; compliance-eu enforces lawful-basis documentation per module. |
| GDPR Art. 13 / 14 — Transparency | Covered | Privacy policy generated per-app, updated when modules change. Subprocessors listed per-app. |
| GDPR Art. 15 / 20 — Access & portability | Covered | DSAR portal generated per-app; export as JSON. |
| GDPR Art. 17 — Erasure | Covered | Erasure request handled by each module's dsarHandler; hash-chained deletion record kept. |
| GDPR Art. 32 — Security | Covered | Hash-chained audit log, Rekor witness, encrypted at rest (Neon), TLS in transit. |
| EU AI Act — Risk register | Covered | compliance-eu generates an AI-Act risk register per app when an AI module is composed. |
| SOC 2 Type 2 certification | Roadmap / not in scope | In progress — target Q4 2026. No badge until report is issued. |
| ISO 27001 certification | Roadmap / not in scope | Roadmap — after SOC 2. No date committed. |
| HIPAA | Roadmap / not in scope | Not in scope for V1. US healthcare data is not a launch target. |
This table describes Alleex Cloud's technical and organisational measures. It is information, not legal advice — consult your DPO or counsel for your specific obligations.
Data transfers
No DPF reliance
Alleex Cloud does not rely on the EU-US Data Privacy Framework (DPF) or Privacy Shield for any data transfer. Your app's data does not leave the EU.
The Alleex Cloud builder dashboard itself uses US vendors (Vercel, Clerk) under Standard Contractual Clauses — that is separate from your app data, and stated plainly on the compliance page. We surface our own US-vendor exposure rather than hiding it.
Questions your DPO will ask
The full compliance page has the subprocessor table, data residency breakdown, certification status, and a contact for DPO conversations.
This page describes Alleex Cloud's technical and organisational measures. It is information, not legal advice.