EU-only email delivery, encryption everywhere, transparent sub-processors, and GDPR compliance by design. Everything your procurement team needs in one place.
All email delivery is processed in AWS SES eu-west-1 (Ireland). Email content never leaves the European Economic Area for delivery purposes.
Application database hosted in Supabase eu-central-1 (Frankfurt). Delivery metadata, account data, and event logs stay in the EU.
Outbound email sends via AWS SES in Ireland (eu-west-1). Circuit breakers detect failures fast and surface the exact error — no silent failures.
Hosted on Vercel with EU edge compute. API requests are processed at the nearest edge location; SCCs govern any non-EU processing.
All API traffic is encrypted with TLS. SMTP delivery uses opportunistic TLS with STARTTLS.
All stored data — delivery metadata, account data, event logs — is encrypted at rest with AES-256.
API keys are hashed with SHA-256 before storage. Plain-text keys are shown once at creation and never stored.
All webhook payloads are signed with HMAC-SHA256. Verification is documented in the manual.
| Data type | Retention | Notes |
|---|---|---|
| Email content | 7 days | Processed in transit; stored only for delivery retry window |
| Delivery metadata | 90 days | Bounce codes, delivery timestamps, complaint flags |
| Engagement data | 90 days | Open and click events (if tracking enabled) |
| Account data | Active + 30 days | Deleted within 30 days of account termination |
| Billing records | 7 years | Required by Dutch law |
| Provider | Purpose | Location | Transfer basis |
|---|---|---|---|
| AWS SES | Email delivery | EU (eu-west-1, Ireland) | No international transfer |
| Supabase | Database | EU (eu-central-1, Frankfurt) | No international transfer |
| Clerk | Authentication | United States | SCCs |
| Stripe | Payments | United States | SCCs |
| Vercel | Application hosting | US / EU edge | SCCs |
Changes to this list are communicated in advance per DPA Section 9. Enterprise customers requiring a countersigned DPA can request one at legal@truncus.co.
Van Moose BV is registered in Amsterdam, Netherlands (KvK: 97411698). We process data under GDPR Article 28 as a data processor.
In the event of a data breach affecting customer data, we notify within 72 hours per GDPR Article 33.
We assist with access, rectification, erasure, restriction, portability, and objection requests within 72 hours.
Real-time delivery metrics, provider health, and platform status available at truncus.co/status with a JSON API.
Contact us at security@truncus.co or legal@truncus.co for procurement inquiries.
Start free