Last updated 2026-07-13
Security and hosting: where your data lives and how it is protected
Security and hosting questions deserve straight answers, so this page states our posture plainly, including what we do not yet have. If your vendor-risk process needs more, ask us for a vendor risk packet through contact support.
Where your data is hosted
Your organization's data is stored and processed in the European Union, on managed European cloud infrastructure. MetaFrazo does not run its own data centers for customer data.
- Data at rest stays in the EU on a managed European cloud platform.
- AI analysis on the default MetaFrazo AI engine is processed in the EU by a single European AI provider, under a contractual zero-retention and no-training term: your data is not retained by the provider and is never used to train a model. The EU location reflects how that provider operates the service.
- The dashboard is served from a global content-delivery edge that holds no customer data at rest.
The complete, current list of the third parties that process data on our behalf (our sub-processors) is maintained in your account under Terms and policies. We keep that list as the single source of truth rather than restating vendor names here, so it never goes stale.
Which certifications MetaFrazo holds
We under-claim on purpose. The honest answer today:
- MetaFrazo itself holds no security certification of its own: not ISO 27001, not SOC 2. We will state a certification here only once it is actually held, never before.
- Our European infrastructure providers are ISO 27001-certified. That covers the platforms our service runs on, not MetaFrazo the application. We describe it at that level and do not imply a certification we do not hold.
If anything, in the product or elsewhere, told you that MetaFrazo is ISO 27001- or SOC 2-certified, or that it runs on a specific US cloud, that is incorrect. Please rely on this page and on Terms and policies.
GDPR and your data rights
MetaFrazo is operated in line with the EU General Data Protection Regulation (GDPR).
- Roles. We act as the data controller for your account, billing, and administrative data, and as a data processor for the Jira content and events we analyze on your behalf.
- Residency. Our own processing, including the default MetaFrazo AI analysis, takes place within the EU/EEA, so it needs no international-transfer mechanism. A transfer outside the EEA arises only from your own choices, such as opting into a non-EU AI provider.
- Data Processing Agreement. A DPA is available on request and is incorporated into our Terms; see Terms and policies.
- Your rights. You can erase your account and its data yourself from Profile, Danger Zone (see Delete my account); a full data export is available on request through support.
- Minimization. Data sent for AI analysis is pseudonymized: it does not include names or email addresses.
MetaFrazo supports your compliance efforts but does not by itself guarantee regulatory compliance, and it is not a full end-to-end compliance platform. For the evidence it does produce, see GDPR, NIS2, DORA: what does MetaFrazo give me?.
Tenant isolation
Your data is scoped to your organization at the database level, so other MetaFrazo customers cannot see it regardless of what the application does. This is our single highest-priority control, covered in depth in How is my organization's data isolated from other tenants?.