Trust, security & legal

How TapPass protects your data, our security and compliance posture, and every legal document in one place. Built in the EU, for AI you can put into production with confidence.

At TapPass, trust is built into everything we do. From our EU infrastructure to how we handle every action an AI takes, the platform is designed to meet a high bar for security, data protection and compliance. This trust center gives you direct access to the policies, practices and safeguards that protect your data, together with every legal document in one place. We run our own operations on TapPass every day, and extend the same protection to you.

Message from our CEO
"AI that takes action deserves the same accountability we expect from people. We built TapPass so every agent stays under your rules, on the record, and in the EU. Trust is earned through transparency and rigorous practice, and by running our own AI under TapPass, every single day."
Jens Bontinck · Cofounder & CEO, Cogniqor BV

The essentials

Hosting
Hosted in the EU
Data protection
GDPR (Regulation 2016/679)
AI regulation
Built for the EU AI Act
Legal entity
Cogniqor BV
Registered in
Antwerp, Belgium
VAT / KBO
BE 1033.796.306
Service status
Data protection officer
Security contact

Legal documents

The agreements and notices that govern your use of TapPass.

Security

How we protect your data and every action your agents take, by default.

EU-only hosting

Hosted on Google Cloud in Belgium (europe-west1). Your data stays in the European Union, end to end.

Encryption everywhere

TLS in transit and AES-256 at rest. Secrets and model keys are sealed with envelope encryption in Cloud KMS, scoped per organisation.

Tenant isolation

Every organisation's data is isolated at the database layer with row-level security, so one customer can never reach another's.

Tamper-evident audit

Every action an agent takes is written to a hash-chained, append-only audit trail you can verify end to end.

Access control

Access to production is role-based and least-privilege, with multi-factor authentication on administrative accounts and periodic access reviews.

Secure development

Changes go through peer review, automated dependency and security scanning, and CI checks before they reach production.

Resilience & continuity

Keeping the service available, and your data recoverable.

TapPass runs on managed, redundant cloud infrastructure in the EU. The production database is backed up automatically every day, with point-in-time recovery, and recovery is tested periodically. We maintain documented business-continuity, disaster-recovery and incident-response plans, and publish live uptime and incident history on our status page.

Backups
Daily, automated
Recovery
Point-in-time
Infrastructure
Redundant EU cloud

How we handle your data

TapPass is built and hosted in the European Union. For the data your agents send through the platform, you are the controller and TapPass acts as a processor on your instructions, under a Data Processing Agreement. For your account and the data you give us directly, such as billing and contact details, TapPass is the controller.

Your data stays yours. We process it to provide and secure the service, and we do not sell it. Where we rely on subprocessors, they are listed on our trust portal and bound by equivalent obligations.

For the full detail, including legal bases, retention periods, international transfers and how to exercise your rights, see the Privacy Policy. Data processing terms for customers are set out in our Data Processing Agreement; a signed counterpart is available on request via dpo@tappass.ai.

Subprocessors

The third parties that may process data to help us run TapPass. Each link opens that provider's data-processing terms in a new tab.

ProviderPurposeRegion
Google CloudGoogle Cloud Application hosting and database EU (Belgium)
CloudflareCloudflare Edge security, CDN and TLS EU and global edge
ResendResend Transactional email United States
PostHogPostHog Product analytics EU
SentrySentry Error monitoring EU
OpenAI Powers the in-product assistant (Jorge) United States
GoogleGoogle (sign-in) Single sign-on, when you enable it Global
Microsoft (sign-in) Single sign-on, when you enable it Global
Additional AI model providers, engaged only when you enable that model with your own key (BYOK). Your prompts are never used to train any model.
AnthropicAnthropic Model inference, on activation United States
Google GeminiGoogle Gemini Model inference, on activation United States
Mistral AIMistral AI Model inference, on activation EU (France)
GqGroq Model inference, on activation United States
DeepSeekDeepSeek Model inference, on activation China
KiMoonshot (Kimi) Model inference, on activation China
MiniMaxMiniMax Model inference, on activation China
Alibaba QwenAlibaba (Qwen) Model inference, on activation China

We give advance notice before adding a new subprocessor. Tools we use to run our own business (for example code hosting, CRM and monitoring) process our data, not the data you put into TapPass, and are described in our Privacy Policy.

Request documents

Some documents we share on request, usually under a mutual NDA. We respond quickly.

Compliance & data protection

The frameworks TapPass is built around, and the programme behind them.

TapPass is designed around the EU's data-protection and AI rules. We maintain a Record of Processing Activities, run Data Protection Impact Assessments for higher-risk processing, operate a documented personal-data breach procedure with 72-hour notification, and make a Data Processing Agreement available to every customer. We never use your data to train AI models.

GDPR EU AI Act EU data residency Belgian Code of Economic Law DPA available DPIA & RoPA 72-hour breach notification No training on your data

A question about trust, privacy or legal?

Whether you need a signed DPA, a security review or a specific document for procurement, we are quick to respond.