Trust & Security
1. Where your data lives
Client data submitted to SAMRoute lives within the European Union, on our own off-cloud production infrastructure in Ille-et-Vilaine, France (Brittany). Development and testing environments run on the same site, alongside production.
OVHcloud (in France) currently carries the web-front and CDN layer (the user-facing pages). The production facility remains off-cloud by design. Customers preferring an opex/SaaS arrangement can request a cloud-hosted deployment on OVHcloud, which we extend on written agreement.
2. Authentication and logging
Access to the portal goes through standard authentication. Standard application logs record requests and errors for operational monitoring and post-incident analysis. The credentials each customer uses stay personal to their account. Any access through those credentials counts as the customer's action under the Terms of Service.
3. Sub-processors
Operating SAMRoute requires a small number of third parties acting under our instructions. They follow equivalent confidentiality and security obligations.
| Sub-processor | Role | Region |
|---|---|---|
| OVHcloud | Web-fronts and CDN today; scope may extend to production hosting under customer notice | France |
| Stripe | Payment processing for billing | EU / Ireland |
| Mailgun | Transactional and operational email | EU (mailgun.eu) |
Customers can request the up-to-date list at any time via the legal channel below, and we aim to notify material changes before they take effect.
4. Retention and deletion
We retain customer data for the duration of the engagement and during the export window that follows the end of the contract. After that window, data is removed from active environments as part of the standard archival cycle. Backups follow the same cycle. The Data deletion page describes how to request earlier removal of personal data, including under GDPR Article 17.
5. Data Processing Agreement
We make a Data Processing Agreement (DPA) available on request for customers acting as data controllers. It specifies the purposes, the categories of data, the security measures, the retention periods, and the procedures for exercising data-subject rights. Requests go to legal@oriskami.com.
6. Incident response
If a personal-data breach affects customer data, we notify the affected customer as soon as possible so that they can comply with their own legal obligations. Send reports of suspected vulnerabilities, anomalies, or misuse to security@samroute.com, and we monitor that mailbox. As the practice grows, we will publish a /.well-known/security.txt advertising the same address.
7. Standards and certifications
The security work behind SAMRoute follows the controls described on this page and in the contractual documents. We state formal certifications explicitly when we obtain them, with date and certifying body. The page therefore reflects the current standing at any moment. It lists the controls in force today, and certifications will appear here as we achieve them.
8. Reach us
For privacy, GDPR, or DPA matters, write to legal@oriskami.com. For security reports or incident notifications, write to security@samroute.com. We monitor both addresses.