Caugia is an EU-first product. Customer data at rest and in transit stays inside the European Union except for the final Sophie prompt payload, which is transmitted to Anthropic under a zero-retention, no-training agreement. The full list of subprocessors is below.
Where data is stored
The primary Postgres database and file storage run in Supabase eu-central-1 (Frankfurt). Static assets and Next.js functions run on Vercel’s EU edge. Backups and point-in-time recovery snapshots are stored in the same region.
LLM inference
Sophie calls Anthropic’s Claude API in the United States. Prompts are constructed server-side and redact workspace identifiers before outbound. Anthropic does not retain prompt content and does not train models on it under our contract. For customers who require strict EU-only processing, Sophie can be disabled per workspace while the deterministic scoring engine continues to function.
Subprocessors
Current subprocessors and their roles:
| Subprocessor | Purpose | Region | DPA |
|---|---|---|---|
| Supabase | Managed Postgres, Storage, Auth | EU (eu-central-1, Frankfurt) | Signed |
| Vercel | Next.js hosting, CDN | EU edge | Signed |
| Anthropic | LLM inference for Sophie | US (zero retention, no training) | Signed |
| Stripe | Billing, invoicing | EU (Ireland) | Pending signature |
| Resend | Transactional email delivery | EU | Pending signature |
Change notifications
We notify design-partner customers by email at least 30 days before adding or removing a subprocessor. The change log is maintained in this page and in SECURITY.md.
Last updated 2026-04-24.
← Back to trust hub