Trust Center
Compliance evidence for EU-facing AI workflows.
Corelyx is built around EU-first automation controls: data-flow visibility, human approval gates, run-level audit trails, DPA and subprocessor transparency, EU-only mode for eligible workflows, and AI Act-ready controls. Final compliance depends on use case, configuration, customer role, and the providers a workspace enables.
Security overview
Technical and organisational measures, vulnerability disclosure, incident handling, and audit status.
GDPR DPA
Article 28 processor terms for business customers.
Subprocessor registry
Structured provider, purpose, region, DPA, SCC, retention, and transfer-basis information.
Data residency matrix
EU-first infrastructure, EU-only mode boundaries, and known third-country transfer risks.
AI Act readiness
Risk classification support, human oversight, transparency notices, audit logs, and exports.
Privacy policy
Controller notice, data categories, legal bases, transfers, retention, and rights.
Impressum
Legal identity, responsible contact, security contact, data-protection contact, and contracting entity.
DPIA template
A customer-facing template for higher-risk workflow assessments.
Technical and organisational measures
TLS in transit and provider-managed encryption at rest.
Server-side credential access through established token and Vault helpers.
Workspace and program access checks with role-based permissions.
Human approval gates for sensitive AI and external-system actions.
Execution metadata, payload minimisation, retention jobs, and secret redaction.
Internal web-to-runtime calls use shared internal authentication helpers.
Assurance status
ISO 27001 / SOC 2
Corelyx is not currently ISO 27001 or SOC 2 certified. We are evaluating external certification as part of our enterprise readiness roadmap.
ISO 42001
Not currently certified. AI management-system certification is being tracked as part of the external assurance roadmap.
Pen test / external audit
No completed third-party penetration test is currently published. External testing is planned before enterprise commitments that require it.
CSA STAR / NIS2 / CISPE / Green Web
Self-assessment documents are maintained in the repository and should be published only when evidence is complete and current.
Status page
A public status page is planned. Until it is live, operational incidents are communicated through customer support channels.
Vulnerability disclosure
Please report security issues privately to security@corelyx.app. The detailed policy, scope, severity targets, and coordinated disclosure expectations are published on the Security page.
