1. Infrastructure and data residency
- Primary region: AWS eu-central-1 (Frankfurt, Germany). Customer content and derived data stay in Frankfurt.
- AI inference: Anthropic Claude accessed via AWS Bedrock. The Bedrock configuration runs inside the same EU region; prompts and outputs are not sent to OpenAI and are not routed to a US endpoint for processing.
- No training on customer data. Customer content is not used to train or fine-tune any shared model.
- Static web tier: Vercel with EU edge preferred; Cloudflare in front for CDN and WAF.
2. Encryption
- At rest: AES-256 via AWS KMS-managed keys for all durable storage (S3, databases, object storage). Separate keys per environment.
- In transit: TLS 1.2 or higher on all endpoints. HSTS enabled on the production domain.
- Field-level: Romanian CNPs appearing in B2C invoices are encrypted at the application layer with separate key material, on top of at-rest encryption.
3. Access controls
- Identity: SSO and IdP-backed for all Matchquote staff; MFA required.
- Authorization: least-privilege IAM roles, production access gated and logged.
- ANAF / SPV integration: OAuth2 per CUI, authorized directly by the accountant for each client. No master token. Access tokens expire (90 days) and refresh tokens are stored encrypted with separate key material.
- No shared credentials; admin actions are individually attributable in logs.
4. Logging and audit
- Application audit logs for customer-facing administrative actions.
- Infrastructure logs (AWS CloudTrail) for privileged actions, retained 12 months.
- Inference audit trail: prompts and outputs for regulated products (e.g. SPV Copilot) are retained for audit per the DPA, scoped to the customer's tenant.
5. Tenant isolation
Each customer's content is logically separated by tenant identifiers, with application-level authorization checks on every request. Bedrock sessions are scoped per request; no long-lived cross-tenant caches.
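As an added illustration of the per-request tenant check described above (example code, not Matchquote's own; the in-memory store, the session shape and all names are assumptions), the tenant id is bound from the authenticated session rather than taken from the request, and a cross-tenant id is rejected with the same error as a missing one so that tenancy cannot be probed by id:

```python
"""Tenant-scoped data access: every lookup is filtered by the session's tenant."""
from dataclasses import dataclass


class TenantMismatch(PermissionError):
    """Raised for any document that is not visible in the caller's tenant."""


@dataclass(frozen=True)
class Session:
    user_id: str
    tenant_id: str  # bound at login from the IdP claim; not user-editable


@dataclass(frozen=True)
class Document:
    doc_id: str
    tenant_id: str
    body: str


# Constructed sample store (assumption): two tenants, one document each.
STORE = {
    "doc-1": Document("doc-1", "tenant-a", "invoice 2024/001"),
    "doc-2": Document("doc-2", "tenant-b", "invoice 2024/007"),
}

AUDIT: list[str] = []  # stands in for the application audit log


def get_document(session: Session, doc_id: str) -> Document:
    """Fetch one document, enforcing the tenant boundary on every call.

    The SQL equivalent is WHERE doc_id = ? AND tenant_id = ?; a hit in another
    tenant and a non-existent id are indistinguishable to the caller."""
    doc = STORE.get(doc_id)
    if doc is None or doc.tenant_id != session.tenant_id:
        AUDIT.append(f"deny user={session.user_id} tenant={session.tenant_id} doc={doc_id}")
        raise TenantMismatch(f"document not found in tenant {session.tenant_id}")
    return doc


def list_documents(session: Session) -> list[Document]:
    """Listing is always filtered by the session tenant; there is no unfiltered path."""
    return [d for d in STORE.values() if d.tenant_id == session.tenant_id]


def can_read(session: Session, doc_id: str) -> bool:
    """Convenience wrapper returning True only when the tenant check passes."""
    try:
        get_document(session, doc_id)
        return True
    except TenantMismatch:
        return False
```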
6. Backups and disaster recovery
- Daily backups of durable stores with 30-day retention.
- Point-in-time recovery enabled for the primary database.
- Recovery objectives: RTO ≤ 24h, RPO ≤ 24h for the MVP tier; tighter targets available for Pro and enterprise plans as agreed in the SOW.
7. Secure development
- All code in version control; reviewed before merge.
- Dependency vulnerability scanning on every pull request.
- Secrets stored in a managed secrets service; no secrets in code.
- Staging environment mirrors production; migrations are reviewed.
8. Incident response
- Defined incident classification and on-call rotation.
- Breach notification: in the event of a confirmed personal-data breach, customers are notified within 72 hours of becoming aware, per GDPR Art. 33 and our DPA.
- Post-incident reports include root cause, impact, remediation, and timeline.
9. Regulatory posture
- GDPR: controller for marketing data, processor for customer content. DPA available at /legal/dpa.
- ANSPDCP: we track the Romanian authority's public enforcement decisions and adjust practices accordingly.
- AI Act (Regulation 2024/1689): AI outputs are labelled as AI-generated. For high-risk use cases (e.g. tax response drafting), human review by a qualified professional is required before the output is acted upon. We do not deploy solely-automated decisions with legal effect on natural persons.
- CECCAR / Camera Consultanților Fiscali: Matchquote's compliance products are productivity tools; they do not replace an authorized tax consultant. Professional responsibility for filings stays with the licensed accountant.
10. Subprocessors
The current subprocessor list is published in the DPA. We give customers 30 days' notice before adding or replacing a subprocessor.
11. Responsible disclosure
If you believe you've found a security vulnerability, please email hello@matchquote.ai with the subject “Security”. We will acknowledge your report within 2 business days, investigate in good faith, and will not take legal action against researchers who follow responsible disclosure.
12. Changes
We update this page when our posture materially changes. The “Last updated” date at the top reflects the latest revision. Customers under an active DPA are notified of security-material changes by email.
Matchquote is a small studio, not a SOC 2-certified enterprise vendor. If your procurement process requires a SOC 2 Type II or ISO 27001 report, please ask — we can walk you through our compensating controls and the upstream certifications of our subprocessors (AWS, Google, Stripe).