GDPR-compliant
Our platform meets European privacy standards. A Data Processing Agreement (DPA) under Art. 28 GDPR is available to all customers and is signed together with your order on request.
Trust Center
Your data.
Your control.
At Temporalis EMS, security and privacy aren't add-ons — they're the foundation. We build on European infrastructure, real GDPR compliance, and one clear principle: you retain sovereignty over your data at all times.
Foundations
Secure. European. Isolated.
Four pillars our platform is built on — and that we can demonstrate at any time.
Servers in Germany
All core services run in the Hetzner data centers Falkenstein and Nürnberg. At the core level we don't use any US sub-processors — your data does not leave the EU.
Encryption
End-to-end on all transport paths with TLS 1.3. Data at rest is encrypted with AES-256. Key rotation and hardened secret stores are part of our standard setup.
Multi-tenant isolation
Every tenant gets its own, physically separated ArangoDB database. There are no shared tables, no row-level-security gymnastics — one tenant will under no circumstances see another's data.
Processes
What we do every day to keep your data safe.
Backup strategy
Daily automated backups per tenant database with 30-day retention. Restore procedures are documented and regularly tested.
Audit logs
Every administrative action — role changes, data deletions, exports, invitations — is logged without gaps. The logs are immutable and can also be exported to third-party systems on request.
Annual penetration test
Once a year we have Temporalis EMS checked for vulnerabilities by an external, certified vendor. The report is available to Enterprise customers under NDA upon request.
Incident Response
A clearly defined notification chain with a maximum response time of 24 hours. For reportable incidents, we inform you and, where required, the competent supervisory authorities within the statutory deadlines.
Legal & Compliance
Legally well-positioned.
- Data Processing Agreement (DPA) under Art. 28 GDPR available
- Technical and organizational measures (TOMs) documented
- Data export possible at any time — JSON and CSV, no vendor lock-in
- Right to erasure fully implemented (Art. 17 GDPR)
- No profiling, no automated individual decisions
- No third-party sales, no tracking for advertising purposes
Sub-processors
Who has technical access?
Transparently listed — no surprises in the fine print.
| Vendor | Purpose | Location / Region |
|---|---|---|
| Hetzner Online GmbH | Hosting & infrastructure | Germany (Falkenstein / Nürnberg) |
| Mailjet by Sinch | Transactional email | EU |
| Cal.com (self-hosted) | Demo booking | Germany (hosted on Hetzner) |
| Stripe Payments Europe | Payment processing | Ireland (EU) |
More questions?
Get in touch.
We'll answer honestly.
Whether it's specific compliance questions, details for your privacy team, or a security issue you've found — we're here to talk.