Built for institutional-grade security.
When it comes to your data security, don't compromise.
How Misano works today.
EU data residency
Production database in Supabase Frankfurt. Customer data does not leave the EU.
No training on your data
LLM calls go to Anthropic (Claude) and OpenAI. Neither vendor uses your API data to train its models.
Encryption at rest and in transit
AES-256 at rest in Supabase. TLS 1.3 in transit. Standard managed-database posture.
Per-tenant isolation
Row-level security at the Postgres layer. One customer cannot read another customer's data.
Google OAuth only
No password storage. SSO and 2FA are on the roadmap, not yet live.
GDPR-native
Right to access, right to erasure, DPA signable in app. Czech ÚOOÚ is the supervisory authority.
Every vendor with access.
These are the only third parties that touch data. The list is updated whenever it changes. Third parties receive data in isolation and with the minimum context necessary.
| Vendor | Role | Location | Safeguards |
|---|---|---|---|
| Supabase | Database, auth, file storage | EU · Frankfurt | EU residency |
| Anthropic | LLM inference (Claude) | EU + US | No training |
| OpenAI | LLM inference | US | No training |
| Exa | Neural web search (Scout) | US | Query-scoped |
| Stripe | Payments and invoicing | EU · Ireland | PCI DSS |
| Resend | Transactional email | US | Email-scoped |
Full sub-processor list at /legal/sub-processors.
Hold us to the same bar you hold your portfolio to.
The security of customer data and our choice of third-party tools is a strategic, long-term decision we don't take lightly.