Trust

Trust & security, quietly serious.

Agencies trust Calmer with their clients' data. Here's how we protect it, where it lives, and what we can sign for your procurement, without the jargon.

Where your data lives

Your account and client data run on EU infrastructure: hosted in Switzerland (Exoscale), with the database in the EU, so they stay under EU/Swiss law. Our sub-processors, including email delivery (Mailjet), operate in the EU/EEA under Data Processing Agreements.

Encryption

Data is encrypted in transit (TLS) and at rest. Connections to the app and the database are encrypted end to end.

Tenant isolation

Every agency is a separate tenant. Access is enforced at the database level (row-level security) on top of application checks, so one agency can never see another's data, even in the unlikely event of a bug.

Access & least privilege

Team roles (owner, admin, manager, viewer) limit who can do what. The app connects to the database as a restricted, non-superuser role, so the database is the final safety net, not just the code.
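To make the tenant-isolation and least-privilege claims above concrete, here is an added illustration (not Calmer's own schema or code) of how row-level security keyed on a per-session tenant setting combines with a restricted application role. It assumes PostgreSQL; the table, role, policy and setting names are hypothetical.

```sql
-- Added example, not Calmer's schema. Assumes PostgreSQL.
-- One table holds every agency's clients; agency_id is the tenant key.
CREATE TABLE clients (
    id         bigserial PRIMARY KEY,
    agency_id  bigint NOT NULL,
    name       text   NOT NULL
);

-- The application connects as this role: not a superuser, not the table
-- owner, and explicitly unable to bypass RLS. Password is a placeholder.
CREATE ROLE calmer_app LOGIN NOSUPERUSER NOBYPASSRLS PASSWORD 'placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE ON clients TO calmer_app;
GRANT USAGE, SELECT ON SEQUENCE clients_id_seq TO calmer_app;

-- Enable RLS, and FORCE it so even the table owner is subject to the
-- policy. Superusers and BYPASSRLS roles still bypass it, which is why
-- the app must never connect as one of those.
ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
ALTER TABLE clients FORCE ROW LEVEL SECURITY;

-- A row is readable (USING) and writable (WITH CHECK) only when its
-- agency_id matches the tenant pinned on the current session.
-- current_setting(name, true) returns NULL instead of erroring when the
-- setting is absent, and NULL = x is never true, so a request that
-- forgot to set the tenant sees and writes nothing rather than everything.
CREATE POLICY tenant_isolation ON clients
    USING      (agency_id = current_setting('app.current_agency', true)::bigint)
    WITH CHECK (agency_id = current_setting('app.current_agency', true)::bigint);

-- Per request, the app pins the tenant for this transaction only.
-- SET LOCAL is reverted at COMMIT/ROLLBACK, so a pooled connection does
-- not leak the previous request's tenant into the next one.
BEGIN;
SET LOCAL app.current_agency = '42';
INSERT INTO clients (agency_id, name) VALUES (42, 'Acme Studio');  -- allowed
SELECT id, name FROM clients;            -- returns only agency 42's rows
COMMIT;

-- With the tenant pinned to 42, this would be rejected by WITH CHECK
-- (and abort the transaction), regardless of what the application code does:
--   INSERT INTO clients (agency_id, name) VALUES (7, 'Other Agency');
```

Run the session block as calmer_app; a quick check that the role is really constrained is `SELECT rolsuper, rolbypassrls FROM pg_roles WHERE rolname = 'calmer_app';`, which should return false for both.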

Backups & recovery

The managed database is backed up automatically with point-in-time recovery, so data can be restored after a mistake.

Responsible disclosure

Found something? Please tell us via the contact form and we'll respond quickly. We appreciate good-faith reports.

EU and Swiss data residency

Sovereignty is our core guarantee today. Your application and client data are stored in the EU and Switzerland on Exoscale, so they stay under EU and Swiss law and are GDPR-aligned by design.

For many EU and DACH buyers, knowing exactly where data lives, and under whose law, matters as much as a certification logo. With Calmer, that answer is simple and verifiable.

Infrastructure and certifications

Our application and client data run on Exoscale, a Swiss and EU cloud provider, in data centres located within the European Economic Area (Switzerland, Germany and Austria).

Exoscale has been ISO/IEC 27001 certified since 2018, and also holds ISO/IEC 27018, SOC 2 Type 2, C5 Type 2 and HDS certifications.

This means the infrastructure layer your data sits on is independently audited to recognised security standards today, while our own organisation-level certification is on the roadmap (see the compliance section below).

EU data, and the US ad platforms

When we say EU-first, we mean your own data. Your agency account and your clients' operational data (onboarding, requests, approvals, client updates, files and messages) are hosted in the EU and Switzerland on Exoscale and handled in line with GDPR.

The advertising platforms themselves, Meta, Google and TikTok, are US-based, and your clients advertise there regardless of Calmer. When you connect a client's ad account through Calmer, we use each platform's official access flow and store only the access token, encrypted, in the EU. The ad data itself stays on those platforms under their terms; we do not move it.

We do not sell data, and we do not send client or operational data to ad platforms for marketing. What Meta, Google and others do with data on their side is governed by their own privacy policies (for example Google and Meta).

For our own stack we deliberately choose EU providers: hosting on Exoscale, email via Mailjet in the EU, and EU-hosted analytics. For the ad platforms there is no full EU equivalent, since your clients need to reach audiences where they are, so our approach is transparency and data minimisation rather than pretending a swap exists.

Data Processing Agreement (DPA)

We provide a Data Processing Agreement you can sign for your own records and for your clients' procurement teams. It covers the roles of each party, our sub-processors, the security measures we apply and where your data is stored.

The DPA is available on request via the contact page. You can also review our sub-processors at any time.

Sub-processors

We keep a current list of the sub-processors that help us run the service: hosting, content delivery and edge on Exoscale in the EU and Switzerland, email delivery via Mailjet in the EU, and EU-hosted product analytics.

See the sub-processors page for the live list.

Independent testing

We commission external security testing, including penetration testing, before serving larger customers, and we fix findings on a priority basis. This is part of how we work, not a one-time checkbox.

Compliance roadmap (SOC 2 / ISO 27001)

To be clear: we are not yet SOC 2 or ISO 27001 certified. Formal certification is on our roadmap.

In the meantime we already operate to those principles: encryption in transit and at rest, tenant isolation via row-level security, least-privilege access, EU and Swiss data residency, audit logging, and a signable DPA.

Enterprise prospects can request our current security overview and DPA via the contact page.