Trust Center

Mental-health data is among the most sensitive there is. Here's how we protect it — and exactly who helps us run the service.

Our commitments

EU data residency

Your data is stored in the EU (Frankfurt, Germany).

Encrypted in transit and at rest

Traffic is served over TLS, and sensitive clinical fields are encrypted at the application layer before they are written.

Least-privilege access

Row-level security isolates every account's data; staff access is limited and auditable.

Data minimisation

We collect only what care requires and use privacy-friendly, cookieless analytics.

Subprocessors

We use a small set of vetted providers to operate Avand, each bound by a data-processing agreement. We keep this list current; material changes are announced here.

Provider	Purpose	Region	Safeguard
Supabase	Database, authentication and file storage	Germany (EU)	Processed in the EU · DPA
Cloudflare (Stream)	Video hosting (session and workshop recordings)	EU / Global	Standard Contractual Clauses · DPA
Daily.co	Live video sessions and workshops	EU / United States	Standard Contractual Clauses · DPA
Deepgram	Speech-to-text transcription	United States	Standard Contractual Clauses · DPA
Zoho (ZeptoMail)	Transactional email	EU	Data-processing agreement · DPA
SentryPlanned	Error and performance monitoring	EU	Data-processing agreement · DPA
Plausible AnalyticsPlanned	Privacy-friendly, cookieless analytics	Germany (EU)	Processed in the EU · DPA
Application hosting (VPS)	Application hosting	EU	Data-processing agreement
Google (Sign-in)	Optional Google sign-in	EU / United States	Standard Contractual Clauses · DPA
Payment providerPlanned	Payment processing	To be confirmed	Data-processing agreement

* May process special-category (health) data — covered by a transfer-impact assessment and explicit consent where required.

Reporting a vulnerability

Found a security issue? We want to hear from you and we'll respond promptly:

security@avand.online