Trust & commitments
Everything an enterprise procurement team needs to evaluate Overturo.
Some commitments below are pending Legal sign-off.
SOC 2 status
Type II audit in progress (estimated completion: TBD)
Request the full audit reportData Processing Agreement
Pending Legal sign-offOverturo runs sovereign trust orchestration — your subjects' data stays in their home region and is provably never centralized. Download the executed Data Processing Agreement, with per-region processing terms and proof of residency for your regulators.
Download the DPACountersigned DPAs available via the contact form.
Sub-processors
List last reviewed on June 04, 2026
| Provider | Purpose | ||
|---|---|---|---|
| Amazon Web Services | Infrastructure | CH, EU, UK, US | Apr 15 |
| Cloudflare | Infrastructure | CH, EU, UK, US | Apr 15 |
| Postmark | US | Apr 15 |
Regional data residency
Data stays home. Trust travels. Each person's data lives in their home region and never leaves it — cross-region trust is carried by a minimized, verifiable proof, not by moving the data. Residency is preserved by architecture, and every commitment below is backed by a tamper-proof audit trail.
| Region | Data stored in | Protected under | |
|---|---|---|---|
| Switzerland | Switzerland | Swiss FADP | Brokers Navigator Ltd (United Kingdom) |
| European Union | Italy | EU GDPR | Brokers Navigator Ltd (United Kingdom) |
| United Kingdom | United Kingdom | UK GDPR + DPA 2018 | Brokers Navigator Ltd (United Kingdom) |
| United States | United States | US state & sectoral privacy law (incl. CCPA/CPRA) | OmVi Labs Inc (Delaware, United States) |
Service-level commitments
Pending Legal sign-offLast updated on June 04, 2026
| Capability | Commitment | |
|---|---|---|
| Platform availability | 99.9% monthly | Uptime measured on the canonical /healthz endpoint |
| Global revocation propagation | 30s p99 | Time from revocation request to global cache invalidation |
| Attestation ingest latency | 200ms p99 | Time from POST receipt to attestation persisted |
| Receipt-verify endpoint availability | 99.9% monthly | Same instrumentation as platform availability |
Versioning & breaking-change policy
Pending Legal sign-offLast updated on June 04, 2026
- Current platform version: 1.0
- No breaking changes within v1.x; new major requires explicit opt-in.
- Deprecation window: 12 months minimum.
- If we ever rotate a security key, we honor the previous one for 90 days so your integration keeps working.
- Our SDK versions track the platform version, so upgrades are predictable.
Incident disclosure
We notify affected customers within 24 hours of incident confirmation, via the contact email on the account.
A full root-cause analysis is published within 14 days. RCAs include the timeline, contributing factors, and the remediation roadmap.
Subscribe to status updates via the contact form.
Compliance program
Show your auditor exactly what they ask for. Overturo covers GDPR, CCPA, healthcare, SOC 2, and DIATF out of the box, and produces a regulator-ready evidence package mapped to the specific citations your reviewers raise.