Trust & compliance
Everything your procurement reviewer needs, in one place — security posture, privacy, DPA, sub-processors, and live status.
What you can review today
Security overview
Authentication, payments, integrations, hosting — how Pokor handles your data end-to-end.
Privacy policy
What we collect, why, and how anonymous session data is wiped on sign-out.
Data Processing Addendum
Processor obligations, sub-processors, breach notification, international transfers.
Service status
Current uptime and any active or recent incidents.
Terms of service
The contract that governs your use of Pokor.
Security contact
Report a vulnerability. We respond to every email.
What's in place today
The controls we run, and the boundaries we deliberately keep out of scope.
GDPR support
Available: EU-hosted infrastructure, signable DPA, documented sub-processor list, 72-hour breach notification commitment.
TLS everywhere
In place: All connections encrypted in transit. Integration OAuth tokens encrypted at rest.
Breach notification
Committed: 72-hour customer notification commitment in our DPA, with a documented incident response process.
Sub-processor transparency
Published: A live list of every third party that touches your data, with prior notice before adding or replacing any of them.
Status reviewed quarterly. If something above is out of date, email [email protected] and we'll fix it.
Who processes your data
A short list, kept current. New sub-processors require customer notice under our DPA.
| Provider | Purpose | Region |
|---|---|---|
| Stripe | Payment processing | US (SCCs in place) |
| Hetzner | Hosting & database | EU |
| Cloudflare | Edge network, DDoS mitigation | Global |
| Postmark | Transactional email | US (SCCs in place) |
| PostHog | Product analytics | EU |
| Sentry | Error tracking | EU |
| Laravel Nightwatch | Application monitoring | US (SCCs in place) |
Need something a reviewer asked for?
Security questionnaire, counter-signed DPA, custom retention — ask.
Email [email protected]