Trust and security

What procurement asks before signing.

Company facts, data-protection posture, sub-processor list, EU AI Act position, and the honest single-operator continuity story. If your security or procurement team needs more, the contact at the bottom of the page is real.


01

Company facts

Legal name
Eltrus Limited
Country of registration
Ireland
CRO company number
795239 (verifiable at core.cro.ie)
Founder and director
Eoghan Collins
Operating scope
EU, UK, and US
Contracting entity
Eltrus Limited (Irish Ltd) for all MSAs, SOWs, and DPAs

02

Data protection

Every engagement that touches your customer data runs under a GDPR Article 28 Data Processing Agreement. The DPA is bundled with the MSA at signature. If you need to see it before signing, request it via the contact at the bottom of this page; a redacted version is sent by reply.

What the DPA covers

  • Article 28 processor obligations: documented instructions, confidentiality, Article 32 security measures, breach notification, deletion/return on termination
  • 24-hour initial breach notification with phased updates as facts develop
  • 30-day deletion or return of Personal Data on termination; backups expire on a rolling 30-day cycle, so deleted data ages out of backups within a further 30 days
  • Sub-processor change notice: 30 days written, with objection mechanics and a 60-day resolution window
  • Right to audit via security-questionnaire response within 30 days, escalating to on-site audit only after a breach

What is out of scope

  • Customer payment data. We do not handle your customers' payment instruments. Your Stripe stays your Stripe.
  • Special categories of data under Article 9. The AI pipeline is configured to escalate any ticket detected as containing health, identity, or other special-category data to a human agent.
  • Data of children under 16 (or higher local age of digital consent). Escalated and excluded from any tuning samples.

03

Sub-processors (Article 28)

Vendors that process Client end-customer Personal Data on the Client's behalf.

Adding to or replacing this list triggers 30 days written notice via the email designated in your MSA. Clients may object on reasonable data-protection grounds.

Anthropic, PBC
  Service: Claude API, used for AI response generation, classification, and prompt tuning
  Location: USA (EU endpoints where available)
  Transfer mechanism: EU-US Data Privacy Framework (DPF-certified) + SCC Module 3 (processor-to-processor)

OpenAI OpCo, LLC
  Service: GPT-5.5 API for secondary AI verification; GPT Image 2 for audit-deliverable image generation
  Location: USA
  Transfer mechanism: EU-US Data Privacy Framework (DPF-certified) + SCC Module 3 (processor-to-processor)

Cloudflare, Inc.
  Service: Edge routing of inference calls, and encrypted operational storage when used within the AI workflow
  Location: USA + EU edge POPs
  Transfer mechanism: EU-US Data Privacy Framework (DPF-certified) + SCC Module 3 (processor-to-processor)

1Password (AgileBits Inc.)
  Service: Encrypted credential vault for Client helpdesk credentials (zero-knowledge architecture)
  Location: Canada
  Transfer mechanism: Canada adequacy decision

The Client's chosen helpdesk platform (Gorgias, Intercom, Zendesk, Help Scout, Freshdesk) is not an Eltrus sub-processor. The Client contracts with it directly, and the platform's own data-processing terms apply between the Client and that vendor.

Operations vendors (not Article 28 sub-processors)

The following vendors process data Eltrus controls in its own right (billing, sales operations, internal documentation, signatory information). They do not process Client end-customer Personal Data on the Client's behalf. Listed for transparency:

  • Stripe Payments Europe Ltd (Ireland) - engagement fee payment processing
  • Wise Payments Ltd / Wise USA Inc. (UK / USA) - multi-currency banking
  • DocuSign, Inc. (USA, DPF-certified) - electronic signature for MSAs and SOWs
  • Loom, Inc. (USA, DPF-certified) - audit deliverable and walkthrough recording. Records may include Client personnel data; recording consent confirmed at kickoff.
  • Apollo.io, Inc. (USA, DPF-certified) - public B2B contact data only
  • Cal.com, Inc. (USA + EU edge, DPF-certified) - calendar booking
  • Notion Labs, Inc. (USA, DPF-certified) - internal documentation. No end-customer Personal Data is stored in Notion.

04

Access scope

Every engagement runs through a Scoped Access Checklist. Access escalates in five stages. We never start with write access.

  • Stage 1: Read-only. Helpdesk seat with a read-only role, used for baseline measurement only. No write access, no data export.
  • Stage 2: Authoring. KB Editor and Macro Editor roles, granted only after the baseline KPI report is delivered and the Client approves the implementation plan.
  • Stage 3: Live operation. Agent, KB Editor, and Macro Editor roles, granted only after the first flow goes live and the Client confirms it is operating as expected.
  • Stage 4: Multi-channel (Tier 2). Social DM connector, live chat handoff, refund-to-exchange tooling. Each integration gets explicit written Client sign-off before activation.
  • Stage 5: Custom workflows (Tier 3). Slack ops channel, scoped Shopify Admin role, custom API access. Scope is agreed per workflow.

Credentials live in 1Password Business, in a vault dedicated to each Client. They are revoked at termination within two business days, with a confirmation email sent within five. Because every seat and role is issued inside the Client's own helpdesk, the Client can also revoke Eltrus's access itself at any moment without waiting on Eltrus.


05

EU AI Act position

Eltrus is monitoring the EU AI Act implementation timeline. The 7 May 2026 Digital Omnibus deferred the Annex III high-risk AI obligations to 2 December 2027, but two provisions that apply to Eltrus's service are not deferred: Article 4 (AI literacy), which has applied since 2 February 2025, and Article 50 (transparency), which applies from 2 August 2026.

Provider and Deployer roles

Eltrus acts as a Deployer of AI systems built on third-party general-purpose AI models (Anthropic Claude, OpenAI GPT) when running AI-assisted customer support inside a Client's helpdesk. The Client may be a co-Deployer depending on how the workflow is configured. The MSA and AI Governance Schedule allocate Provider, Deployer, and downstream-Deployer obligations explicitly per engagement.

Article 50 transparency (applicable from 2 August 2026)

Where the AI responds to a customer in real time, Client end-customers are told that they are interacting with an AI system, as Article 50(1) of the AI Act requires for systems intended to interact directly with natural persons. The exact transparency language is set in the AI Governance Schedule for each engagement.

Article 22 GDPR automated decision-making

Where the AI materially influences a refund, cancellation, or subscription decision (typically Tier 2 revenue-recovery flows), the workflow applies a confidence threshold: any decision the AI cannot make at or above that threshold routes to a human agent. The Client, as controller, owns the policy that sets the threshold. A confidence gate on its own does not take a decision outside Article 22: a decision with legal or similarly significant effects that remains fully automated still needs one of the Article 22(2) grounds and the Article 22(3) safeguards, including the data subject's right to obtain human intervention.
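As an added example (not code from Eltrus or from this page), the following Python routing gate implements both the Article 9 and under-16 escalation described in section 02 and the confidence gate above. The classifier output shape, the label names, the sample tickets and every threshold value are assumptions. What it shows that the prose does not is the asymmetry a practitioner should insist on: the exclusion check escalates on a weak signal (a missed escalation leaks excluded data into the AI flow), the automation check only stays automated on a strong signal, and malformed classifier output fails closed to a human.

```python
"""Routing gate for an AI-assisted helpdesk flow.

Added example, not Eltrus's code. It models two rules from the page: tickets
detected as containing Article 9 special-category data or data of a child
under 16 go to a human (and are kept out of tuning samples), and a refund,
cancellation or subscription decision stays automated only at or above the
confidence threshold the Client's policy sets. The classifier output shape,
the label names and every threshold value are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

# Assumed labels emitted by an upstream classifier (hypothetical names).
SPECIAL_CATEGORY_LABELS = frozenset({
    "health", "biometric", "genetic", "ethnic_origin", "political_opinion",
    "religious_belief", "trade_union", "sex_life",
})
MINOR_LABEL = "minor_under_16"

# Exclusion is fail-safe: a weak signal is enough to escalate, because a
# missed escalation would put excluded data through the AI flow.
EXCLUSION_SCORE_FLOOR = 0.20


@dataclass(frozen=True)
class ClientPolicy:
    """Client-owned automation thresholds per decision class.

    None means that class always routes to a human, which is how a controller
    keeps a decision from being solely automated (Article 22 GDPR).
    Classes not listed fall back to default_threshold.
    """
    automation_thresholds: dict[str, float | None]
    default_threshold: float = 0.90


@dataclass(frozen=True)
class Route:
    target: str            # "human" or "ai"
    reason: str            # for the audit trail, never shown to the end-customer
    tuning_eligible: bool  # False keeps the ticket out of prompt-tuning samples


def route_ticket(classification: Any, policy: ClientPolicy) -> Route:
    """Decide who handles a ticket from the classifier's output.

    classification is expected as {"labels": {label: score}, "decision": str | None,
    "confidence": float | None}. Anything malformed fails closed to a human.
    """
    if not isinstance(classification, dict) or not isinstance(classification.get("labels"), dict):
        return Route("human", "classifier output missing or malformed; failing closed", False)

    labels: dict[str, float] = classification["labels"]
    for label, score in labels.items():
        if label in SPECIAL_CATEGORY_LABELS and score >= EXCLUSION_SCORE_FLOOR:
            return Route("human", f"Article 9 signal {label}={score:.2f}", False)
        if label == MINOR_LABEL and score >= EXCLUSION_SCORE_FLOOR:
            return Route("human", f"possible under-16 data subject ({score:.2f})", False)

    decision = classification.get("decision")
    if decision is None:
        # Informational ticket: no decision with legal or similarly significant effect.
        return Route("ai", "no revenue decision involved", True)

    threshold = policy.automation_thresholds.get(decision, policy.default_threshold)
    if threshold is None:
        return Route("human", f"policy: '{decision}' always needs a human", True)

    confidence = classification.get("confidence")
    if not isinstance(confidence, (int, float)) or confidence < threshold:
        return Route("human", f"confidence {confidence!r} below {threshold} for '{decision}'", True)
    return Route("ai", f"confidence {confidence:.2f} meets {threshold} for '{decision}'", True)


# Constructed sample classifier outputs (not real tickets).
SAMPLE_POLICY = ClientPolicy(automation_thresholds={"refund": 0.95, "cancellation": None})
SAMPLE_TICKETS: dict[str, Any] = {
    "shipping_refund": {"labels": {"shipping": 0.91}, "decision": "refund", "confidence": 0.97},
    "refund_with_health_mention": {"labels": {"health": 0.34}, "decision": "refund", "confidence": 0.99},
    "low_confidence_refund": {"labels": {"shipping": 0.88}, "decision": "refund", "confidence": 0.80},
    "cancellation": {"labels": {"billing": 0.93}, "decision": "cancellation", "confidence": 0.99},
    "child_asking_about_order": {"labels": {MINOR_LABEL: 0.21}, "decision": None, "confidence": None},
    "garbled_classifier_output": "ERROR: upstream timeout",
}


def route_all(tickets: dict[str, Any], policy: ClientPolicy) -> dict[str, Route]:
    return {name: route_ticket(c, policy) for name, c in tickets.items()}


if __name__ == "__main__":
    for name, route in route_all(SAMPLE_TICKETS, SAMPLE_POLICY).items():
        print(f"{name:28} -> {route.target:5} tuning={route.tuning_eligible!s:5} {route.reason}")
```

The reason string is meant for the audit trail only; surfacing it to the end-customer would reveal that a special-category detector fired on their message. Note also that a ticket routed to a human under the Client's "always human" rule remains eligible for tuning samples, while anything escalated because of excluded data does not.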

Article 4 AI literacy (applicable since 2 February 2025)

Eltrus maintains documented AI literacy for personnel deploying or operating AI on Client systems. On request, we provide a short literacy summary for the Client's own personnel using the deployed system.

Model training

Customer data is not used to train any foundation AI model. Both Anthropic and OpenAI exclude API traffic from model training by default under their API terms, and Eltrus does not opt into any training or data-sharing programme that would change that. Zero Data Retention (ZDR) is arranged with the provider where the Client's risk profile warrants it; without ZDR, the provider's standard abuse-monitoring retention applies for the period stated in its terms.


06

Single-operator continuity

Eltrus is a one-operator business. The founder is the operator. This is the right model for a focused services engagement, but procurement teams reasonably ask what happens if the operator is unavailable.

Short-term unavailability (under 30 days)

Weekly KPI reports continue automatically (they are scripted, not manual). Critical incidents raised in the Slack ops channel are routed to a documented backup contractor who already holds the access needed to handle them. The Client primary contact is notified within one business day of the start of any planned unavailability.

Extended unavailability (30+ days)

Each MSA includes a wind-down clause. If Eltrus cannot deliver for 30 consecutive days for reasons of force majeure or operator unavailability, the Client may terminate for cause with a pro-rata refund of any prepaid retainer fees, and Eltrus delivers a full handoff package (KB articles in markdown, macro documentation, escalation rules, credential rotation instructions) within 10 business days.

What you own at exit

All KB articles, macros, prompt content, and helpdesk configuration are Client-owned property under the MSA. They live inside the Client's helpdesk and remain there if the engagement ends. There is no Eltrus platform to migrate off and no separately hosted Eltrus infrastructure that becomes inaccessible.


07

What we do not yet have

The honest list. These items are on the roadmap, not in place yet:

  • SOC 2 / ISO 27001. Not pursuing yet. These certifications cost €30k-€60k+ and a year of process; they are not justified before revenue. If your procurement requires them, we are not the right fit today.
  • Bound insurance policies. Tech E&O and Cyber Liability policies are quoted but not yet bound. Target limits are €2,000,000 per claim each, to be in place before the first paying engagement. We will not sign an MSA with a Client without insurance in place. Certificate available on request once bound.
  • Public client logos and case studies. The first paying clients are signing now. Logos and case studies will appear on this site only with the named Client's written consent.
  • Penetration test summary. Scheduled for the first quarter we hit three paying retainers concurrently. Until then, the relevant security artefacts are the access scope, the DPA, and the sub-processor list.

Stating gaps publicly is more useful than pretending they do not exist. If you need any of the above to sign, ask via the contact below; we can tell you what is realistic on what timeline.

Procurement or security questions

Email the founder directly. Replies usually inside one business day, often faster.