Trust and security

What procurement asks before signing.

Company facts, data-protection posture, sub-processor list, EU AI Act position, and the honest single-operator continuity story. If your security or procurement team needs more, the contact at the bottom of the page is real.


01

Company facts

Legal name
Eltrus Limited
Country of registration
Ireland
CRO company number
795239 (verifiable at core.cro.ie)
Founder and director
Eoghan Collins
Operating scope
EU, UK, and US
Contracting entity
Eltrus Limited (Irish Ltd) for all MSAs, SOWs, and DPAs

02

Data protection

Every engagement that touches your customer data runs under a GDPR Article 28 Data Processing Agreement. The DPA is bundled with the MSA at signature. If you need to see it before signing, request it via the contact at the bottom of this page; a redacted version is sent by reply.

For data protection inquiries, contact our privacy officer Eoghan Collins at [email protected].

Encryption and PII handling

Data is encrypted in transit (TLS) on every hop, and operational storage used inside the AI workflow is encrypted at rest. Helpdesk credentials live in a per-client zero-knowledge vault, never in plaintext config. Tickets detected as containing payment instruments, health, identity, or other special-category data are escalated to a human rather than processed by the AI, and are excluded from any tuning sample. Every AI action inside the helpdesk is logged in the helpdesk's own audit trail, reviewable and reversible by the Client.

Human approval and the off-switch

The agent can run in draft-only mode, or behind a confidence threshold, until the Client trusts it. Anything materially influencing a refund, cancellation, or subscription change routes to a human above a threshold the Client owns. The Client can pause or disable the agent at any time from inside their own helpdesk, without raising a request with Eltrus.

What the DPA covers

  • Article 28 processor obligations: documented instructions, confidentiality, Article 32 security measures, breach notification, deletion/return on termination
  • 24-hour initial breach notification with phased updates as facts develop
  • 30-day deletion or return of Personal Data on termination, with rolling-30 backup expiry
  • Sub-processor change notice: 30 days written, with objection mechanics and a 60-day resolution window
  • Right to audit via security-questionnaire response within 30 days, escalating to on-site audit only after a breach

What is out of scope

  • Customer payment data. We do not handle your customers' payment instruments. Your Stripe stays your Stripe.
  • Special categories of data under Article 9. The AI pipeline is configured to escalate any ticket detected as containing health, identity, or other special-category data to a human agent.
  • Data of children under 16 (or higher local age of digital consent). Escalated and excluded from any tuning samples.

03 · Sub-processors (Article 28)

Vendors that process Client end-customer Personal Data on the Client's behalf.

Adding to or replacing this list triggers 30 days written notice via the email designated in your MSA. Clients may object on reasonable data-protection grounds.

Vendor
Service
Location
Transfer mechanism
Anthropic, PBC
Claude API: AI response generation, classification, prompt tuning
USA (EU endpoints where available)
EU-US Data Privacy Framework (DPF-certified) + SCC Module 3
OpenAI, OpCo LLC
OpenAI API: secondary verification during audit production only; never in the live agent path and never on customer conversations
USA
EU-US Data Privacy Framework (DPF-certified) + SCC Module 3
Google LLC
Gemini image API: audit-deliverable image generation only; no customer or ticket data
USA (EU endpoints where available)
EU-US Data Privacy Framework (DPF-certified) + SCC Module 3
Cloudflare, Inc.
Edge routing of inference calls, encrypted operational storage when used within the AI workflow
USA + EU edge POPs
DPF-certified + SCC Module 3
1Password (AgileBits Inc.)
Encrypted credential vault for Client helpdesk credentials (zero-knowledge architecture)
Canada
Canada adequacy decision

The Client's chosen helpdesk platform (Gorgias, Intercom, Zendesk, Help Scout, Freshdesk) is not an Eltrus sub-processor. The Client contracts with it directly, and the platform's own data-processing terms apply between the Client and that vendor.

Operations vendors (not Article 28 sub-processors)

The following vendors process data Eltrus controls in its own right (billing, sales operations, internal documentation, signatory information). They do not process Client end-customer Personal Data on the Client's behalf. Listed for transparency:

  • Stripe Payments Europe Ltd (Ireland) - engagement fee payment processing
  • Wise Payments Ltd / Wise USA Inc. (UK / USA) - multi-currency banking
  • DocuSign, Inc. (USA, DPF-certified) - electronic signature for MSAs and SOWs
  • Loom, Inc. (USA, DPF-certified) - audit deliverable and walkthrough recording. Records may include Client personnel data; recording consent confirmed at kickoff.
  • Apollo.io, Inc. (USA, DPF-certified) - public B2B contact data only
  • Cal.com, Inc. (USA + EU edge, DPF-certified) - calendar booking
  • Notion Labs, Inc. (USA, DPF-certified) - internal documentation. No end-customer Personal Data is stored in Notion.

04

Access scope

Every engagement runs through a Scoped Access Checklist. Access escalates in five stages. We never start with write access.

  1. Stage 1: Read-only. Helpdesk seat with read-only role. Used for baseline measurement only. No write access. No data export.
  2. Stage 2: Authoring. KB Editor + Macro Editor role granted only after baseline KPI report is delivered and the Client approves the implementation plan.
  3. Stage 3: Live operation. Agent + KB Editor + Macro Editor granted only after the first flow goes live and the Client confirms it is operating as expected.
  4. Stage 4: Multi-channel (Tier 2). Social DM connector, live chat handoff, refund-to-exchange tooling. Each integration gets explicit Client written sign-off before activation.
  5. Stage 5: Custom workflows (Tier 3). Slack ops channel, scoped Shopify Admin role, custom API access. Per-workflow scope agreement.

Credentials live in 1Password Business inside a vault dedicated to each Client. They are revoked at termination within two business days, with confirmation email sent within five.


05

EU AI Act position

Eltrus is monitoring the EU AI Act implementation timeline. The Digital Omnibus simplification package, provisionally agreed in trilogue on 7 May 2026 (pending formal adoption), defers Annex III high-risk AI obligations from 2 August 2026 to 2 December 2027 and Annex I (product-embedded) HRAIS to 2 August 2028. Article 4 (AI literacy) and Article 50 (transparency) enforce on 2 August 2026 regardless. Both apply to Eltrus's service.

Provider and Deployer roles

Eltrus acts as a Deployer of third-party general-purpose AI models (Anthropic Claude, OpenAI GPT) when running AI-assisted customer support inside a Client's helpdesk. The Client may be a co-Deployer depending on how the workflow is configured. The MSA and AI Governance Schedule allocate Provider, Deployer, and downstream-Deployer obligations explicitly per engagement.

Article 50 transparency (effective 2 Aug 2026)

Where the AI is responding to a customer in real time, Client end-customers are informed they are interacting with an AI system, in line with Article 50(1) GDPR-style obligations. The exact transparency language is set in the AI Governance Schedule for each engagement.

Article 22 GDPR automated decision-making

Where the AI materially influences a refund, cancellation, or subscription decision (typically Tier 2 revenue-recovery flows), the workflow is configured with a confidence threshold above which the decision routes to a human agent. The Client owns the policy that defines the threshold.

Article 4 AI literacy (effective 2 Aug 2026)

Eltrus maintains documented AI literacy for personnel deploying or operating AI on Client systems. On request, we provide a short literacy summary for the Client's own personnel using the deployed system.

Model training

Customer data is not used to train any foundation AI model. Anthropic and OpenAI API modes are configured to opt out of training where the providers offer that setting. Zero Data Retention (ZDR) is requested where the Client's risk profile warrants it.


06

Single-operator continuity

Eltrus is a one-operator business. The founder is the operator. This is the right model for a focused services engagement, but procurement teams reasonably ask what happens if the operator is unavailable.

Short-term unavailability (under 30 days)

Weekly KPI reports continue automatically (they're scripted, not manual). Slack-channel critical incidents are routed to a documented contractor who has the access to handle them. The Client primary contact is notified within one business day of the start of any planned unavailability.

Extended unavailability (30+ days)

Each MSA includes a wind-down clause. If Eltrus cannot deliver for 30 consecutive days for reasons of force majeure or operator unavailability, the Client may terminate for cause with a pro-rata refund of any prepaid retainer fees, and Eltrus delivers a full handoff package (KB articles in markdown, macro documentation, escalation rules, credential rotation instructions) within 10 business days.

What you own at exit

All KB articles, macros, prompt content, and helpdesk configuration are Client-owned property under the MSA. They live inside the Client's helpdesk and remain there if the engagement ends. There is no Eltrus platform to migrate off and no separately hosted Eltrus infrastructure that becomes inaccessible.


07

Drafting standards

The MSA, DPA, and AI Governance Schedule were drafted against the following frameworks. Solicitor sign-off targeted for Q2 2026; firm name will appear here once complete.

  • GDPR. Article 28 (processor obligations); Standard Contractual Clauses Module 3 (controller-to-processor-to-processor, EU Commission published 2021/914); UK Addendum (ICO published); EDPB Guidelines 01/2025 on Pseudonymisation; EDPB Recommendations 01/2020 on Transfer Impact Assessments.
  • EU AI Act. Article 4 (AI literacy), Article 22 (automated decisions), Article 50 (transparency, in force from 2 August 2026), incorporating the Digital Omnibus simplification package (Omnibus VII, provisional trilogue agreement 7 May 2026) which defers Annex III HRAIS obligations to 2 December 2027.
  • Irish contract law. Sale of Goods and Supply of Services Act 1980 s.40 (implied terms); SI 580/2012 (statutory late-payment interest); Sheehan v Breccia [2018] (genuine pre-estimate of loss test for liquidated damages).
  • Consumer and electronic communications. Consumer Rights Act 2022 (Ireland); Unfair Commercial Practices Directive; SI 336/2011 (ePrivacy Regulations); applied to Tier 2 revenue-recovery flows in Schedule G.

The templates passed three rounds of adversarial review and a Codex-based contradiction scan. They are not a substitute for counsel; they are the substrate counsel will review. We will name the reviewing firm here once that engagement closes.


08

What we have shipped, visible on this page

The chat agent in the bottom-right corner of this site runs on the same Cloudflare Worker template we would deploy in your helpdesk. Same Durable-Object-per-conversation pattern, same Anthropic-EU-region tool loop, same hard caps on tool calls and wall-clock, same idempotent retry semantics. The only differences are the tools (this one books an audit and escalates to the founder; yours would look up orders, check return eligibility, and route refunds) and the knowledge base (this one is the contents of this website; yours would be your KB articles and macros).

The Worker template is open source. Both repos are inspectable: the generic template at github.com/eltrus/cx-worker-template, and the Eltrus-specific tuning that powers this widget at github.com/eltrus/cx-worker-eltrus-demo. You can deploy the same code in your own Cloudflare account if you want to. The retainer is the discipline of someone whose only job is to keep it tuned; the code itself is not the moat.


09

What we do not yet have

The honest list. These items are on the roadmap, not in place yet:

  • SOC 2 / ISO 27001. Not pursuing yet. These certifications cost €30k-€60k+ and a year of process; they are not justified before revenue. If your procurement requires them, we are not the right fit today.
  • Bound insurance policies. Tech E&O and Cyber Liability policies are quoted but not yet bound. Target limits are €2,000,000 per claim each. Insurance is not required for the Tier 0 audit deliverable (cap-of-fees risk is the audit fee itself). Insurance is bound before the first Tier 1 setup, before any AI is deployed in production on a Client helpdesk. Certificate available on request once bound.
  • Public client logos and case studies. We do not have paying clients yet; outreach to the first cohort is underway. Logos and case studies will appear on this site only with the named Client's written consent.
  • Penetration test summary. Scheduled for the first quarter we hit three paying retainers concurrently. Until then, the relevant security artefacts are the access scope, the DPA, and the sub-processor list.

Stating gaps publicly is more useful than pretending they do not exist. If you need any of the above to sign, ask via the contact below; we can tell you what is realistic on what timeline.


10

Roadmap

What we are committing to, and when. Dates are targets, revised publicly if they slip.

  • Solicitor sign-off on the legal pack (MSA, DPA, AI Governance Schedule). Target Q2 2026.
  • Cyber Essentials self-assessment. Target Q3 2026.
  • Tech E&O and Cyber Liability bound. Target Q3 2026, monthly billing, certificate available on request.
  • First reference call available. At three completed Tier 0 audits.
  • ISO 27001 path opens. At three concurrent retainers.

Procurement or security questions

Email the founder directly. Replies usually inside one business day, often faster.