Skip to content

Security & Compliance

What the gateway does with your data, which EU rules apply, and where each claim is backed up. Everything on this page is either enforced in the running service or available as a document you can request.

The short version

ClaimHow it works
No prompt storagePrompts and outputs are processed in memory and discarded when the request completes. Usage logs hold token counts, model, latency and cost, never content. Async results wait in memory for at most 24 hours until you fetch them.
EU-only routingAn API key can carry a provider allowlist. A key restricted to local models and Vertex AI (europe-west1) cannot reach a US or Chinese provider: the server rejects the request with 403 PROVIDER_NOT_ALLOWED.
AI Act transparencyVoice agents disclose that they are AI by default, and generated images and audio carry a machine-readable AI marking (IPTC trainedAlgorithmicMedia).
GDPR processor termsArticle 28 DPA with a published sub-processor list, transfer impact assessments and 48-hour breach notification. Per-key data export and erasure on request.
ISO 27001-alignedDocumented ISMS: risk register, statement of applicability across all 93 Annex A controls, security whitepaper.
No lock-inUsage records and custom models trained for you export in machine-readable formats. No switching or egress fees (EU Data Act).

Data handling & retention

The gateway is operated by CanaryCoders S.L. from Spain. What little it keeps, it keeps briefly:

DataRetention
Prompt and completion contentNot stored (in-memory only, max 24h for unfetched async results)
Usage logs (metadata only)90 days
Billing aggregatesDaily 2 years, monthly 6 years (statutory accounting)
Session metadata (voice/realtime)90 days after completion
Uploaded videos1 hour
Vision training datasetsDeleted after training, 24-hour orphan sweep

Third-country transfers are documented per provider in the Data Residency section, including the ones that make residency-sensitive routing a bad idea. The periods above run as scheduled sweeps in the service itself.

EU AI Act (Article 50)

The transparency obligations of Regulation (EU) 2024/1689 apply from 2 August 2026. The gateway ships both provider-side duties:

  • Disclosure: conversational voice agents and realtime voice sessions tell participants they are talking to an AI at the start of the session, unless you explicitly take that duty over (aiDisclosure: false).
  • Content marking: generated PNG/JPEG images and MP3/WAV audio are marked machine-readable as AI-generated. Markings applied upstream (C2PA, SynthID) pass through untouched because the gateway never re-encodes output media.

As a deployer you keep two duties of your own: informing the people you expose to these systems, and labelling published synthetic content where Article 50(4) requires it. Keeping the embedded markings intact when you store or republish output covers most of the second one.

Documents available on request

  • Security whitepaper (architecture, controls, incident response, business continuity)
  • GDPR Article 28 DPA with sub-processor list and transfer impact assessments
  • Statement of applicability (ISO 27001:2022 Annex A) and retention policy

Contact kai@canarycoders.es. Customer audits are supported on a documentation-first basis under the DPA.