We sell EU AI Act compliance training. We hold ourselves to the same standard the regulation holds you to. Your data stays in the EU, every certificate is independently verifiable, and our infrastructure is built on the same European-region cloud the rest of your stack already trusts.
Hosted in the EU: Frankfurt + Dublin
GDPR-aligned: Article 28 DPA on request
Public verifiability: Every certificate, every time
The platform runs on EU-region cloud infrastructure end-to-end. We do not replicate customer data outside the EU, and we never use US-only sub-processors for core data flows.
| Sub-processor | Role | Region | DPA |
|---|---|---|---|
| Vercel | Application hosting + CDN | EU (Frankfurt, Dublin) | View |
| Supabase | Postgres + Auth + Storage | EU (Frankfurt) | View |
| Stripe | Payments | EU + US (PCI-DSS Level 1) | View |
| Resend | Transactional email | EU + US | View |
| Vimeo | Course video delivery | EU + US | View |
| Cloudflare | DDoS protection + WAF | Global edge (EU PoPs preferred) | View |
| Sentry | Error tracking | EU | View |
| n8n | Workflow automation (transactional emails) | EU (self-hosted) | View |
If we add a new sub-processor, we update this page first and notify customers via email. The list above is canonical — bookmark it for your audit pack.
Every certificate gets a unique AF-Lx-YYYY-NNNNNN identifier and an optional public verify URL at agenticfluxus.com/verify/[id]. A regulator, an auditor, or a customer can confirm authenticity in one click. We never charge to verify.
TLS 1.2+ on every public endpoint. AES-256 at rest on Supabase Postgres + storage. Customer access is gated by Supabase Auth; row-level security policies live on every table that holds tenant data.
In transit
HTTPS-only via Vercel edge. HSTS enforced. Cloudflare protections on the perimeter.
At rest
AES-256 across Postgres, file storage, and backups. Daily automated PITR-eligible snapshots.
Authentication
Supabase Auth (passwords + magic-link). OAuth via Google. Microsoft + SAML on the enterprise roadmap.
Authorisation
Postgres row-level security on every tenant-scoped table. Service-role calls audited in code review.
GDPR (live)
Article 28 Data Processing Agreement on request, sub-processor list above, breach-notification SLA below.
EU AI Act (Article 4 — live)
Our training programme is the deliverable that satisfies Article 4 AI literacy obligations for our customers' staff. Certificates are accepted as audit evidence.
SOC 2 Type II (planned, 2026)
Independent audit scheduled for Q3 2026. Following SOC 2, we'll target ISO 27001 in 2027.
Cyber Essentials Plus (planned, 2026)
UK-aligned baseline pursued in parallel with SOC 2 to support partner deals in the UK market.
We commit to notifying impacted customers of any confirmed personal-data breach within 72 hours of discovery, in line with GDPR Article 33. Notifications go to the org admin email of record and include scope, root cause, mitigation, and your rights.
We welcome reports from independent researchers. We will not pursue legal action against good-faith disclosure that follows the rules below.
Data Processing Agreement
Article 28 GDPR-aligned DPA, ready for signature.
Sub-processor list
The table above. Versioned with every change.
Privacy policy
Plain-English explanation of what we collect, why, and your rights.
Terms of service
Master service terms covering paid courses + Fluxus OS subscriptions.
We answer them all. Even the ones from your procurement team.