Data security and privacy
This page describes where your data is hosted, how it’s protected, and who can access it. It’s intended for your IT, legal, and compliance teams. For a specific question or to obtain our detailed documentation, write to security@showy.so.
Hosting and location
Showy is hosted on Amazon Web Services (AWS), Paris region (eu-west-3), across all environments — production and staging alike. Your data stays in Europe. Backups are replicated to the AWS data center in Frankfurt, Germany.
AWS operates under ISO 27017, ISO 27018, ISO 27701, HIPAA, and PCI DSS certifications, within the GDPR framework.
Encryption
Data in transit is encrypted via TLS, with SSL certificates managed by Cloudflare. Files at rest are stored on encrypted Amazon S3, accessible only through the API. The database is managed, with security updates applied automatically.
Identity and access management
Authentication is delegated to Kinde, a dedicated identity provider (IdP). Showy stores no passwords or access tokens. Kinde operates under ISO 27001, SOC 2, GDPR, HIPAA, CAIQ v4, MVSP, and PCI DSS certifications.
Access is role-based: each user only sees what their role allows. SSO is available — Showy integrates with most corporate directories and can automatically assign a user to a permission group based on data passed by your SSO, such as country or department.
Network security
Cloudflare provides the web application firewall, DDoS protection, SSL certificates, and traffic acceleration.
Backups and continuity
The database is backed up automatically every day. Backups are replicated to a second data center, in Frankfurt.
Backups: daily and automatic, retained for 7 days.
AI and your data
No data you enter into Showy is used to train third-party AI models. AI processing is handled by Mistral, a French provider whose infrastructure is operated in Europe.
The AI reads your documents, structures the information, and proposes a result with a confidence score. You approve before anything is published — the AI never decides for you.
Retention and reversibility
Your data belongs to you. You can export it at any time. On termination, it’s retained for 30 days and then permanently deleted.
Subprocessors
| Subprocessor | Role | Data location |
|---|---|---|
| AWS | Hosting, storage, database | France (Paris) and Germany (Frankfurt) |
| Mistral | AI processing | France |
| Kinde | Identity management | European Union |
Your rights and contact
You have the right to access, rectify, erase, port, and object to the processing of your data. To exercise these rights, contact security@showy.so.