# Security

> Built in Stockholm, hosted in the EU. One sub-processor for every model. No training on your data, and only metadata stored by default.

Opper is built for teams that need real compliance.

This page covers security on both planes: the [AI Gateway](/overview/gateway), which decides where calls can go at request time, and the platform, which is how everything underneath is hosted and protected.

## EU-hosted by default

The platform runs only in AWS Stockholm. Traces, routing tables, scoring history, and metadata stay in the EU. The one thing that leaves Opper's footprint is the model call itself, and you can constrain even that at the gateway.

Use [Comply](/control-plane/comply) rules to:

* Restrict calls to EU-only providers (Mistral, Azure EU, and others)
* Pin specific regions or countries that calls can route to
* Enforce Zero Data Retention by limiting calls to ZDR-eligible providers

The gateway rejects anything that violates these rules before it leaves the platform.

## We don't train on your data

Opper never uses customer data to train models, and never shares it with providers for training.

## Your prompts and responses aren't stored by default

By default, Opper records only metadata for each call: the model, token counts, cost, and latency. Your prompts and responses are never written to disk. That's how every project starts, with no configuration.

To keep full traces (the request, the response, and every step) for debugging and scoring, add a [Comply](/control-plane/comply) retention rule. Content is then kept for the window you choose, up to 30 days, and deleted automatically after.

For the strictest workloads, a Zero Data Retention rule also restricts calls to providers that don't retain your data, so nothing persists with the model provider either.

## One sub-processor for every model

Most AI vendors require a separate DPA amendment for every model provider you turn on. Opper doesn't. Opper is your one AI sub-processor, so you can add or remove models without rewriting contracts.

### Platform sub-processors

| Sub-processor       | Purpose                                     | Location         |
| ------------------- | ------------------------------------------- | ---------------- |
| Amazon Web Services | Platform data, indexes, traces, generations | Sweden           |
| Auth0               | Authentication                              | Germany, Ireland |
| Datadog             | Error logging                               | Germany          |
| Sentry              | Error logging                               | Germany          |
| Google Workspace    | Support correspondence                      | Europe           |
| Modal / Docling     | Document parsing                            | Europe           |
| Stripe              | Payment processing                          | United States    |

### Model providers (you pick which to enable)

| Provider                              | Location         |
| ------------------------------------- | ---------------- |
| Mistral                               | France 🇪🇺      |
| Microsoft Azure                       | EU 🇪🇺          |
| Google Vertex (EU)                    | Netherlands 🇪🇺 |
| Anthropic, OpenAI, Google Gemini, xAI | United States    |
| Groq, Cerebras, Fireworks             | United States    |

Enable only EU providers via Comply and no customer content ever leaves the EU.

## Encryption

* At rest: AWS RDS with KMS-managed keys. Uploaded files use S3 SSE-S3.
* In transit: TLS on every public endpoint.
* Backups: encrypted in AWS Backup. Daily snapshots kept 5 weeks, weekly snapshots 14 months. Only Opper engineers can restore.

## Data isolation

Each organization's data is isolated at the application layer. Uploaded files live in a private S3 bucket with objects segregated per organization. Service-to-service traffic is restricted to a private AWS VPC.

## Deletion

* Delete a project → all associated traces and events are removed.
* Set retention to 0 via [Comply](/control-plane/comply) → traces are deleted as they complete.

## DPA and contact

Standard DPA and Standard Contractual Clauses are available on request. Contact [hello@opper.ai](mailto:hello@opper.ai).

* Full DPA: [opper.ai/data-processing-agreement](https://opper.ai/data-processing-agreement)
* Sub-processors list: [opper.ai/sub-processors](https://opper.ai/sub-processors)

## Controls that put this in your code

<CardGroup cols={2}>
  <Card title="Comply" icon="scale-balanced" href="/control-plane/comply">
    Restrict providers, regions, retention, and budget at the gateway.
  </Card>

  <Card title="Guard" icon="shield" href="/control-plane/guard">
    Block or redact sensitive content before the model sees it.
  </Card>
</CardGroup>

## Models

See which models you can reach, and which ones are EU-hosted.

<CardGroup cols={2}>
  <Card title="Models" icon="brain" href="https://opper.ai/models">
    The full catalog, with EU-hosted models marked.
  </Card>

  <Card title="Integrations" icon="plug" href="/overview/integrations">
    Use Opper as the provider for your editor, agent, or CLI.
  </Card>
</CardGroup>
