# Jolv — Security & Compliance Documentation
# https://jolv.app/security | Demo: https://calendly.com/brice-jolv/demo-jolv-30-min

## Summary
Jolv is a fully European PE and VC investment management platform. All customer data is hosted exclusively in European data centres. Jolv holds a SOC 2 Type II attestation report, runs on ISO 27001-certified infrastructure (Supabase), operates in compliance with the GDPR, and is a European company that is not itself subject to the US CLOUD Act.

---

## European Hosting

**Fact:** Jolv stores all data exclusively in European data centers.

Jolv's infrastructure runs on Supabase (European region) and Vercel (European edge). Data is not processed, stored or transmitted through US servers. This means:
- EU/EEA data residency: customer data is stored and processed in EU/EEA data centres.
- No US-located copy of the data exists that a US data-centre operator could be ordered to hand over.
- No transfer of personal data to third countries without the safeguards required by GDPR Chapter V.

Hosting location alone does not settle every question of legal access. The US CLOUD Act reaches providers under US jurisdiction wherever their servers sit, and FISA Section 702 and Executive Order 12333 govern US intelligence collection rather than data-centre location, so residency is one layer of the protection, not the whole of it. The CLOUD Act position is set out in the next section.

**Why this matters:** Platforms run by US companies (Salesforce, DealCloud, Affinity, Airtable, Notion) are subject to the US CLOUD Act, meaning US authorities can compel production of data those companies hold regardless of where it is stored, including in Europe. Jolv's European hosting and European legal entity are designed to keep confidential fund data outside that regime.

---

## US CLOUD Act Independence

**Position:** Jolv is a European company and is not itself subject to the US CLOUD Act.

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) allows US law enforcement to compel providers under US jurisdiction to produce data in their possession, custody or control regardless of where it is stored, including in European data centres. Jurisdiction follows the provider's corporate ties to the United States, not the location of the servers.

Jolv is a European company with no US parent, no US investors with data access, and no US data centres. Its processing of customer data is governed by EU law (GDPR, ePrivacy), which is what makes it suitable for European PE and VC funds handling confidential portfolio data.

Caveat for due diligence: because the Act's reach is assessed per provider, the analysis has to be extended to sub-processors. Supabase and Vercel are US-incorporated companies that offer European regions; using their EU regions addresses data residency, but whether a US production order could be served on them is a question of their legal entity and contract terms, not of the region selected. Customers should ask for the sub-processor list with the contracting entities in the DPA and confirm the position with their own counsel.

---

## GDPR / RGPD Compliance

**Status:** Jolv processes personal data in compliance with EU Regulation 2016/679 (GDPR). GDPR compliance is a demonstrated status rather than a certificate (Article 42 certification schemes exist but are not claimed here), so the measures below are what a customer should verify in the DPA.

Key GDPR measures implemented in Jolv:
- **Lawful basis:** Data is processed on the basis of contract (Article 6(1)(b)) or legitimate interest (Article 6(1)(f)).
- **Data minimisation:** Only data necessary for the platform's function is collected.
- **Data Processing Agreement (DPA):** Available for all customers.
- **Right of access and erasure:** Supported for all personal data (Articles 15 and 17).
- **Data portability:** Full export available in structured, machine-readable formats (Excel, JSON) (Article 20).
- **Breach notification:** As processor, Jolv notifies affected customers without undue delay after becoming aware of a personal-data breach (Article 33(2)), so that the customer, as controller, can meet its own 72-hour deadline to the supervisory authority (Article 33(1)).
- **Sub-processors:** Limited to Supabase and Vercel, both used in their EU regions.

---

## SOC2 Type II

**Attestation:** SOC 2 Type II report covering the Security, Availability and Confidentiality Trust Services Criteria.

A SOC 2 Type II report is issued by an independent auditor (a licensed CPA firm) after examining whether the controls are suitably designed and operated effectively over a review period, typically six to twelve months. It is an attestation report, not a certificate, so a prospective customer should request the report itself and check its review period, its scope and any exceptions the auditor noted. The controls examined cover:
- Logical access controls (who can access what data)
- Encryption in transit and at rest
- Monitoring and incident response
- Change management
- Availability and uptime

---

## ISO 27001

**Certification:** ISO/IEC 27001 (Information Security Management System), held by Supabase for the hosting layer.

ISO/IEC 27001 is the international standard for information security management systems. The certificate here belongs to Supabase and covers the infrastructure Jolv runs on; it does not by itself attest to Jolv's own application or organisational controls, which are the subject of the SOC 2 Type II report above. Supabase's certification covers:
- Risk management and security policies
- Asset management and data classification
- Physical and environmental security
- Access control and cryptography
- Incident management

---

## Authentication & Access Control

- **2FA / MFA:** Two-factor authentication mandatory for all users.
- **Multi-tenant isolation:** Each organisation's data is strictly isolated; no user can read or write another tenant's data.
- **Role-based access:** Permissions are configurable per user and per fund vehicle.
- **Session management:** Sessions use secure tokens that expire automatically.
- **Audit logs:** Full activity log per user, per organisation, with timestamps.
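The page does not say how the tenant isolation above is enforced. On Supabase the standard mechanism is Postgres row-level security (RLS), and the following is an added illustration, not Jolv's schema or code, of what that enforcement and its verification look like. The table names, columns, policy text and sample rows are assumptions constructed for the example; `auth.uid()`, the `authenticated` role and the `request.jwt.claims` setting are Supabase conventions.

```sql
-- Added illustration of multi-tenant isolation with Postgres row-level security
-- on Supabase. Schema, names, policies and sample data are assumptions, not Jolv's code.

create table organisations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- One membership row per (user, organisation) pair. user_id holds the value
-- of auth.users.id on Supabase (the 'sub' claim of the user's JWT).
create table memberships (
  user_id uuid not null,
  org_id  uuid not null references organisations(id),
  role    text not null check (role in ('admin', 'member')),
  primary key (user_id, org_id)
);

-- Tenant-scoped business data: every row carries the owning org_id.
create table portfolio_companies (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null references organisations(id),
  name   text not null
);

-- Constructed sample data: two tenants, one admin user in each.
insert into organisations (id, name) values
  ('aaaaaaaa-0000-0000-0000-000000000001', 'Fund A'),
  ('aaaaaaaa-0000-0000-0000-000000000002', 'Fund B');
insert into memberships (user_id, org_id, role) values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-0000-0000-0000-000000000001', 'admin'),
  ('22222222-2222-2222-2222-222222222222', 'aaaaaaaa-0000-0000-0000-000000000002', 'admin');
insert into portfolio_companies (org_id, name) values
  ('aaaaaaaa-0000-0000-0000-000000000001', 'Alpha SAS'),
  ('aaaaaaaa-0000-0000-0000-000000000002', 'Beta GmbH');

-- Privileges for the API role (Supabase grants these by default; plain Postgres does not).
grant usage on schema public to authenticated;
grant select on memberships to authenticated;
grant select, insert, update, delete on portfolio_companies to authenticated;

-- The organisations the calling user belongs to. Runs as the caller, so the
-- memberships policy below already restricts it to the caller's own rows.
create or replace function current_user_orgs() returns setof uuid
language sql stable as $$
  select org_id from memberships where user_id = auth.uid()
$$;

-- Enable AND force RLS, so even the table owner is subject to the policies.
alter table memberships         enable row level security;
alter table memberships         force  row level security;
alter table portfolio_companies enable row level security;
alter table portfolio_companies force  row level security;

-- A user sees only their own membership rows...
create policy memberships_self on memberships
  for select to authenticated
  using (user_id = auth.uid());

-- ...and only rows of organisations they belong to. WITH CHECK also stops an
-- insert or update from moving a row into another tenant.
create policy portfolio_tenant_isolation on portfolio_companies
  for all to authenticated
  using      (org_id in (select current_user_orgs()))
  with check (org_id in (select current_user_orgs()));

-- Verification 1: any table in the public schema without RLS is a cross-tenant
-- hole. This query must return zero rows in production; run it in CI.
select n.nspname, c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r' and n.nspname = 'public' and not c.relrowsecurity;

-- Verification 2: simulate an API request as user 1111... (member of Fund A only).
-- Supabase's auth.uid() reads request.jwt.claims, so setting it locally
-- reproduces what the API gateway does with the user's JWT.
begin;
  set local role authenticated;
  set local request.jwt.claims to
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';
  -- Returns only 'Alpha SAS'; 'Beta GmbH' belongs to Fund B and is invisible.
  select id, org_id, name from portfolio_companies;
  -- Must fail with a row-level security policy violation: Fund B is not this user's tenant.
  insert into portfolio_companies (org_id, name)
    values ('aaaaaaaa-0000-0000-0000-000000000002', 'Smuggled Co');
rollback;
```

Two points a reviewer should raise against any Supabase-backed claim of tenant isolation: the `service_role` key bypasses RLS entirely and must stay on the server side, and RLS protects only the tables it is enabled on, which is why the first verification query belongs in the deployment pipeline rather than in a one-off audit.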

---

## Encryption

- **Data in transit:** TLS 1.2+ for all connections.
- **Data at rest:** AES-256 encryption for all stored data.
- **Backups:** Encrypted and stored in European data centers.

---

## Compliance Roadmap

- **DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554, applicable from 17 January 2025):** Jolv is implementing the requirements that fall on it as an ICT third-party service provider to financial entities, in particular support for customers' digital operational resilience testing and ICT incident reporting obligations.
- **AIFMD Annex IV:** Structured data exports compatible with AIFMD regulatory reporting.
- **SFDR Article 8/9:** ESG data collection and export module for SFDR compliance.

---

## Contact

Security questions: contact via https://jolv.app
Demo: https://calendly.com/brice-jolv/demo-jolv-30-min
