security

built to be inspected, not just trusted.

MakeMode is open source and runs on European infrastructure. So you don't have to take our word for how it's secured — the code is public to read and fork, and the data path stays in the EU by design. This page sets out what's in place today, and what's on the roadmap, in the terms a security review actually asks about.

processing on scaleway, france (fr-par) · no us vendor in the data path
technical & organisational measures

how we protect data.

These are the controls written into our processor annexes (the SURF Model DPA, Annex 4). They map to the questions a vendor security questionnaire asks, and they apply to identity, prompts, generated output and published projects alike.

encryption in transit and at rest

All traffic is carried over TLS. Stored data — published projects, the managed Postgres database — is encrypted at rest by Scaleway-managed keys in fr-par.

secrets in scaleway secret manager

Every credential (Scaleway API keys, OAuth secrets) lives in Scaleway's managed Secret Manager in France: central, encrypted, versioned, rotatable, IAM-controlled and audited. No secrets in code or tracked files.

least-privilege iam

Access uses IAM-scoped keys granted the minimum each component needs — not shared, blanket credentials. Rotation is a new version in Secret Manager plus a redeploy.

access control

Users authenticate before any session. Identity today is institution-managed (OAuth, moving to SURFconext / eduGAIN SSO), so account control stays with the institution.

data minimisation

Only the context a request needs is sent to the model. Users are instructed — in the AI-transparency notice and terms — not to enter personal or special-category data; none is processed by design.

no hidden telemetry

Local cost / token / carbon telemetry is designed to carry no prompt content. Because the client is open source, you can verify what leaves the device rather than trust a claim.

On the inference hop, an important honesty note: prompts and code are processed by the EU-hosted model to answer a request and are not retained by MakeMode beyond returning the response. The provider-side no-retention / no-training / no-EU-exit guarantee is being pinned contractually in the Scaleway Generative APIs terms — until that is signed we describe it as design intent, not a guarantee. See sovereignty & models for the full picture.

don't trust us — read the code

open source is a security property, not a slogan.

Closed SaaS asks you to trust a black box. MakeMode is open source, which turns three claims into things you can check yourself: the code is auditable — anyone, including your own security team, can read how authentication, storage and the model calls work; there is no hidden telemetry, because you can see exactly what the client sends; and you can self-host or fork, so the software keeps working on your terms even if we don't. For an institution that has to answer for where its students' work goes, that is a stronger guarantee than any badge.

eu-only by design

infrastructure: one region, in europe.

Processing runs on Scaleway in France (the fr-par region) — inference, object storage for published projects, the managed Postgres database, Secret Manager and transactional email. There is no US vendor in the data path and no intended transfer outside the EEA. A single EU region also means a smaller, simpler surface to secure, audit and reason about — fewer places data can be, fewer jurisdictions to assess.

scaleway fr-par (france) · no transfer outside the eea · single region = smaller attack & compliance surface

Payments (paid tiers only) are handled by Mollie, a PSD2-licensed processor in the Netherlands — no card data is held by MakeMode. Full residency and sub-processor detail is on sovereignty & models.

incident response & disclosure

when something goes wrong, and how to tell us.

breach notification
we tell the controller without undue delay.

Our incident-response process is aligned to the GDPR timelines (Articles 33 and 34): on becoming aware of a personal-data breach we notify the institution as controller without undue delay, with the information it needs to meet its own 72-hour obligation to the supervisory authority.

reporting a vulnerability
found something? we want to hear it.

We welcome responsible disclosure. If you believe you've found a security issue, email hello@makemode.eu with enough detail to reproduce it. Please give us reasonable time to fix it before going public. Because the code is open, you can also point us straight at the line.

honest status

standards and certifications, stated plainly.

We would rather be precise than impressive. Here is exactly what is in place versus what is on the roadmap — no badges we don't hold.

iso 27001 — aligned, not yet certified

Our controls and policies are written to align with the ISO 27001 control set. Formal certification is on the roadmap as we scale; we don't claim to hold it today.

soc 2 and others — not held

We don't hold SOC 2 (a US-oriented framework) or other certifications. For an EU-sovereignty posture we prioritise the ISO 27001 / 27701 path, pursuing SOC 2 only if a specific customer requires it.

eu ai act — limited-risk

MakeMode is a prototype-building assistant, classified limited-risk (not high-risk). An AI-transparency notice is in place, and the tool is explicitly not used for student assessment or grading.

We map readily to the Dutch higher-education baselines a buyer will check — the SURF vendor security assessment and the Normenkader Informatiebeveiliging HO — and we build for accessibility to EN 301 549 / WCAG 2.1 AA. Full detail lives in the trust overview and the compliance pack we can share under review.

a review should be able to verify, not just believe.

If you're running a DPIA, a procurement check or a vendor security assessment, start with the trust overview and the related pages below — then write to us for the compliance pack and a walk-through of the code.