built to be inspected, not just trusted.
MakeMode is open source and runs on European infrastructure. So you don't have to take our word for how it's secured — the code is public to read and fork, and the data path stays in the EU by design. This page sets out what's in place today, and what's on the roadmap, in the terms a security review actually asks about.
how we protect data.
These are the controls written into our processor annexes (the SURF Model DPA, Annex 4). They map to the questions a vendor security questionnaire asks, and they apply to identity, prompts, generated output and published projects alike.
encryption in transit and at rest
All traffic is carried over TLS. Stored data — published projects, the managed Postgres database — is encrypted at rest by Scaleway-managed keys in fr-par.
secrets in scaleway secret manager
Every credential (Scaleway API keys, OAuth secrets) lives in Scaleway's managed Secret Manager in France: central, encrypted, versioned, rotatable, IAM-controlled and audited. No secrets in code or tracked files.
least-privilege iam
Access uses IAM-scoped keys granted the minimum each component needs — not shared, blanket credentials. Rotation is a new version in Secret Manager plus a redeploy.
access control
Users authenticate before any session. Identity today is institution-managed (OAuth, moving to SURFconext / eduGAIN SSO), so account control stays with the institution.
data minimisation
Only the context a request needs is sent to the model. Users are instructed — in the AI-transparency notice and terms — not to enter personal or special-category data; none is processed by design.
no hidden telemetry
Local cost / token / carbon telemetry is designed to carry no prompt content. Because the client is open source, you can verify what leaves the device rather than trust a claim.
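The data-minimisation and no-telemetry points above are both allowlist properties: the model request carries only the fields the call needs, and the telemetry record carries only counters. The following is an added example (not MakeMode's code; the field names, sample session and sample usage are constructed assumptions, not the project's real schema) showing how a client can enforce both with allowlists, and how a reviewer can verify the telemetry claim by serialising exactly what would leave the device and checking that the prompt and selected code are not in it:

```python
import json

# Constructed example: the field names below are assumptions for illustration,
# not MakeMode's actual request or telemetry schema.
REQUEST_FIELDS = frozenset({"prompt", "selected_code", "model"})
TELEMETRY_FIELDS = frozenset(
    {"model", "prompt_tokens", "completion_tokens", "cost_eur", "carbon_g"}
)
COUNTER_FIELDS = TELEMETRY_FIELDS - {"model"}

# Constructed sample session: what an editor might hold client-side.
SAMPLE_SESSION = {
    "prompt": "Build a three-question quiz app with a score screen",
    "selected_code": "function start() { showQuestion(0); }",
    "model": "example-eu-model",
    "user_email": "student@example.edu",          # never needed by the model
    "classroom_notes": "Group B, afternoon lab",  # never needed by the model
}

# Constructed sample usage figures returned after a model call.
SAMPLE_USAGE = {
    "model": "example-eu-model",
    "prompt_tokens": 42,
    "completion_tokens": 310,
    "cost_eur": 0.0007,
    "carbon_g": 0.12,
}


def build_model_request(session: dict) -> dict:
    """Data minimisation: forward only the fields the model call needs.

    Anything else in the session (identity, notes) is dropped here, so it
    cannot reach the inference provider by accident.
    """
    return {key: session[key] for key in REQUEST_FIELDS if key in session}


def build_telemetry_event(usage: dict) -> dict:
    """Allowlist the telemetry record so prompt content cannot slip in.

    Unknown fields are rejected rather than silently forwarded, and the
    counters must actually be numbers: a string value is where free text
    would hide.
    """
    extra = set(usage) - TELEMETRY_FIELDS
    if extra:
        raise ValueError(f"telemetry field(s) not on allowlist: {sorted(extra)}")
    for key in COUNTER_FIELDS:
        value = usage.get(key)
        if value is not None and (
            isinstance(value, bool) or not isinstance(value, (int, float))
        ):
            raise ValueError(f"telemetry counter {key!r} must be numeric")
    return {key: usage[key] for key in TELEMETRY_FIELDS if key in usage}


def leaks_content(event: dict, sensitive_texts: list[str]) -> bool:
    """Reviewer's check: does the serialised event contain any of the texts?

    Serialise exactly what would leave the device and search it for the
    prompt and the selected code.
    """
    wire_form = json.dumps(event, sort_keys=True)
    return any(text and text in wire_form for text in sensitive_texts)


def run_demo() -> dict:
    request = build_model_request(SAMPLE_SESSION)
    event = build_telemetry_event(SAMPLE_USAGE)
    leaked = leaks_content(
        event, [SAMPLE_SESSION["prompt"], SAMPLE_SESSION["selected_code"]]
    )
    # A misconfigured client that tries to log the prompt alongside the cost
    # counters is refused at build time rather than shipping it.
    try:
        build_telemetry_event({**SAMPLE_USAGE, "prompt": SAMPLE_SESSION["prompt"]})
        rejected = False
    except ValueError:
        rejected = True
    return {
        "request_fields": sorted(request),
        "event": event,
        "leaks": leaked,
        "rejected_extra_field": rejected,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The allowlist is deliberately the only source of truth: a new field reaches the wire only if someone adds it to `TELEMETRY_FIELDS`, which is a one-line, reviewable change in an open repository, whereas a denylist of "things not to log" fails silently the first time a new field is added.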
On the inference hop, an important honesty note: prompts and code are processed by the EU-hosted model to answer a request and are not retained by MakeMode beyond returning the response. The provider-side no-retention / no-training / no-EU-exit guarantee is being pinned contractually in the Scaleway Generative APIs terms — until that is signed we describe it as design intent, not a guarantee. See sovereignty & models for the full picture.
open source is a security property, not a slogan.
Closed SaaS asks you to trust a black box. MakeMode is open source, which turns three claims into things you can check yourself: the code is auditable — anyone, including your own security team, can read how authentication, storage and the model calls work; there is no hidden telemetry, because you can see exactly what the client sends; and you can self-host or fork, so the software keeps working on your terms even if we don't. For an institution that has to answer for where its students' work goes, that is a stronger guarantee than any badge.
infrastructure: one region, in europe.
Processing runs on Scaleway in France (the fr-par region) — inference, object storage for published projects, the managed Postgres database, Secret Manager and transactional email. There is no US vendor in the data path and no intended transfer outside the EEA. A single EU region also means a smaller, simpler surface to secure, audit and reason about — fewer places data can be, fewer jurisdictions to assess.
Payments (paid tiers only) are handled by Mollie, a PSD2-licensed processor in the Netherlands — no card data is held by MakeMode. Full residency and sub-processor detail is on sovereignty & models.
when something goes wrong, and how to tell us.
Our incident-response process is aligned to the GDPR timelines (Articles 33 and 34): on becoming aware of a personal-data breach we notify the institution as controller without undue delay, with the information it needs to meet its own 72-hour obligation to the supervisory authority.
We welcome responsible disclosure. If you believe you've found a security issue, email hello@makemode.eu with enough detail to reproduce it. Please give us reasonable time to fix it before going public. Because the code is open, you can also point us straight at the line.
standards and certifications, stated plainly.
We would rather be precise than impressive. Here is exactly what is in place versus what is on the roadmap — no badges we don't hold.
iso 27001 — aligned, not yet certified
Our controls and policies are written to align with the ISO 27001 control set. Formal certification is on the roadmap as we scale; we don't claim to hold it today.
soc 2 and others — not held
We don't hold SOC 2 (a US-oriented framework) or other certifications. For an EU-sovereignty posture we prioritise the ISO 27001 / 27701 path, pursuing SOC 2 only if a specific customer requires it.
eu ai act — limited-risk
MakeMode is a prototype-building assistant, classified limited-risk (not high-risk). An AI-transparency notice is in place, and the tool is explicitly not used for student assessment or grading.
We map readily to the Dutch higher-education baselines a buyer will check (the SURF vendor security assessment and the Normenkader Informatiebeveiliging HO), and we build for accessibility to EN 301 549 / WCAG 2.1 AA. Full detail lives in the trust overview and the compliance pack we can share under review.
a review should be able to verify, not just believe.
If you're running a DPIA, a procurement check or a vendor security assessment, start with the trust overview and the related pages below — then write to us for the compliance pack and a walk-through of the code.