Security & Trust
Transparency about how we handle your data, where it's stored, and how we keep it secure.
Infrastructure & Hosting
Pencilroads is hosted on Hetzner Cloud infrastructure in Germany. All services are provided by established vendors with strong security track records and cybersecurity certifications.
| Service | Provider | Region | Purpose |
|---|---|---|---|
| Web Server | Hetzner Cloud Server | Germany | Runs the Pencilroads web server |
| Database | Hetzner Cloud Server | Germany | Stores user accounts, metadata, commits, workflows, comments |
| Workflow Servers | Hetzner Cloud Server | Germany | Runs the workflow processes |
| Workflow Storage | Hetzner Block Storage Volumes | Germany | Stores workflow-produced data (e.g. simulation results) |
| File Storage | Hetzner File Storage | Germany | Stores uploaded files and timeseries |
| AI Processing | Anthropic | US | Analyzes user requests with the project's context |
We are actively working on self-hosting our own AI model so that all customer data is processed entirely within the EU, with no dependency on third-party providers.
Network
Pencilroads workflows run in a private network environment. Our infrastructure is designed to minimize attack surface and to isolate critical components both from external access and from the code that users provide and run.
Workflow Servers: they run in a private network, and each server is hardened to enforce least-privilege access.
Workflow Storage: each workflow has a hard drive assigned. When the workflow's results are obtained and the workflow is closed, the hard drive is wiped and the results persist in our Object Storage.
Job containers: each job in a workflow runs in restricted mode (no privileged access) and with strict resource limits. Each job can only access the hard drive assigned to its workflow.
AI & Data Processing
We use Anthropic's Claude model to power our AI features. Here's how your data is handled:
AI model: Anthropic Claude
Anthropic does not use API customer data to train their models. Commercial API usage is excluded from training data.
Data sent to the API is retained for up to 30 days for trust & safety purposes, then deleted.
Data Security
We implement industry-standard security measures to protect your data:
All data encrypted in transit (TLS 1.2+)
All data encrypted at rest (AES-256)
Automated daily backups with point-in-time recovery
Compliance
Pencilroads is operated by a company subject to EU data protection laws.
GDPR compliant — we process data lawfully and transparently
Data Processing Agreements (DPA) available on request
Full data deletion available upon request
Contact Us
Questions about our security practices? Reach out to us and we'll be happy to help.
security@pencilroads.com
Last updated: February 2026