Trust & Security
One page, every signal a B2B procurement team needs before signing.
Updated continuously. Verified by independent endpoints (Sentry, security.txt,
published sub-processor list).
At-a-glance
Observability & Uptime: Active
Production error and session monitoring via Sentry. Browser SDK (Loader Script v10.x) on every page across 7 sites; .NET SDK on both APIs. Replay + BrowserTracing enabled. Average crash-free session rate: >99.9% (rolling 30-day).
EU AI Act: Aware
Decision-support tooling published at slavin.ai/EU-AI-Act-Checklist. We operate as a downstream provider for most engagements; classification and obligations communicated per engagement. Internal risk taxonomy mirrors the Act's tier-by-purpose model.
GDPR: Compliant
Data Processing Agreement on request. EU sub-processor list below. We minimize personal data collected through forms (name, email, free-text inquiry only). Lead form data retained 24 months unless contracted otherwise. No third-party advertising trackers on lead-capture pages.
152-FZ (Russian Federation): Aware
For engagements involving Russian personal data, slatech.ru handles processing under 152-FZ obligations. Data residency in the Russian Federation; consent flows tested 2026-06. Compliance reference: slavin.ai/152-FZ-Compliance-Checklist.
Security Headers: Active
HSTS (1y + preload), X-Content-Type-Options nosniff, X-Frame-Options SAMEORIGIN, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy with camera / mic / geolocation / FLoC disabled. X-Powered-By and X-AspNet-Version stripped network-wide.
Content Security Policy: Report-Only
CSP currently in Report-Only mode network-wide. Enforce-mode rollout planned per-site after monitoring period. Allowlist is published in the CSP header itself for transparency.
Cookies & Sessions: Hardened
ASP.NET session cookies are Secure; HttpOnly; SameSite=Lax network-wide. No third-party advertising cookies on commercial pages. Analytics: Google Analytics + Yandex Metrica, both with IP anonymization where supported.
Sub-Processors
Below are third-party services that may process customer or visitor data on our behalf.
| Sub-Processor | Purpose | Data Region | DPA |
| --- | --- | --- | --- |
| Cloudflare, Inc. | CDN + DDoS protection + DNS | Global (edge), US (control) | Standard EU DPA |
| Amazon Web Services (SES) | Transactional email delivery | EU (eu-central-1) | AWS DPA |
| Functional Software, Inc. (Sentry) | Error + performance monitoring | US | Sentry DPA |
| Google LLC (Analytics) | Site analytics | EU + US | Google DPA |
| Yandex N.V. (Metrica) | Site analytics (RU sites) | Russia / EU | Yandex DPA |
| Microsoft Corp. (Azure SQL) | Database hosting (selected workloads) | EU (north-europe) | Microsoft DPA |
List last reviewed: 2026-06-20. Material changes notified per DPA terms.
Data Residency
Default residency is European Union (Germany / Ireland) for slavin.pro / slatech.co.il / slavin.ai / slavin.org.il / slavin.education / adults.dev. Russian Federation (Moscow region) for slatech.ru per 152-FZ requirements. Per-engagement residency overrides documented in the engagement contract.
Reporting a Vulnerability
If you have discovered a security issue:
- Email [email protected] with details. Encryption optional but supported on request.
- You will get acknowledgment within 1 business day.
- Initial triage within 5 business days.
- We will keep you informed on remediation timing; CVE assignment where applicable.
- With your consent, attribution in our Hall of Fame once fixed.
Please do not disclose the issue publicly until we have confirmed remediation. We will not pursue legal action against good-faith research conducted within the scope of our security.txt policy.
Independent Endpoints
Machine-readable signals you can verify without taking our word for it: