Trust and compliance

Made to be reviewed, not just trusted.

One place for procurement, security, and legal: where data lives, who processes it, how EU law applies, and why a deterministic compiler is not an AI system.

Your repo stays local

Your copilot holds the repository. Only the bounded context a request needs crosses to Pauhu. The repository never leaves your tool.

EU processing

Composition runs in the European Union (Hetzner, Helsinki). The one processor outside the EU is the payment provider, disclosed in full in the DPA.

Not an AI system

A deterministic compiler does not learn from, profile, or make automated decisions about your developers. The imprint records that it is not an AI system under Regulation (EU) 2024/1689.

Scoped, rotatable access

Access is by an API key you control, sent as a Bearer header over TLS. Keep it confidential; we rotate it on request or on any suspected leak.

No third-party scripts

This site loads only from pauhu.dev. No analytics SaaS, no third-party trackers, no external embeds.

Auditable by design

The same request gives the same cited result, so a security review can reproduce and stand behind what the tool returns.

Sub-processors and transfers

Disclosed in full.

Composition happens in the EU. The only transfer to a third country is to the payment provider, under the EU Standard Contractual Clauses. The DPA carries the authoritative list.

Sub-processorPurposeLocation
Hetzner Online GmbHHosting and compositionHelsinki, Finland (EU)
Stripe, Inc.Payment processingUSA (SCCs / EU-US DPF)
Start free trial, 279 EUR/mo