Security & GDPR

Money-grade security. Irish-law privacy.

Cuan holds owners' financial data, arrears histories and the agency's reputation. So we built it the way you'd want your bank built — EU-only, access control at the database, an immutable trail, and payments that never touch our balance sheet. Bring your accountant.

EU-only hosting & subprocessors

Database, email, SMS and AI providers are all EU-based. Personal data isn't transferred outside the EEA in normal operation.

GDPR processor model

Agencies (and OMCs) are controllers; Cuan is the processor, under a DPA signed at onboarding.

Elevated-sensitivity data

Arrears and vulnerable flags get stricter access controls and full audit logging.

RLS at the database

Row-level security mirrors the role-based permission model — access is enforced in the data layer, not just the UI.
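The sentence above describes the control in the abstract. The following is an added example, not Cuan's schema or code, showing how PostgreSQL row-level security can mirror an application role model so that the data layer itself refuses rows the UI would not have shown, including the stricter handling of arrears and vulnerable flags mentioned under elevated-sensitivity data. Every table, column, role and `app.*` setting name is an assumption made for the example.

```sql
-- Added example (not Cuan's schema): PostgreSQL row-level security that
-- mirrors an application role model. Table, column and setting names
-- are assumed for illustration.

CREATE TABLE owner_account (
    id            bigserial PRIMARY KEY,
    agency_id     bigint  NOT NULL,
    owner_user_id bigint  NOT NULL,
    balance_cents bigint  NOT NULL DEFAULT 0,
    in_arrears    boolean NOT NULL DEFAULT false,  -- elevated-sensitivity flag
    vulnerable    boolean NOT NULL DEFAULT false   -- elevated-sensitivity flag
);

-- Constructed sample rows, seeded before RLS is switched on.
INSERT INTO owner_account (agency_id, owner_user_id, balance_cents, in_arrears)
VALUES (7, 42, 0, false), (7, 43, -120000, true);

-- The application authenticates the caller, then labels the transaction with
-- SET LOCAL before running any query. current_setting(name, true) returns NULL
-- for an absent setting, so an unlabelled session matches nothing, not everything.
CREATE FUNCTION app_setting(setting_name text) RETURNS text
    LANGUAGE sql STABLE AS
$$ SELECT nullif(current_setting(setting_name, true), '') $$;

ALTER TABLE owner_account ENABLE ROW LEVEL SECURITY;
ALTER TABLE owner_account FORCE ROW LEVEL SECURITY;  -- filters the table owner too

-- Owners see exactly one row: their own.
CREATE POLICY owner_self ON owner_account FOR SELECT
    USING (app_setting('app.role') = 'owner'
           AND owner_user_id = app_setting('app.user_id')::bigint);

-- Agency users are scoped to their agency. A role without financial visibility
-- ('staff') is also kept away from arrears/vulnerable rows; 'finance' and
-- 'director' see every row in the agency. Policies are permissive, so a row
-- is visible when any one policy passes.
CREATE POLICY agency_scope ON owner_account FOR SELECT
    USING (agency_id = app_setting('app.agency_id')::bigint
           AND (app_setting('app.role') IN ('finance', 'director')
                OR (app_setting('app.role') = 'staff'
                    AND NOT in_arrears AND NOT vulnerable)));

-- Only finance may change balances or flags; every other role is read-only.
CREATE POLICY finance_write ON owner_account FOR UPDATE
    USING (agency_id = app_setting('app.agency_id')::bigint
           AND app_setting('app.role') = 'finance');

-- Constructed walk-through: the same query under two identities.
BEGIN;
SET LOCAL app.role = 'staff';        -- no financial visibility
SET LOCAL app.agency_id = '7';
SELECT id, owner_user_id, balance_cents FROM owner_account;
COMMIT;

BEGIN;
SET LOCAL app.role = 'finance';      -- financial visibility
SET LOCAL app.agency_id = '7';
SELECT id, owner_user_id, balance_cents, in_arrears FROM owner_account;
COMMIT;
```

In the walk-through the staff transaction never receives the arrears row, and a transaction that sets no `app.*` labels receives nothing at all, because the policies are evaluated inside the database rather than in application code. Two caveats apply to any deployment of this pattern: the application must connect as a role that is neither a superuser nor marked `BYPASSRLS`, since those bypass every policy, and the `SET LOCAL` labels must be written only after authentication, never copied from client-supplied input.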

MFA & SSO

SSO via Google/Microsoft, MFA enforced for any role with financial visibility; magic-link with rate-limiting for owners.

7-year immutable audit log

Actor, action, object, before/after, IP and timestamp — retained at least seven years and never editable.
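The fields listed above map directly onto an append-only table. The following is an added example, not Cuan's code, of how such a log can be built in PostgreSQL (11 or later assumed): a trigger captures actor, action, object, before/after state, IP and timestamp for every change to an elevated-sensitivity table, and a second trigger plus restricted grants make the log itself uneditable. All table, column, role and `app.*` setting names are assumptions for the example.

```sql
-- Added example (not Cuan's schema): an append-only audit table and the
-- triggers that feed and protect it. Names are assumed for illustration.

CREATE TABLE audit_log (
    id           bigserial   PRIMARY KEY,
    occurred_at  timestamptz NOT NULL DEFAULT now(),
    actor_id     bigint,                 -- NULL for unattended jobs
    actor_ip     inet,
    action       text        NOT NULL,   -- INSERT, UPDATE or DELETE
    object_type  text        NOT NULL,
    object_id    bigint      NOT NULL,
    before_state jsonb,                  -- NULL on INSERT
    after_state  jsonb                   -- NULL on DELETE
);

-- First line of defence: the application role may only append and read.
-- Retention is a policy decision; nothing here ever deletes a row.
CREATE ROLE app_user;
GRANT SELECT, INSERT ON audit_log TO app_user;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_user;

-- Second line: a trigger that refuses rewriting even for the table owner or a
-- migration run with broader grants. TRUNCATE triggers must be statement-level,
-- so the whole guard is declared FOR EACH STATEMENT.
CREATE FUNCTION audit_log_immutable() RETURNS trigger
    LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% refused)', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END $$;

CREATE TRIGGER audit_log_guard
    BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- An elevated-sensitivity table whose every change is recorded.
CREATE TABLE vulnerable_flag (
    id         bigserial PRIMARY KEY,
    account_id bigint  NOT NULL,
    flagged    boolean NOT NULL,
    reason     text
);

-- Actor and IP come from transaction-local settings the application writes
-- after authenticating; to_jsonb(OLD) / to_jsonb(NEW) capture the full
-- before and after state of the row.
CREATE FUNCTION record_audit() RETURNS trigger
    LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO audit_log (actor_id, actor_ip, action, object_type, object_id,
                           before_state, after_state)
    VALUES (
        nullif(current_setting('app.user_id', true), '')::bigint,
        nullif(current_setting('app.client_ip', true), '')::inet,
        TG_OP,
        TG_TABLE_NAME,
        CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END,
        CASE WHEN TG_OP = 'INSERT' THEN NULL ELSE to_jsonb(OLD) END,
        CASE WHEN TG_OP = 'DELETE' THEN NULL ELSE to_jsonb(NEW) END
    );
    RETURN NULL;  -- AFTER trigger: the return value is ignored
END $$;

CREATE TRIGGER vulnerable_flag_audit
    AFTER INSERT OR UPDATE OR DELETE ON vulnerable_flag
    FOR EACH ROW EXECUTE FUNCTION record_audit();

-- Constructed walk-through: one insert and one update by user 42.
BEGIN;
SET LOCAL app.user_id = '42';
SET LOCAL app.client_ip = '203.0.113.9';
INSERT INTO vulnerable_flag (account_id, flagged, reason)
VALUES (1001, true, 'bereavement');
UPDATE vulnerable_flag SET flagged = false WHERE account_id = 1001;
COMMIT;

SELECT occurred_at, actor_id, actor_ip, action, object_id,
       before_state ->> 'flagged' AS flagged_before,
       after_state  ->> 'flagged' AS flagged_after
FROM audit_log ORDER BY id;

DELETE FROM audit_log;  -- refused by audit_log_guard
```

After the walk-through the log holds one row per change, each with the actor, client IP, timestamp and the row as it looked before and after, and the closing `DELETE` fails with the exception raised by the guard trigger. Grants and the guard trigger are deliberately separate layers: the grants stop the application role, and the trigger stops anyone who can reach the table with broader privileges short of dropping the trigger itself, which is why the database roles used by day-to-day tooling should not own the table.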

Bannered support access

Any Cuan support impersonation is visibly bannered and logged, every time.

WCAG 2.2 AA

Accessibility built into every owner and director surface, because the member base spans every age.

The payment architecture

Cuan never holds your funds.

Direct-debit and card rails are contracted in the agency's or OMC's name and settle directly into the PSRA client account. Cuan meters volume for billing but is never in the flow of money. That keeps us outside e-money licensing — and means every euro is referenced, matched and reportable, strengthening your PSRA accountant's report rather than complicating it.

Reliability

A 99.9% availability target and a public status page. A failed direct-debit run is treated as a severity-one incident, with customer-communication templates ready to go — because a money product can't be casual about money.

The AI is approval-first

No AI output reaches an owner, director, contractor or solicitor without explicit human approval. Prompts and outputs are logged, PII is minimised, and every AI feature is toggleable per agency.

Due diligence

The questions your accountant will ask.

In the EU, end to end. Hosting and every subprocessor (database, email, SMS, AI) are EU-based, and the current subprocessor list is available to controllers with notice of any change.

The short version

Built like a bank, not a spreadsheet.

EU-hosted, GDPR processor model, row-level security, and a payment architecture where Cuan is never in the flow of funds. Money-grade by design.

EU-only: hosting and every subprocessor

7-yr: immutable audit log of every action

€0: client funds Cuan ever holds

99.9%: availability target, with a status page

Due diligence welcome

Bring your questions — and your accountant.

We'll walk through hosting, the DPA, the audit log and the funds-flow architecture in detail. Money-grade scrutiny is exactly what we built for.