JuiceFactory was designed security-first from the infrastructure layer up. Every architectural decision — from datacenter placement to memory management — is driven by a single constraint: customer data must never be exposed, persisted, or accessible beyond the scope of a single inference request.
All inference runs on dedicated GPU servers in Stockholm, Sweden. No request is routed outside the EU/EEA. The datacenter operator is an EU-incorporated entity subject to Swedish and EU law.
JuiceFactory does not use US-headquartered cloud providers for inference, storage, or networking. This eliminates exposure to CLOUD Act and FISA 702 compelled-disclosure risks.
GPU resources are not shared with other tenants at the hardware level. Workloads run on isolated compute nodes with no shared memory spaces between customers.
Prompts and completions are processed entirely in memory. Nothing is written to disk, logged to a persistent store, or retained after the HTTP response completes. There is no abuse-monitoring log, no training pipeline, and no deferred batch queue that touches your data.
Request lifecycle
Only API-key hash, token count, and timestamp are logged for billing. The prompt and completion are never part of that record.
JuiceFactory acts as a data processor under GDPR. A signed Data Processing Agreement (DPA) is available to all customers and covers data handling obligations, sub-processor disclosure, breach notification timelines, and data subject rights support. The DPA is available for download at portal.juicefactory.ai.
SOC 2 Type II audit engagement is underway with an expected completion date in Q3 2026. The audit covers the Security and Confidentiality trust service criteria. Report will be available under NDA upon completion.
ISO 27001 certification is on the roadmap following SOC 2 completion. The information security management system (ISMS) is already aligned with ISO 27001 Annex A controls as part of the SOC 2 preparation.
Under GDPR Article 28(2), we disclose all sub-processors involved in handling customer data. JuiceFactory operates its own inference infrastructure. No third-party AI provider processes your prompts or completions.
| Sub-processor | Purpose | Location | Data access |
|---|---|---|---|
| JuiceFactory AB | AI inference, API gateway, billing | Stockholm, Sweden | In-memory only (zero retention) |
| Datacenter operator | Physical hosting, power, network | Stockholm, Sweden | No logical access to data |
No US-headquartered entity appears in the sub-processor chain. The full sub-processor list with legal entity names is included in the DPA.
If you discover a security vulnerability in JuiceFactory's infrastructure or API, please report it responsibly. We ask that you:
Report vulnerabilities to security@juicefactory.ai. We acknowledge receipt within 24 hours and aim to provide an initial assessment within 72 hours.
Sign up, review the DPA, inspect the sub-processor list, and test the zero-retention API. No credit card required.