Compliance evidence — not surveillance
Can you prove your remote team works where the contract says?
We don't track where your people are. limen generates auditable evidence that remote work was performed from a contractually permitted country — without ever storing exact location.
30-minute call · no product pitch · talk to the team building it.
a3f1c0b7e2…d49f · SHA-256
The risk
A contract that says “EU only” isn't proof of anything.
A Spanish company hires a remote developer under a contract requiring EU residence. The developer actually works from Thailand over a VPN, accessing GDPR-covered client data every day. Then a breach happens — or an audit arrives. The company can't demonstrate it had any control over where that data was accessed from. The fine, the lost client, the reputational hit land on the company. The contractor is already gone.
of global turnover — the maximum GDPR fine
makes IP-only location meaningless
controls most companies can prove today
We used a European example because that's where the pressure is sharpest today. The gap is identical anywhere a contract, client DPA, certification or regulator restricts where work happens.
The same gap, wherever location is restricted
How it works
Three independent signals. One compliance result.
On each biometric work check-in, limen resolves jurisdiction from multiple device signals and records only the outcome.
GPS
Device hardware location, with mock-location detection.
WiFi positioning
Nearby network BSSIDs resolved to a country — then discarded.
IP geolocation
ISP-level signal, never sufficient on its own.
Signal coherence yields one of three results — technical uncertainty is never treated as guilt:
Compliant
Sufficient evidence the work occurred from the approved jurisdiction.
Needs review
Insufficient or inconsistent evidence — flagged, never auto-punished.
Non-compliant
Strong evidence of a disallowed jurisdiction or manipulation.
Privacy by design
We store the proof. Not the location.
Exact GPS coordinates and WiFi BSSIDs are processed transiently to derive jurisdiction, then destroyed — never persisted, never logged. GDPR data minimisation (Art. 5) is the architecture, not a setting.
Never stored
- Exact GPS coordinates
- WiFi BSSIDs
- Real-time location
- Off-hours tracking
Stored as audit evidence
- Compliance result
- Confidence score
- Device integrity signals
- Tamper-evident record hash
Audit-ready by design
When an auditor asks, you have the proof.
Every check-in becomes evidence that holds up in an inspection, a client audit, or a cyber-insurance claim — without anyone having to trust our word for it.
- 01
Tamper-evident record
Each check-in is hashed (SHA-256) the moment it's created, and never recomputed.
- 02
Append-only
Records can't be edited or deleted — by you, by us, or by any workspace — during the retention window.
- 03
Reproducible
policy_version and app_version capture exactly which rules and thresholds applied at check-in time.
- 04
Standalone evidence package
Export a signed CSV/PDF with a manifest and hash chain — verifiable offline, even months after you cancel.
Pricing
Priced as audit evidence — not per-seat tracking.
A base fee per workspace plus included verified employees. You're only billed for people under verification — not admins, managers or auditors.
Core
Up to 5 verified employees
+€10 additional
Agencies, small consultancies, MSPs with few remotes
Professional
Up to 20 verified employees
+€8 additional
Tech consultancies, BPOs, IT/MSP with mid-size remote teams
Regulated
Up to 75 verified employees
+€6 additional
Fintech, healthtech, cybersecurity, vendors under client audits
Enterprise
Up to 150+ verified employees
+Custom additional
SSO / MDM / advanced DPA / dedicated SLA / procurement
Founding pilot: €49/mo for 3 months — limited to the first 5–10 customers.
Who it's for
Two buyers. One audit trail.
DPO / Security lead
Generate the audit trail that proves due diligence in an inspection or breach — documentary compliance evidence, not surveillance.
HR / Operations
Comply with the residence conditions you already have in signed contracts, without standing up a manual audit.
FAQ
The questions worth asking first.
Is this employee surveillance?
No. limen never stores exact location and never tracks in real time. It records a compliance result tied to a work check-in — audit evidence, not monitoring.
What if they use a VPN?
IP alone never grants a compliant result. GPS, WiFi positioning and device attestation expose VPN-only setups, and detected mock location is recorded as non-compliant outright.
Do you store the employee's location?
Never. GPS coordinates and WiFi BSSIDs are processed transiently to derive the jurisdiction, then destroyed. Only the result and technical signal fields persist.
iOS or Android?
The MVP is Android-first (GPS + WiFi + IP). iOS ships with GPS + IP; WiFi positioning follows post-launch, as it requires a special Apple entitlement.
BYOD — can we require the app?
limen is built for companies that can require a mobile check-in as a condition of remote access. A web or IP-only check-in is evadable by VPN and isn't high-confidence evidence.
Is it GDPR-compliant?
It's built on data minimisation, with clear controller/processor roles, a DPA, a generated contractual clause and a documented acknowledgement (not “consent”). This isn't legal advice.
Talk to us
Your remote contractors may be accessing client data from unauthorized countries using a VPN. Can you prove they are not?
Book a 30-minute call. We'll walk through what the audit trail looks like in practice and whether it fits your jurisdiction and contract requirements — no slides, no product pitch.