Answers to the most common questions about security, privacy, and compliance at Optimaite.
All application data is exclusively processed and stored in Germany and the EU. Our infrastructure runs on Hetzner Cloud (Falkenstein/Frankfurt, Germany), the database at Neon (Frankfurt, EU), and object storage also at Hetzner in Germany. The website is served via Vercel with EU regions.
No, never. All AI models are operated exclusively through EU-based services — Azure AI Foundry (Germany West) and AWS Bedrock (Frankfurt). Contractual zero-retention and zero-training agreements are in place. Your data never leaves the EU, is used exclusively to process your requests, and is immediately discarded afterwards.
Yes. Our Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is available at optimaite.eu/avv and is automatically part of our terms of service. It includes the complete technical and organizational measures (TOMs) as well as the current subprocessor registry.
Optimaite implements a strict multi-tenant architecture with isolation at the database level. Every database query is automatically filtered to the respective tenant (Row-Level Security), making access to other tenants' data technically impossible. Additionally, separate namespaces and network policies are used in Kubernetes.
All data is encrypted both during transmission (in transit) and at rest. For transmission we use TLS 1.3, for storage AES-256 encryption. This applies to the database, object storage, and all backups.
After contract termination, we provide all data for export in common, machine-readable formats for 30 days. After this period, all personal data is irrevocably deleted. Backup rotations are cleaned within 90 days. Deletion is confirmed upon request.
Yes. Optimaite is fully GDPR-compliant. This includes: data processing exclusively in the EU, a standardized DPA pursuant to Art. 28 GDPR, documented TOMs pursuant to Art. 32 GDPR, a complete subprocessor registry, procedures for fulfilling data subject rights, and an incident response plan with 24-hour notification requirement.
When you use AI features (e.g., document analysis, text generation), the relevant document content is sent via API to the AI service (Azure AI in Germany or AWS Bedrock in Frankfurt). Only the content required for the respective function is transmitted — no user metadata or tenant information. Processing takes place in real time within the EU and the data is immediately discarded afterwards.
Yes. Customers have the option to store their own API keys for the AI services (e.g., Azure, AWS). This gives you control over the entire AI processing chain, and the data flows directly through your own contract with the respective provider.
We are currently building an Information Security Management System (ISMS) according to ISO 27001. Our infrastructure partners (Hetzner, Neon) already hold ISO 27001 and SOC 2 Type II certifications. We plan to obtain our own certifications as we grow.
According to our DPA (§ 5), you have the right to verify compliance with data protection regulations, including on-site inspections with prior notice. Additionally, we provide all necessary information and documents for compliance reviews. Contact us at security@optimaite.eu.
The platform processes the following data categories: user account data (name, email), documents and files, chat messages and AI interactions, as well as technical metadata (IP addresses, timestamps, error logs). The complete description can be found in our DPA under § 3.