Answers to the most common questions about security, privacy, and compliance at Optimaite.
All application data is exclusively processed and stored in Germany and the EU. Our infrastructure runs on Hetzner Cloud (Falkenstein/Nürnberg, Germany); the PostgreSQL database is self-hosted (CloudNativePG) on Hetzner in Germany, and object storage is also at Hetzner. The marketing website is served via Vercel with EU regions.
No, never. All AI models are operated through EU-based services — Microsoft Azure AI Foundry (Germany West), AWS Bedrock (Frankfurt) and Google Vertex AI (EU). Contractual zero-retention and zero-training agreements are in place. Customer data is processed in EU data centres in regular cloud operation and used exclusively to answer your requests; where a provider has a third-country connection, this is safeguarded by adequacy decisions or EU Standard Contractual Clauses (Art. 46 GDPR).
Yes. Our Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is available at optimaite.eu/avv and is automatically part of our terms of service. It includes the complete technical and organizational measures (TOMs) as well as the current subprocessor registry.
Optimaite implements a strict multi-tenant architecture with isolation at the database level. Every database query is automatically filtered to the respective tenant (Row-Level Security), preventing unauthorized access to other tenants' data. Additionally, separate namespaces and network policies are used in Kubernetes.
All data is encrypted both during transmission (in transit) and at rest. For transmission we use TLS 1.3, for storage AES-256 encryption. This applies to the database, object storage, and all backups.
After contract termination, we provide all data for export in common, machine-readable formats for 30 days. After this period, all personal data is irrevocably deleted. Backup rotations are cleaned within 90 days. Deletion is confirmed upon request.
Yes. Optimaite is fully GDPR-compliant. This includes: data processing exclusively in the EU, a standardized DPA pursuant to Art. 28 GDPR, documented TOMs pursuant to Art. 32 GDPR, a complete subprocessor registry, procedures for fulfilling data subject rights, and an incident response plan with 24-hour notification requirement.
When you use AI features (e.g., document analysis, text generation), the relevant document content is sent via API to the AI service used (Microsoft Azure AI Foundry in Germany, AWS Bedrock in Frankfurt or Google Vertex AI in the EU). Only the content required for the respective function is transmitted — no user metadata or tenant information. Processing takes place in real time within the EU and the data is immediately discarded afterwards.
Yes. Customers have the option to store their own API keys for the AI services (e.g., Azure, AWS). This gives you control over the entire AI processing chain, and the data flows directly through your own contract with the respective provider.
We are currently building an Information Security Management System (ISMS) according to ISO 27001. Our infrastructure and AI partners (Hetzner, Microsoft, AWS, Google) already hold ISO 27001 and SOC 2 Type II certifications. We plan to obtain our own certifications as we grow.
According to our DPA (§ 5), you have the right to verify compliance with data protection regulations, including on-site inspections with prior notice. Additionally, we provide all necessary information and documents for compliance reviews. Contact us at security@optimaite.eu.
The platform processes the following data categories: user account data (name, email), documents and files, chat messages and AI interactions, as well as technical metadata (IP addresses, timestamps, error logs). The complete description can be found in our DPA under § 3.