# Security & Compliance — Optimaite Trust Center

Source: [https://www.optimaite.eu/en/trust/sicherheit](https://www.optimaite.eu/en/trust/sicherheit)

> Optimaite is a GDPR, BRAO §43e and §203 StGB compliant AI platform for German law firms and enterprises. Hosting in Germany (Hetzner Falkenstein/Nürnberg). On-premise Kubernetes deployment available. No AI training on customer data.

## Compliance at a glance

- **GDPR:** Fully compliant. Data Processing Agreement (DPA), record of processing activities, and TOM documentation available on request.
- **§43e BRAO:** Service provider within the meaning of §43e BRAO for German lawyers — with confidentiality undertakings for staff and sub-processors.
- **§203 StGB (professional secrecy):** Data is processed by personnel and subprocessors contractually bound to legal professional privilege.
- **EU hosting:** Application data exclusively in the EU. Hetzner Cloud (Falkenstein/Nürnberg, Germany) with a self-hosted PostgreSQL database (CloudNativePG) and Hetzner Object Storage (Germany).
- **No AI training on customer data:** Customer data is never used to train models. Zero-retention agreements with all AI providers.
- **beA integration:** Natively integrated, fully compliant with German electronic court communication (ERV).

## Technical and organisational measures (TOMs)

### Infrastructure
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Kubernetes clusters with network segmentation and pod isolation.
- Automated daily backups with point-in-time recovery.
- Hetzner Cloud (Falkenstein/Nürnberg), ISO 27001 certified data centers.

### Access control
- Multi-tenant isolation at the database level (PostgreSQL row-level security).
- JWT-based authentication with tenant scoping.
- Role-based access control (RBAC) with fine-grained permissions.
- Complete audit log of all data access and AI actions.
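The first two items above describe tenant isolation enforced in PostgreSQL itself, scoped per request by the authenticated JWT. The following is an added illustration of that pattern, not Optimaite's schema or code; the table `matters`, the role `app_user` and the setting `app.tenant_id` are assumed names.

```sql
-- Added example: tenant isolation with PostgreSQL row-level security.
-- Names below (matters, app_user, app.tenant_id) are assumptions.

-- Application role: neither superuser nor table owner, so RLS applies to it.
CREATE ROLE app_user NOLOGIN;

CREATE TABLE matters (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    title      text NOT NULL
);

GRANT SELECT, INSERT, UPDATE, DELETE ON matters TO app_user;
GRANT USAGE ON SEQUENCE matters_id_seq TO app_user;

-- Enable RLS and FORCE it so even the table owner is subject to the policy.
ALTER TABLE matters ENABLE ROW LEVEL SECURITY;
ALTER TABLE matters FORCE ROW LEVEL SECURITY;

-- Rows are visible and writable only for the tenant in the session setting.
-- If the setting is absent, current_setting(..., true) yields NULL, the
-- comparison is NULL, and no row is visible or writable (fails closed).
CREATE POLICY tenant_isolation ON matters
    FOR ALL TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per request, after the backend has verified the JWT, it scopes the
-- transaction. SET LOCAL confines the value to this transaction, so a pooled
-- connection cannot carry one tenant's scope into the next request.
BEGIN;
SET ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed
INSERT INTO matters (tenant_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'Constructed example matter');
SELECT id, title FROM matters;   -- returns only this tenant's rows
-- A write for another tenant fails the WITH CHECK clause and is rejected:
-- INSERT INTO matters (tenant_id, title)
-- VALUES ('22222222-2222-2222-2222-222222222222', 'Cross-tenant write');
COMMIT;
```

A check worth keeping in the test suite: connect as `app_user`, omit the setting entirely, and assert that every SELECT, INSERT, UPDATE and DELETE on the table affects zero rows.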

### Data processing
- Data processing exclusively in the EU.
- AI processing through Microsoft Azure AI Foundry (Germany), AWS Bedrock (Frankfurt) and Google Vertex AI (EU) with zero retention; third-country involvement is covered by EU Standard Contractual Clauses.
- Automated data deletion at contract termination (within 30 days).
- Data classification and configurable retention policies.

## Deployment options

### Cloud (default)
For law firms and enterprises that want to start quickly. Fully GDPR compliant, hosted in Germany, immediately deployable. Suitable for solo lawyers, mid-sized firms and most large firms.

### On-premise (Kubernetes)
For law firms and enterprises with the highest data protection requirements. Full sovereignty over data and models. Local LLM models (Llama, Mistral) available. Ideal for large law firms, public-sector clients, regulated industries and security-critical matters.

## Subprocessors

- **Hetzner Online GmbH** (Germany) — hosting, compute, storage, self-hosted PostgreSQL database.
- **Zilliz Inc.** (Frankfurt, EU) — vector database (embeddings, safeguarded by EU Standard Contractual Clauses).
- **Microsoft Ireland Operations Ltd. / Azure** (Germany region) — AI inference with zero retention.
- **Amazon Web Services EMEA SARL** (Frankfurt) — AI inference with zero retention.
- **Google Ireland Limited** (EU) — AI inference (Vertex AI) and speech recognition (Speech-to-Text) with zero retention.
- **Vercel Inc.** (EU edge) — static delivery of the marketing website.

## Documents on request

- Data Processing Agreement (DPA): [/avv](https://www.optimaite.eu/avv).
- Record of processing activities (Art. 30 GDPR).
- List of subprocessors with hosting locations.
- TOM documentation (technical and organisational measures).
- Penetration test reports (annual, by external auditor).

## Contact

Privacy or security questions: jamil.mounzer@optimaite.eu — response within 24 hours on business days.
