Security & compliance
100% EU data. 100% of the time.
We built Depaza from the ground up so your compliance department can sleep at night. No US-based sub-processors. No third-country transfers.
Hosted in Helsinki & Frankfurt
AI models in Helsinki. Servers in Frankfurt. All data stays in the EU. EU by heart.
We do not train on your data
No prompts, no conversations, no files are used for model training. Neither by us nor by our sub-processors.
GDPR-ready
Standard data processing agreement (DPA) ready to sign. Standard contractual clauses (SCC) where relevant.
AI Act-prepared
We follow the EU AI Act. Model cards, risk classification and transparency documentation ready for your compliance team.
SSO and access control
SAML SSO, SCIM provisioning, role-based access and audit log on the Enterprise plan.
Audit log
Who did what, when. Exportable to your SIEM. Retained for a configurable period.
GDPR โ where is the data?
Compute: EU (Helsinki). Database and storage: EU-based. Backups: EU. Logs: EU. No data leaves Europe.
- โ Data minimisation โ we only store what we need
- โ Right of access, erasure and portability via /api/me/* endpoints
- โ Encrypted in transit (TLS 1.3) and at rest (AES-256)
- โ DPA ready to sign within one business day
AI Act โ what do we do?
Depaza is classified as a general-purpose AI assistant. We do not use biometrics, no social scoring, no prohibited use cases. We provide documentation your compliance team can attach to your own AI Act risk assessment.
- โ Model card for every model we offer
- โ Transparency on training-data categories
- โ Logging of system answers (can be toggled per tenant)
- โ Classification of the output types produced
Want your compliance team to review our documentation?
We send the DPA, SCC, model cards and security overview by email. No NDA required.