Security & compliance
Your AI runs in the EU. All of it.
EU compute, EU storage, EU model training — your prompts and files never cross the Atlantic. Published DPA and sub-processor list; countersigned copies for your compliance team on request.
EU compute and storage
Models run in EU regions. Database, storage and backups in EU regions. No US provider ever processes your prompts or files — supporting services (payments, transactional email, CDN) are disclosed at depaza.com/subprocessors.
We only train on your data in the EU
We may use your prompts, conversations and files to improve Depaza's own EU-hosted models — and that training, processing and storage stays in EU regions: never a US sub-processor, never across the Atlantic. Enterprise plans are excluded from training (contractual no-train guarantee).
GDPR — DPA published
Our standard data processing agreement is published at depaza.com/dpa and applies automatically to business customers. Countersigned copies within one business day on request.
AI Act — transparency by design
We document our role as provider and the models behind every tier. Transparency documentation available on request as we complete it ahead of the August 2026 obligations.
GDPR — where your data actually sits
Compute in EU regions. Database, storage, backups and logs in EU regions. Your conversation content never crosses the Atlantic — not for training, not for backup, not for analytics.
- Data minimisation — we store only what makes the product work
- Access, erasure and portability — email us, we respond within the statutory timeframe
- TLS 1.3 in transit, AES-256 at rest
- DPA available on request
AI Act — what you can put on the register
Depaza is a general-purpose AI assistant. No biometrics, no social scoring, no prohibited use cases. We give your compliance team the artifacts they need to attach to your own AI Act risk assessment.
- Provider-role statement under the AI Act
- Model documentation per tier — on request
- Training-data category disclosure — on request
- Limited-risk classification rationale for your register
Domain ownership & remediation
depaza.com is operated by Depaza today. The domain was previously misused for phishing by a former owner in 2024. That content has been removed; the site is clean, runs only our own software, and is continuously monitored.
If your firewall or URL filter still blocks depaza.com on a stale classification, contact us — we provide recategorisation evidence promptly.
Security contact: [email protected] · security.txt
Want your compliance team to review our documentation?
The DPA and sub-processor list are public at depaza.com/dpa and depaza.com/subprocessors. We send the security overview and countersigned DPA by email. No NDA required.