COMPLIANCE & SECURITY
Compliance by design
GDPR, EU AI Act, and Dutch BIO principles as our starting point — not a checklist added later. Explained transparently so you know exactly where you stand.
STARTING POINT
Why we make this explicit
Our clients are SMB companies and public-sector organisations. Both carry responsibility for how AI is used: which data is processed, where it lives, and how decisions are made. If that isn't in order, you face both legal and operational risk.
We build AI solutions with GDPR, the EU AI Act, and — for government — Dutch BIO principles as the starting point. Below is concretely what that means, so your privacy officer or legal adviser can verify it directly.
FRAMEWORKS
Four pillars, explained concretely
No vague compliance-speak — concrete measures and where they apply.
EU-based data processing
We process personal data under the EU General Data Protection Regulation. All leads, contact details, and project documentation sit in the EU (Frankfurt). We sign a data processing agreement with every client.
- Data stored in the EU (Hetzner Germany and Supabase Frankfurt)
- Sub-processors outside the EU only under Standard Contractual Clauses
- Data breach notification within 72 hours per GDPR Art. 33
- Automatic deletion 30 days after contract ends
Risk classification for your agent
Every AI agent falls under one of the EU AI Act's risk categories. During intake we determine the category together and which obligations apply.
- High-risk / limited-risk / minimal-risk classification during intake
- Transparency obligation: end-users know they are talking to AI
- Human oversight where the law requires it
- Logging and auditability of AI-driven decisions
Dutch Baseline for Government IT Security
For government bodies we use the Dutch BIO framework as our baseline. Where possible the agent runs on the client's own infrastructure so data never leaves your control.
- Agent on your own infrastructure or an EU-hosted environment you control
- Access controls, logging, and audit trails tailored per deployment
- Separate production, test, and development environments — standard in our implementation, in consultation with your IT team
- Approach aligned with your information security policy
Security as the starting point
We build with security from the outset, not bolted on later. Encryption, access control, and least-privilege are standard.
- TLS encryption by default, SSH key authentication on infrastructure
- Least-privilege access: staff only access what's needed, when needed
- System-prompt guardrails and tool restrictions — together we decide what the agent may and may not do
- Logging and audit trails for every production environment
AI ACT CLASSIFICATION
How we classify your agent
The EU AI Act defines three main risk categories. Obligations differ per category — and so does our approach.
Minimal-risk
Most business agents fall here: internal knowledge base, scheduling, proposal builders, customer service. General transparency rules (e.g. disclosing AI use) and GDPR apply.
Limited-risk
Agents that generate content or detect emotions. Additional transparency toward end-users is required. We document which data the agent uses and for what purpose.
High-risk
Agents in regulated domains (credit scoring, education evaluation, critical infrastructure). Requires full conformity assessment, registration, and human oversight. We only build this in close collaboration with your compliance officer.
Not sure which category your intended agent falls into? That's normal. We determine this together during intake, before any code is written.
HOSTING & SUB-PROCESSORS
Where your data lives
Full transparency about which third parties are involved and where they are based.
| Service | Location | Purpose |
|---|---|---|
| Supabase | Frankfurt (EU) | Database for leads, contact requests and questionnaire responses |
| Vercel | US (SCC) | Website hosting and anonymous, cookieless analytics |
| Resend | US (SCC) | Transactional email (e.g. contact form confirmations) |
| Calendly | US (SCC) | Appointment scheduling — click-to-load, only loads after user click |
| Hetzner Online | Falkenstein, Germany (EU) | Server hosting for business administration and internal CRM |
Sub-processors outside the EU operate under Standard Contractual Clauses. For the AI agent itself, we choose the hosting together: EU cloud or your own infrastructure. End-user data from your customers (chat, calls) does not pass through our systems structurally — it stays on your infrastructure.
OPERATIONAL DOCUMENTS
Runbooks and checklists available on request
Alongside our data processing agreement we maintain concrete operational documents that make our claims executable. Your compliance officer, legal adviser or IT lead can request these for review.
- Incident Response Plan — concrete protocol for the 72-hour GDPR notification (Art. 33), cyber insurance reporting and customer communication
- AI Act intake checklist — per agent we determine together the risk classification and which obligations apply
- Agent Delivery SOP — mandatory steps at go-live: AI disclosure in system prompt, access controls, logging and audit trail
DATA PROCESSING AGREEMENT
DPA available for review
Our data processing agreement (per GDPR Art. 28) is available for legal review. You can view it online, print it, or save as PDF. Upon engagement we sign it automatically as part of the contract.
SECURITY
Responsible disclosure
Found a vulnerability in our systems or in software we implemented at a client? Report it responsibly and give us time to respond before going public.
We respond within 2 business days, work with you on a fix, and are happy to credit you.
Questions about compliance?
Your privacy officer or legal adviser is welcome to call us. We answer any question about data processing, sub-processors, AI Act classification, or BIO alignment.