Security and compliance, by construction.

InovateAI is operated by Agenticas OÜ from Tallinn, Estonia — inside the EU, under EU law. Customer systems, databases, files, and backups are EU-resident by default; model inference may use approved subprocessors outside the EU under SCCs and zero-retention terms unless an EU-only model path is contracted.

What we secure

Data in transit

All traffic between your systems, our infrastructure, and any sub-processor is encrypted with TLS 1.2 or higher. No plaintext channels, no exceptions.

Data at rest

Postgres databases, object storage, and backups are encrypted with AES-256. Disk-level encryption on every node. Backup snapshots are encrypted before they leave the host.

Access control

Least privilege per task. Each AI Digital Worker has scoped credentials limited to the systems and operations defined in your Statement of Work — nothing more.

Audit logs

Every decision the worker makes, every system it touches, every record it reads or writes is logged with timestamp, actor, and reason. Logs are append-only and exportable on request.

Where your data lives

Your AI Digital Worker runs on EU-only infrastructure. Primary compute and Postgres databases are hosted on Hetzner Cloud in Helsinki (Finland) or Falkenstein (Germany), depending on your latency and residency preference.

Postgres is encrypted at rest with AES-256. Backups are encrypted before they leave the host and stored in the same EU region. Object storage for documents and artefacts is also EU-resident.

Foundation model calls are governed by SCCs and zero-retention enterprise terms where applicable. For stricter residency needs, we can scope an EU-only inference path during procurement.

Buyer proof

What you can inspect before signing

We do not ask procurement to trust a black box. The scoping process produces concrete artifacts your operations, finance, security, and legal teams can review.

Sample deployment plan

Every proposal includes workflow scope, systems touched, approval rules, validation data, fallback plan, and week-one success criteria.

Audit-ready decision log

Workers log material reads, writes, decisions, escalations, and reasons so finance, ops, and compliance teams can review what happened.

Security pack under NDA

DPA, subprocessor list, model-processing notes, control summary, and incident-response process are available during procurement.

Workload-based ROI

We model value from recurring hours removed, loaded hourly cost, escalation rate, and error reduction rather than claiming a whole role is replaced.

Sub-processors

Full list of third parties we use to operate the service. We notify customers in writing before adding or replacing any sub-processor.

Resend
  • Purpose: Transactional email delivery (notifications, escalations)
  • Region: EU / US
  • Safeguard: EU SCCs in DPA

Anthropic
  • Purpose: Foundation AI model (Claude) for reasoning and decision-making
  • Region: US
  • Safeguard: EU SCCs + Anthropic enterprise data terms (zero retention, no training on customer data)

Hetzner Cloud
  • Purpose: Primary infrastructure: compute, Postgres, object storage, backups
  • Region: EU (Helsinki, Falkenstein)
  • Safeguard: EU-based processor, GDPR-aligned DPA

Contabo
  • Purpose: Secondary infrastructure for redundancy and isolated workloads
  • Region: EU (Germany)
  • Safeguard: EU-based processor, GDPR-aligned DPA

Cloudflare
  • Purpose: DDoS mitigation and edge routing (when enabled per deployment)
  • Region: Global edge
  • Safeguard: EU SCCs, EU data localisation enabled where applicable

Compliance

GDPR by design

Data minimisation, purpose limitation, and storage limitation are baked into every deployment. We process only what your Statement of Work explicitly authorises.

EU AI Act readiness

Each deployment is classified by risk tier. Logging, human oversight, and transparency obligations are built into the worker's operating contract before go-live.

NDA standard

A mutual NDA is signed before we see a single sample of your data. No discovery call material is reused without written permission.

DPA on request

A Data Processing Agreement covering Article 28 GDPR obligations is available before signature. Custom DPA review is included in the setup fee.

SOC 2 Type II — in progress

Audit window opens Q2 2026 with target report delivery Q4 2026. Interim Type I controls and gap assessment available under NDA.

Incident response

  • 72-hour breach notification to affected customers and supervisory authorities, in line with Article 33 GDPR.
  • Named point of contact for every customer: info@inovateai.com.
  • Documented runbooks for credential rotation, sub-processor outage, model misuse, and data exfiltration scenarios.
  • Post-incident report shared in writing within 14 days, including root cause and remediation.

Access controls for our team

  • Role-based access to customer environments. Need-to-know only.
  • Multi-factor authentication is mandatory for every team member, every system.
  • Every team access to a customer system is logged and auditable.
  • Contractor onboarding includes background check, NDA, and time-bound credentials.
  • Offboarding: credentials revoked within 1 hour of contract end. Verified by audit.

What we won't do

The clearer the boundary, the easier the procurement conversation:

  • Train any foundation model on your data
  • Build advertising or behavioural profiles from your operations
  • Resell, share, or syndicate your data to third parties
  • Use any data outside the scope written into your contract

Talk to our security team.

DPA, sub-processor list, SOC 2 gap assessment, or a custom questionnaire — write to info@inovateai.com.

Last updated: 9 May 2026