Software for highly sensitive security data
Highly sensitive data with strict requirements for access, logging and availability — in an environment where mistakes are not an option.
Everyone claims GDPR compliance. We show you the architecture behind it: on-premise options, EU hosting with a DPA, PII masking — built by engineers from projects where mistakes are not an option.
The privacy architecture
GDPR compliance is not a promise — it is an architectural decision. Before any project starts, we agree on the level your data requires, and we build exactly that.
Fully on-premise — your data never leaves your premises (local language models on your infrastructure).
EU hosting with a data processing agreement (DPA) and zero data retention — your inputs are not stored by the model provider.
PII masking before anything reaches a cloud model — names and identifiers never arrive there.
Built to be audited
Anyone can write "GDPR-compliant" on a website. Here is what you can actually verify before you sign anything:
Where professional secrecy and regulatory oversight apply, full automation is the wrong goal. We build assistive AI: the system prepares, a human approves.
In practice that means: every automated step is logged and traceable, approval workflows make sure no decision leaves the building without human review, and the boundaries of responsibility between system and people are defined before the project starts.
If you serve EU customers from outside the EU, this is also a commercial advantage: a European contract partner and a GDPR-ready architecture make it much easier for your clients' legal teams to say yes.
Prefer to talk confidentially first? On request we start under NDA — before you share a single detail of your case.
We don't name clients — in this field, that is part of the point. Two anonymized industry examples:
Highly sensitive data with strict requirements for access, logging and availability — in an environment where mistakes are not an option.
A wide range of use cases in the health space — all involving sensitive data and data-protection requirements that allow no compromise.
Yes — but not as a blanket statement. Whether an AI system is GDPR-compliant depends on the architecture and the implementation: where the models run, which data reaches them, who has access and what is logged. That is exactly what we build — fully on-premise, EU-hosted with a DPA, or with PII masking before any cloud call. We also deliver the documentation your data protection officer or your clients' legal teams need to verify it. Anyone promising blanket compliance without knowing your implementation is overselling.
On-premise means the AI models run on your own infrastructure — your servers or your private cloud — so your data never leaves your premises and no external model provider sits in the data flow. It makes sense for professional secrecy, highly sensitive data or strict internal policies. We are equally honest about the trade-off: on-premise means your own hardware and ongoing operations. For many use cases, EU hosting with a DPA or PII masking is the better fit — the AI readiness audit determines which level you actually need.
That depends on the privacy level we agree on — and it is documented in every project. Fully on-premise: none. With EU hosting, the models run with European providers under a DPA and zero data retention — nothing is stored there. And where a cloud model is used, personal data is masked or pseudonymized first: names, addresses and identifiers never reach the model at all. We document the data flows so you can verify them.
No — and we put it in the contract. Your data is not used for training, neither by us nor by the model providers we deploy; we select and configure providers so that no training use takes place and nothing is stored (zero data retention). Because the architecture is model-agnostic, the language model also stays swappable at any time — you are never tied to one vendor.
Yes. On request we start under NDA before you share any details of your case. For regulated industries we build assistive AI with human approval instead of full automation, with complete audit trails and clearly defined boundaries of responsibility. Our background includes projects with highly sensitive security and payment data — and discretion is standard practice: we never name clients.
The obligations depend on the risk class of your use case. Many back-office applications — document processing, internal assistants — fall into lower risk classes with manageable duties such as transparency, logging and human oversight. We classify your use case as part of the AI readiness audit and build the technical requirements into the architecture from day one. We don't replace legal advice — we deliver the engineering side your counsel can work with.
Tell us briefly what you need — your message lands directly with the people who build your project.
Discretion is part of the offer: happy to sign an NDA before you share a single detail of your case.