Security

A compliance product is only as good as the jurisdiction it sits in.

Ansikt is hosted, governed and built in the EU — under Danish and EU law, on infrastructure we operate. Here's the short version, with the receipts.

  • 100% EU hosted · Frankfurt & Stockholm regions. Nothing leaves the bloc.
  • 0 sub-processors outside EU · No US AI vendors. No transfers under SCCs.
  • 256-bit AES at rest · Per-tenant keys, customer-controlled rotation.
  • TLS 1.3 in flight · No protocol downgrades. mTLS for connector traffic.

01 · Three pillars

Where we hold the line.

i.

Stay in the bloc.

Infrastructure, sub-processors, employees, jurisdiction. Every lever is European. Schrems II was decided in 2020; the response was building things differently, not waiting for the next ruling.

  • Hetzner · Frankfurt & Falkenstein
  • Scaleway · Paris
  • Datacentre tenancy · ISO 27001
  • EU-only operator access
ii.

Hold less data.

One 512-dim vector per face. The original photo never leaves your source. We don't make copies. Article 5(1)(c) — data minimisation — is a daily engineering constraint, not a policy paragraph.

  • Vectors only · no image copies
  • Customer-managed encryption keys
  • Tenant isolation at storage layer
  • Erasure verifiable in < 24h
iii.

Show your work.

Every search, every export, every operator action is logged in a tamper-evident, hash-chained ledger. Streamable to your SIEM. Auditors see a full picture without us in the room.

  • Append-only audit log
  • SHA-256 hash chain
  • SIEM stream · CEF or JSON
  • Quarterly third-party log review
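
How a consumer of a SHA-256 hash-chained log could check it on their own side, as an added example that is not Ansikt's code or record format. The field names (`seq`, `prev`, `body`, `hash`), the all-zero genesis value and the sample events are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record


def record_hash(prev_hash, body):
    """SHA-256 over the previous hash plus the canonical JSON of the body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(chain, body):
    """Producer side: link a new record to the current head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"seq": len(chain), "prev": prev, "body": body,
                  "hash": record_hash(prev, body)})


def verify(chain, expected_head=None):
    """Consumer side: return a list of findings; empty means the chain is intact."""
    findings = []
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            findings.append(f"record {i}: sequence gap or reorder (seq={rec['seq']})")
        if rec["prev"] != prev:
            findings.append(f"record {i}: prev link does not match preceding hash")
        if record_hash(rec["prev"], rec["body"]) != rec["hash"]:
            findings.append(f"record {i}: body does not match stored hash")
        prev = rec["hash"]
    # Cutting records off the tail leaves a valid shorter chain, so compare the
    # head with a value obtained out of band (for example from a signed export).
    if expected_head is not None and prev != expected_head:
        findings.append("head hash differs from the anchored value")
    return findings


def build_sample():
    """Constructed sample events, not real log records."""
    chain = []
    for body in ({"actor": "op-1", "action": "search", "ts": "2026-01-05T09:00:00Z"},
                 {"actor": "op-1", "action": "export", "ts": "2026-01-05T09:02:10Z"},
                 {"actor": "op-2", "action": "erase", "ts": "2026-01-05T09:30:00Z"}):
        append(chain, body)
    return chain
```

An edited record fails its own hash check, a record rewritten with a fresh hash breaks the next record's `prev` link, and a truncated tail is caught only when the head hash is anchored somewhere the log writer cannot change.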
02 · Certifications & assessments

What we hold, and what's in flight.

We don't claim certifications we don't have. Status is updated quarterly; the audit dates are real.

  • GDPR · Art. 32 self-assessment: Held · 2025
  • EU Data Boundary: Verified · attestation on request
  • ISO 27001: Audit underway · Q2 2026
  • SOC 2 Type II: Planned · Q4 2026

03 · Where data lives

From your source to the answer, in one diagram.

No black boxes. Every hop is named, every protocol is logged. The image stays where it lives — only the vector travels.

Fig. 03 · Ansikt data flow · EU jurisdiction · TLS 1.3 throughout

Your environment
  • Source systems: Drive · SharePoint · S3 · CMS
  • Read-only connector: OAuth · IAM · token-scoped

Pull · mTLS

Ansikt · EU compute
  • Detection & embedding: Hetzner · Frankfurt
  • Vector vault: AES-256 · per-tenant key
  • Audit ledger: Append-only · SHA-256 chain

Query · TLS 1.3

Operator
  • Ansikt console: SSO · SCIM · MFA required
  • Signed export: PDF · JSON · audit-ready

Notes
  • The original image never leaves your source
  • No inference traffic crosses the EU boundary
  • All hops logged with hash + timestamp

04 · Practices

The everyday stuff, written down.

01 Access control: SSO required. SCIM for lifecycle. MFA on every operator account. Just-in-time elevation for production access, with approval logged. No standing admin rights.

02 Encryption: AES-256 at rest. TLS 1.3 in flight. Customer-managed keys. Per-tenant key envelope. Rotation on customer schedule. No protocol downgrades.

03 Backups: Encrypted, EU-resident, customer-deletable on request. 15-minute RPO, 4-hour RTO. Restores tested quarterly. Backups also obey erasure requests.

04 Vulnerability handling: Critical patches in 72 hours. Pen-test annually. External pen test by an independent EU firm. Coordinated disclosure at security.txt.

05 Incident response: Customer-notified inside 24 hours. Postmortem in 5 days. DPA-required notice to authorities runs in parallel. Timeline shared with affected customers.

06 Data retention: Vectors retained while indexed. Logs · 12 months. Backups · 30 days. Customer-configurable down. Deletion is verifiable: a signed receipt accompanies every erasure.

05 · Sub-processors

The whole list. Four names.

Every sub-processor is European, with a current DPA on file. We notify customers 30 days before any addition or change.

Hetzner Online GmbH · DE · Gunzenhausen
  • Purpose: Compute & primary storage
  • Region: Frankfurt · Falkenstein
  • Status: EU

Scaleway SAS · FR · Paris
  • Purpose: Object storage · backups
  • Region: Paris
  • Status: EU

Postmark (ActiveCampaign EU) · EU instance
  • Purpose: Transactional email · operator notifications
  • Region: Frankfurt
  • Status: EU

Plausible Insights ehf · IS · Reykjavík
  • Purpose: Privacy-respecting analytics · marketing site only
  • Region: EEA
  • Status: EEA

06 · Reporting a problem

Found something? Tell us.

We answer security mail in under one business day. Coordinated disclosure is honoured; we credit reporters by name unless asked otherwise.

security@ansikt.dk · PGP key on request

Vulnerability disclosure.

Email a description of what you found, where, and how to reproduce. We acknowledge in 24 hours, fix critical issues in 72, and publish an advisory once customers are protected.

trust@ansikt.dk

Procurement, DPAs, audit questionnaires.

If you're filling out a vendor risk form, send it. We have a SIG-Lite, a CAIQ, and a current DPA template ready to go. We'll get it back inside three days.