
Trust & Security

Responsible AI.
Not promises — mechanisms.

SMEs trust us with their business data, internal processes, sometimes their infrastructure.

We are a young company. Our commitments are real, our processes evolve with each project, and this page reflects the state of our practice today — not empty promises.

This document explains exactly what we do with that data, who accesses it, where it is processed, and how we manage risk.


Last updated · June 2026

  • GDPR processor — art. 28 DPA ready to sign
  • Your data never trains models
  • EU processing by default, self-hosted possible
  • Code and models: fully owned by the client

Data residency

Where is your data processed?

We work with three families of language models. Model selection for each project depends on your sovereignty requirements, the use case, and required technical performance.

| Provider | Access type | Legal HQ | Data processing | EU residency | DPA |
|---|---|---|---|---|---|
| Mistral AI | European LLM API | Paris, France 🇫🇷 | EU depending on offer and configuration | Documented EU priority, not France-only | Yes |
| Anthropic | Commercial LLM API | San Francisco, US 🇺🇸 | US via direct API · EU via configured AWS Bedrock or Vertex AI | Via EU cloud; the cloud is then the processor | Yes (commercial API) |
| OpenAI | Commercial LLM API | San Francisco, US 🇺🇸 | US by default · EU depending on eligible offer and contract | To confirm contractually for the selected offer | Yes |

Our approach

For projects requiring the strictest sovereignty (sensitive personal data, finance, healthcare): we recommend a European provider or a self-hosted deployment. We do not promise "France-only" processing unless it has been contractually verified.

Where a US provider's performance is justified by the use case, we configure the pipeline through an EU cloud region when the offer and contract allow it. In that setup, the cloud provider is generally the operational processor and the remaining sovereignty limits are documented.

We can also deploy open-source models suited to the use case on your own infrastructure or on our Hetzner (DE) servers, for 100% EU processing with no calls to any third-party provider.

olixid.com is hosted on Hetzner Online GmbH servers (Gunzenhausen, Germany).

GDPR

Our GDPR posture

OLIXID acts as a data processor within the meaning of Article 4(8) GDPR for personal data processing carried out in the context of your projects. The data processing agreement is governed by Article 28. You remain the data controller.

Lawful basis
Processing is based on contract performance (Art. 6.1.b) and, for ancillary processing (service improvement, quality follow-up), on legitimate interest (Art. 6.1.f). No personal data from your end-users is used to train third-party AI models.
Data Processing Agreement (DPA)
A DPA compliant with Article 28 is available for signature for any project. It covers the categories of data processed and their purposes, technical and organisational security measures, deletion timelines, the list of sub-processors, and audit and incident-notification modalities.
Minimisation
In each project, we configure our systems to process only the data strictly necessary for the defined use case. Prompts sent to LLM APIs do not contain personally identifiable data unless technically necessary and documented. Pseudonymisation or anonymisation upstream is our standard practice for any RAG pipeline or AI agent handling sensitive data.
Retention
Project data (code, configurations, files): contract duration + 12 months, then deleted. LLM API call logs: depending on provider and contract; Anthropic API and Mistral API document retention up to 30 days, and Zero Data Retention options depend on provider offer and approval. Contact form data: 12 months maximum. Backups: deleted within 30 days of contract end.
Data subject rights
If your end-users exercise their rights (access, rectification, erasure, restriction of processing, portability, objection) with you as data controller, we provide technical assistance within 5 business days.
Transfers outside the EU
For processing involving a non-EU provider without EU residency enabled, transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission. These transfers are documented in the DPA.

GDPR contact

For any data protection queries:

[email protected]

OLIXID SAS, 1 rue Marguerin, 75014 Paris, France

You may also contact the CNIL: www.cnil.fr

EU AI Act

Our position on the EU AI Act (Regulation (EU) 2024/1689)

What role does OLIXID play?

The AI Act distinguishes several actors. Depending on the project, OLIXID sits in one role or the other:

Deployer (Article 3.4)

When we integrate a third-party AI system into your environment, under your authority and for your use. The majority of our engagements.

Provider (Article 3.3)

When we develop an AI system under our name or trademark and put it on the market — typically an AI agent delivered and operated autonomously. In this case, provider obligations apply to us.

This distinction is documented contractually in each engagement.

Risk classification

The Act defines 4 risk levels. The vast majority of systems we build for SMEs fall in the "limited risk" or "minimal risk" category:

| Level | Examples | Main obligations |
|---|---|---|
| Minimal risk | Automated reporting, internal content generation | None (best practices recommended) |
| Limited risk | Customer chatbots, document summaries, quote agents | Transparency to end-user (Art. 50) |
| High risk (Annex III) | Credit scoring, recruitment, access to education or training | Documentation, human oversight, registration |
| Prohibited practices | Social scoring, manipulation AI (never in our scope) | Prohibited |

During the diagnostic phase, we assess the risk level of each use case. If a system reaches the "high risk" threshold, we inform the client and adapt deliverables (documentation, audit trails, mandatory human oversight). AI systems embedded in regulated products, such as certain medical devices, follow a separate high-risk pathway (Art. 6(1) and Annex I).

Transparency and human oversight

  • The end-user is informed they are interacting with an AI system (Art. 50).
  • A human fallback is designed into each relevant project (AI proposes, human validates).
  • High-stakes decisions (financial, HR, contractual) are never fully automated without explicit human validation.

Application timeline

| Date | What enters into force |
|---|---|
| 2 Feb 2025 | Ban on prohibited AI practices and AI literacy obligations (Art. 4) |
| 2 Aug 2025 | GPAI model obligations |
| 2 Aug 2026 | Full obligations for high-risk systems (Annex III) |
| 2 Aug 2027 | AI embedded in regulated products (Annex I) |

Quality & reliability

The anti-hallucination commitment

In each project, our systems are designed so every response cites its source. If no source is available, the system explicitly signals that a human must take over.

RAG architecture

The model is configured to answer from a document base controlled by your company, not from its own parameters.

Mandatory referencing

Every factual assertion is traced back to the source document (page, paragraph, internal reference). Your teams can verify the origin of the information.

Confidence guardrails

If the confidence score is insufficient, the system escalates to a human rather than producing an unsupported response.

Continuous monitoring

Responses are subject to continuous monitoring. Drift is identified and corrected as part of project follow-up.

Full audit trail

Every interaction is logged with its documentary context. Your teams can audit these histories.

This commitment is built into each RAG, document agent, or internal assistant project. It does not apply in the same way to creative generation systems or classification pipelines.
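As an added illustration (not OLIXID's code), the cite-or-escalate rule, the confidence threshold and the audit record described above can be enforced as a gate placed between the retriever and the reply. The threshold value, the `[doc p.N]` citation format and the sample documents are assumptions constructed for this example.

```python
"""Grounded-answer gate for a RAG assistant: answer only with cited,
sufficiently confident sources, otherwise escalate to a human.
Added example; threshold, citation format and sample data are constructed."""
import re
from dataclasses import dataclass

@dataclass
class Chunk:
    doc_id: str    # source document, e.g. "leave-policy.pdf"
    page: int      # page within that document
    text: str
    score: float   # retriever similarity in [0, 1] (constructed values below)

MIN_SCORE = 0.75   # assumed confidence threshold; tuned per project in practice
CITATION = re.compile(r"\[([^\]\s]+) p\.(\d+)\]")   # assumed format: [doc p.N]

def gate(question: str, chunks: list[Chunk], draft_answer: str,
         min_score: float = MIN_SCORE) -> dict:
    """Return an audit record: a cited answer or an escalation with its reason."""
    supported = [c for c in chunks if c.score >= min_score]
    known = {(c.doc_id, str(c.page)) for c in supported}
    # Split the draft into sentences; each one must carry a citation that
    # maps to a chunk above the confidence threshold.
    sentences = [s for s in re.split(r"(?<=[.!?])\s+", draft_answer.strip()) if s]
    uncited = [s for s in sentences if not CITATION.search(s)]
    unknown = set(CITATION.findall(draft_answer)) - known
    if not supported:
        status, reason = "escalate", "no source above confidence threshold"
    elif uncited or unknown:
        status, reason = "escalate", "assertion without a verifiable source"
    else:
        status, reason = "answer", None
    return {
        "question": question,
        "status": status,
        "reason": reason,
        "answer": draft_answer if status == "answer" else None,
        "sources": [{"doc": c.doc_id, "page": c.page, "score": c.score}
                    for c in supported],
        "top_score": max((c.score for c in chunks), default=0.0),
    }

if __name__ == "__main__":
    # Constructed retrieval results and model draft for a demo run
    hits = [Chunk("leave-policy.pdf", 4, "Employees accrue 2.5 days of leave per month.", 0.91),
            Chunk("onboarding.pdf", 2, "Badges are issued on day one.", 0.42)]
    draft = "Employees accrue 2.5 days of leave per month [leave-policy.pdf p.4]."
    print(gate("How much leave do employees accrue?", hits, draft))
```

Each returned record is what the project's audit trail would store: the question, the decision, the sources that backed it and the top retrieval score.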

Security

Our security baseline

OLIXID is not ISO 27001 or SOC 2 certified. We apply a rigorous security baseline and discuss specific certifications if your project or sector requires them. What we concretely do:

Secret management

  • No secret (API key, password, token) is ever committed to a code repository.
  • Use of secret managers in the relevant development, staging, and production environments.
  • API key rotation at the end of every project or when a team member leaves.

Access control

  • Least privilege principle: each team member only has access to resources necessary for their assignment.
  • Client code access: limited to engineers assigned to the project.
  • Two-factor authentication (2FA) mandatory on all tools.
  • Immediate access revocation at the end of the project.

Code repositories

  • Client project source code hosted in private GitHub repositories, under a dedicated organisation or transferred to your own at delivery.
  • No client code in public repositories.
  • Cross-code reviews before every production merge.

Encryption

  • Data in transit: TLS 1.2 minimum, TLS 1.3 recommended.
  • Data at rest: AES-256 encryption for all hosted databases and backup files.
  • Secrets and sensitive data exchanged only over encrypted channels — never by plain email.

Incident response

  • Detection and containment: as soon as possible following detection.
  • Client notification: within 24 business hours following detection.
  • CNIL notification if the personal data breach presents a risk to people: within 72 hours (Art. 33 GDPR).
  • Incident report: delivered within 5 business days.

Deletion timelines

  • End of project: client data deleted within 30 calendar days.
  • Debug logs: deleted within 7 days.
  • Staging environments: deactivated and deleted within 72 hours of delivery.

Intellectual property

You own everything we deliver.

Upon delivery and final payment for the project, the source code, trained models, configurations, pipelines and documentation belong entirely to the client. Ownership transfer is effective as soon as each milestone is paid in full. If the project is interrupted, intermediate deliverables already paid for remain your property. OLIXID retains no ownership rights over deliverables.

Source code
Transferred via GitHub (repository assigned or PR merged into your organisation). You have access to the full code from the first sprint, not just at final delivery.
Fine-tuned models
Model weights trained on your data belong to you. They are stored in your cloud environment or transferred to your servers.
Training data
Data and annotations remain under your control. OLIXID only accesses them for the purpose of the project.
Secrets and credentials
All API keys and identifiers used for your infrastructure are transferred to you at the end of the project.
Open source licences
Where we integrate open-source libraries, we document applicable licences (MIT, Apache 2.0, etc.). No restrictively licensed library (GPL copyleft) is integrated without explicit client validation.

OLIXID may reference your project as a commercial reference (sector, use case type, generic result) — unless a specific NDA is in place.

Sub-processors

Our sub-processor list

Any new sub-processor is notified to affected clients with 30 days' notice.

| Sub-processor | Service | HQ | Processing zone | Data processed |
|---|---|---|---|---|
| Anthropic, PBC | LLM API | San Francisco, US | US / EU via configured cloud (AWS or Google as processor) | Prompts and context (relevant projects) |
| Mistral AI SAS | LLM API | Paris, France 🇫🇷 | EU depending on offer and configuration | Prompts and context (relevant projects) |
| OpenAI, LLC | LLM API | San Francisco, US | US / EU depending on eligible offer and contract | Prompts and context (relevant projects) |
| Hetzner Online GmbH | Server hosting | Gunzenhausen, DE 🇩🇪 | Germany (EU) | Infrastructure, code, databases |
| Cloudflare, Inc. | CDN, DDoS, Turnstile | San Francisco, US | Global edge network (including EU and US) | HTTP requests, anonymised IPs |
| Plus Five Five, Inc. (Resend) | Transactional email | US | US | Email addresses, content |
| GitHub, Inc. (Microsoft) | Source code hosting | San Francisco, US | US (EU controller: GitHub B.V., Netherlands) | Source code, issues, CI/CD |

Sub-processors marked "relevant projects" only process data for projects configured with their API. A project using only one provider or a self-hosted deployment sends no data to the other LLM providers.

Self-hosted software

These tools are operated by OLIXID on our infrastructure. Data is not transferred to the software publisher; the hosting sub-processor remains Hetzner.

| Software | Publisher | Licence | Service | Hosting | Data processed |
|---|---|---|---|---|---|
| Twenty | Twenty.com PBC | AGPL-3.0 | Internal CRM (Olixid commercial data only) | Hetzner (operated by OLIXID) | Client contacts, commercial history |
| Umami | umami-software | MIT | Web analytics | Hetzner (operated by OLIXID) | Page views, anonymised sessions |

Continuous improvement

Audit & continuous improvement

This document is reviewed regularly, and systematically at every material change: new sub-processor, new LLM integrated into a project, regulatory update.

  • Internal security review: regular — access, secrets, repositories, configurations.
  • Regulatory monitoring: active tracking of CNIL, EDPB, and European Parliament publications (AI Act, ePrivacy, Data Act).
  • Sub-processor review: annual — verifying each sub-processor maintains GDPR commitments.

Frequently asked questions

Is my data used to train AI models?

No. We select commercial API offers whose terms exclude training on customer data by default. This is verified in the DPA or contractual terms for each project.

Can you process my data 100% in France or in the EU?

For 100% EU processing, yes: we can use a European provider or deploy a suitable open-source model on our Hetzner Germany servers or your own infrastructure. For 100% France-only processing, we confirm feasibility case by case based on the selected infrastructure and contract.

Are you ISO 27001 or SOC 2 certified?

No. We apply a rigorous security baseline (secret management, encryption, access control, code review) and commit to discussing specific certifications if your project or sector requires them.

Who owns the code and models you build?

The client, entirely, upon delivery and final payment. No exception. You have access to the code from the first sprint and the repository can be transferred to your GitHub organisation.

How do you handle model hallucinations?

For document agents, we configure a RAG architecture: the model is oriented toward a base controlled by your company, every response must cite its source, and a confidence score triggers escalation to a human if needed. A full audit trail allows tracing of every interaction.

Contact

A question about security or your data?

Two addresses, two answers within 2 business days:

Or by post: OLIXID SAS — 1 rue Marguerin — 75014 Paris, France

For CNIL complaints: www.cnil.fr

Next step

Let's talk about your project.

30 minutes to understand your challenges and tell you whether AI can genuinely help. No jargon. No commitment.

Video call or on-site · Confidential · Free