Trust & Security
Developed in Germany. Hosted in Germany. Support from Germany. You stay in control — Felix prepares, you approve.
📍 Where your data resides
Backend, database and authentication run via Supabase in the AWS region eu-central-1 (Frankfurt). Web hosting is provided by IONOS (Germany). All personal data remains within the EU; backups are likewise held in the EU region.
🤖 AI transparency (Felix)
For AI-assisted analyses and the compliance CoWorker Felix, AIGOY uses the Claude model from Anthropic PBC (USA).
No-training commitment: Anthropic is contractually bound not to train its models on data submitted via the API.
Third-country transfer: Standard Contractual Clauses (SCC, Art. 46(2)(c) GDPR) in conjunction with the EU-U.S. Data Privacy Framework; a DPA under Art. 28 GDPR is in place.
Four-eyes principle: Felix never acts on its own — every execution runs through the four-eyes approval.
🚀 Outlook: EU inference (AWS Bedrock Frankfurt) and BYOK (Bring Your Own Key / model choice) are in preparation.
📝 Sub-processors
| Provider | Location | Purpose | Note |
|---|---|---|---|
| IONOS SE | Germany 🇩🇪 | Web hosting | DPA Art. 28 |
| Supabase Inc. | AWS eu-central-1, Frankfurt 🇩🇪 (EU) | Backend, database, auth, edge functions | DPA Art. 28, SOC 2 Type II |
| Anthropic PBC | USA 🇺🇸 | AI service (Claude model) | No training on data, SCC/DPF, DPA Art. 28 |
| Stripe Payments Europe, Ltd. | Dublin, Ireland 🇮🇪 (EU) | Payment processing | Business/Enterprise only |
🔒 Technical & organisational measures (TOM)
- TLS 1.2+ in transit, AES-256 at rest
- Row Level Security (RLS) at the database layer
- INSERT-only audit trail — immutable logging
- Four-eyes approval cockpit for all Felix actions
- Least-privilege access model
- EU backups
⚖ Your rights & compliance
You may exercise your data subject rights under Art. 15–22 GDPR at any time. A DPA under Art. 28 GDPR is available on request. AIGOY is aligned with the EU AI Act, NIS2 and DORA.
For more details, see our privacy policy.
Last updated: May 2026.