- SSO via SAML 2.0 / OIDC with major IdPs (Okta, Azure AD, Keycloak, Google Workspace)
- Role-based access control with least-privilege defaults
- Hardware-backed MFA enforced on all admin paths
- Session boundaries · audit log on every privilege change
How Quanterios protects your data, your code, and your AI.
Region-pinned EU data planes. ISO 27001-aligned security controls. GDPR-anchored privacy. A responsible-AI framework built into the product itself, not bolted on after the fact.
Four answers, in writing.
Your data stays in the region you choose.
Quanterios runs three EU data planes: Frankfurt (primary, DACH), Dublin (failover, EU west), and Zurich (sovereign, CH residency). All customer data (CBOM contents, AIBOM contents, evidence packets, audit trails) is region-pinned at write time and never crosses regional boundaries.
- No transatlantic data egress · ever
- Failover stays inside the EU · GDPR-clean
- Optional CH residency for sovereign workloads
- Region-pinned backups · region-pinned logs
Controls, not promises.
Quanterios is built on a zero-trust architecture with cryptographic service identity, region-pinned data planes, and ISO 27001-aligned operational controls. Every claim below is either evidenced in our internal SOC 2 readiness package or verifiable in the product itself.
- TLS 1.3 in transit · ML-KEM-768 hybrid available (we eat our own dog food)
- AES-256 at rest · per-tenant data keys · KMS in region
- Customer-data isolation by tenant · no cross-tenant queries
- Backups encrypted, region-pinned, lifecycle-controlled
- Zero-trust network access · private VPC · no public ingress to control plane
- Mutual TLS between services · cryptographic service identity
- Web Application Firewall · DDoS protection · bot detection
- Container hardening · CIS-aligned base images · minimal attack surface
- Continuous vulnerability scanning · CVE patching SLA
- Penetration tests annually + on major release
- Incident response plan · 24×5 on-call rotation
- ISO 27001 alignment in progress · audit-ready
GDPR is the floor. Not the ceiling.
Quanterios was designed for GDPR from the first commit, not retrofitted. EU-based DPO, signed Data Processing Agreement available on request, no transatlantic data egress, and no training on customer data, full stop.
Where is my data stored?
In the EU region you select at signup (Frankfurt, Dublin, or Zurich). Data is region-pinned at write time and never moves between regions automatically. Region selection is enforced at the API gateway layer.
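To make the gateway-layer enforcement concrete, here is an added example that is not Quanterios code: a minimal in-memory model of an API gateway that resolves which data plane a tenant's request may touch. The tenant's home plane is recorded at signup, failover is allowed only to a plane in the same jurisdiction (so an EU tenant can move from Frankfurt to Dublin but a CH-sovereign tenant fails closed rather than spilling into an EU plane), any request that explicitly targets another plane is refused, and every decision is written to an audit list kept per plane so the log itself stays region-pinned. The region identifiers, the failover pairing, the "no failover out of Zurich" rule, and the tenant and request shapes are all assumptions constructed for the illustration.

```python
"""Region-pin enforcement at an API gateway (added example, not Quanterios code).

Everything here is constructed for illustration: region identifiers, the
failover pairing, the jurisdiction codes and the tenant/request records.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed region table. The page names three planes (Frankfurt primary,
# Dublin failover, Zurich sovereign); the identifiers and pairing are assumptions.
REGIONS = {
    "eu-frankfurt": {"jurisdiction": "EU", "failover": "eu-dublin"},
    "eu-dublin": {"jurisdiction": "EU", "failover": "eu-frankfurt"},
    # Sovereign CH plane: no failover target at all, so it fails closed instead
    # of moving CH-resident data into an EU plane (assumption for this example).
    "ch-zurich": {"jurisdiction": "CH", "failover": None},
}


@dataclass
class Tenant:
    tenant_id: str
    region: str  # chosen at signup; never changed automatically


@dataclass
class Request:
    tenant_id: str
    requester: str          # identity of the caller, recorded in the audit entry
    method: str             # "GET" or "PUT"
    data_class: str         # e.g. "cbom", "aibom", "audit"
    reason: str             # operational reason supplied by the caller
    requested_plane: Optional[str] = None  # only set if the client targeted a plane explicitly


def resolve_plane(home: str, healthy: Set[str]) -> Optional[str]:
    """Return the plane a tenant's request may touch: the home plane if healthy,
    otherwise its failover, but only when the failover shares the home plane's
    jurisdiction. None means the gateway must fail closed."""
    if home in healthy:
        return home
    fallback = REGIONS[home]["failover"]
    if (
        fallback is not None
        and fallback in healthy
        and REGIONS[fallback]["jurisdiction"] == REGIONS[home]["jurisdiction"]
    ):
        return fallback
    return None


class Gateway:
    """Stand-in for the API gateway layer that enforces the region pin."""

    def __init__(self, tenants: List[Tenant], healthy_planes: Set[str]):
        self.tenants: Dict[str, Tenant] = {t.tenant_id: t for t in tenants}
        self.healthy: Set[str] = set(healthy_planes)
        # One audit list per plane so the log never leaves the tenant's region.
        # (In-memory model; a real gateway would buffer while the home plane is down.)
        self.audit: Dict[str, List[dict]] = {name: [] for name in REGIONS}

    def handle(self, req: Request) -> dict:
        tenant = self.tenants[req.tenant_id]
        plane = resolve_plane(tenant.region, self.healthy)
        if plane is None:
            status, verdict = 503, "home plane unavailable and no in-jurisdiction failover"
        elif req.requested_plane not in (None, plane):
            status, verdict = 403, "request would cross a regional boundary"
        else:
            status, verdict = 200, "routed to pinned plane"
        # Audit entry carries requester identity, data accessed and the reason,
        # and is written to the tenant's home plane only.
        self.audit[tenant.region].append({
            "tenant": tenant.tenant_id,
            "requester": req.requester,
            "method": req.method,
            "data_class": req.data_class,
            "reason": req.reason,
            "status": status,
            "verdict": verdict,
        })
        return {"status": status, "plane": plane if status == 200 else None, "verdict": verdict}


def demo() -> List[dict]:
    """Run a constructed scenario: EU tenant fails over to Dublin, CH tenant fails closed."""
    gw = Gateway(
        [Tenant("acme", "eu-frankfurt"), Tenant("bank", "ch-zurich")],
        {"eu-frankfurt", "eu-dublin", "ch-zurich"},
    )
    results = [gw.handle(Request("acme", "alice", "PUT", "cbom", "scan upload"))]
    results.append(gw.handle(Request("acme", "alice", "GET", "cbom", "review", requested_plane="us-east-1")))
    gw.healthy.discard("eu-frankfurt")
    results.append(gw.handle(Request("acme", "alice", "GET", "audit", "incident review")))
    gw.healthy.discard("ch-zurich")
    results.append(gw.handle(Request("bank", "bob", "GET", "aibom", "quarterly audit")))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The fail-closed branch is the point worth checking in any real gateway: availability pressure is exactly when a system is tempted to serve a sovereign tenant from whichever plane is up, and the pin has to win that argument.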
Who has access to my data?
Only the named customer team and Quanterios engineers explicitly authorised under your DPA. All access is logged with the requester's identity, the data accessed, and the operational reason. Customer data access by Quanterios staff is rare and only happens for support cases you initiate.
Is my data used to train models?
No. Quanterios does not train models on customer data. The Decision Engine is grounded in our proprietary migration-outcomes corpus, which uses anonymised aggregate signals, never raw customer content. Opt-in granular contributions to the corpus are explicitly negotiated per customer.
How long is data retained?
Customer-controlled. Default retention windows are configurable per data class (CBOM scans, AIBOM events, audit logs). On contract termination, all data is deleted within 90 days unless you instruct otherwise; you can also export everything in machine-readable form before that.
What about subprocessors?
Public list maintained at the bottom of this page. Every subprocessor sits in the EU, is GDPR-compliant, and is contractually bound by our DPA terms. We notify you 30 days before any subprocessor change.
The above is a plain-language summary, not a legal-grade privacy notice. Before this page goes to production, please have a German DPO and a privacy lawyer review and sign off on this content, the Data Processing Agreement template, and the subprocessor list. The same applies to any Terms of Service and DPA documents linked elsewhere on the site.
Six principles. Applied to our own product first.
Quanterios sells AI governance. We have to live the discipline ourselves. The six positions below shape how the AI Decision Engine is built, deployed, and audited.
Every risk score, every migration playbook, every runtime block carries the source evidence with it. We do not ship un-cited model output.
Risk scoring is rule-based + XGBoost, auditable, reproducible, never hallucinated. LLM reasoning sits on top, not underneath.
We do not fine-tune our models on customer content. Our migration-outcomes corpus uses anonymised aggregate signals only.
Crypto Agility API algorithm swaps require explicit policy authorisation. AI Runtime denials are auditable and customer-overridable.
We classified the platform's own AI components against the EU AI Act risk tiers. Where high-risk obligations apply, we meet them: transparency, human oversight, post-market monitoring, and technical documentation.
We use third-party LLMs (Claude, OpenAI fallback) with fully signed contracts, EU data-residency where available, and no-training agreements. Model versions are pinned in our AIBOM.
The full list. Updated continuously.
Every third party that processes any data on behalf of Quanterios is listed below. Customers are notified 30 days before any change to this list. All subprocessors are contractually bound by our DPA terms.
Need our security, privacy, or DPA package?
Procurement, security review, vendor risk assessment: we have a packet ready. Email trust@quanterios.com and we'll respond within one business day.