Security & Trust

Regulated banks demand this. We built for it.

SOC 2 Type I audited. German hosting. Zero-trust architecture. Your data never trains our models — not as a policy, but as a technical and contractual guarantee.

SOC 2 Type I
GDPR / DSGVO
DORA
EU AI Act
Germany Hosted
MaRisk / BAIT
Your data never trains our models.
Not as a promise in a blog post — as a technical constraint and a clause in your contract. Customer data is never used to train, fine-tune or evaluate any ACCELERAID model.
Completely siloed. Zero shared infrastructure.
Isolated data stores per customer. No shared compute for sensitive workloads. Cross-tenant access is architecturally impossible — not just against policy.
Full audit trail. Not an add-on.
Every data access, model inference, agent action and config change logged with full lineage. Immutable, BaFin-ready, exportable. Included in every deployment — not gated, not sold separately.
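One way to obtain the "immutable, exportable, full lineage" properties claimed above is an append-only, hash-chained log in which every entry authenticates the one before it. The block below is an added example, not ACCELERAID's code: it assumes a per-deployment HMAC key (DEPLOYMENT_KEY, hypothetical) in place of a real signing key or WORM store, and the event fields and sample events are constructed for illustration.

```python
"""Tamper-evident audit trail with lineage links.

Added example, not ACCELERAID's code. Assumes a per-deployment HMAC key
(DEPLOYMENT_KEY, hypothetical) in place of a real signing key or WORM store;
event fields and the sample events are constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

GENESIS = "0" * 64
DEPLOYMENT_KEY = b"deployment-demo-key-not-for-production"


class AuditTrail:
    """Append-only log: each entry carries the MAC of the previous entry,
    so editing, deleting or reordering any entry breaks verification."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "mac"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def append(self, ts: str, actor: str, action: str, resource: str,
               lineage: Optional[list] = None) -> dict:
        """lineage: seq numbers of earlier entries this event derives from,
        e.g. an inference pointing at the data access that fed it."""
        entry = {
            "seq": len(self.entries),
            "ts": ts,
            "actor": actor,
            "action": action,
            "resource": resource,
            "lineage": lineage or [],
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        for ref in entry["lineage"]:
            if not 0 <= ref < entry["seq"]:
                raise ValueError(f"lineage must point at an earlier entry: {ref}")
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Returns (ok, index): index is the entry count if ok, otherwise the
        position of the first entry that fails the chain or MAC check."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False, i
            if not hmac.compare_digest(self._mac(e), e["mac"]):
                return False, i
            prev = e["mac"]
        return True, len(self.entries)

    def export_jsonl(self) -> str:
        """One JSON object per line; an auditor re-runs verify() after import."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

    @classmethod
    def load_jsonl(cls, key: bytes, text: str) -> "AuditTrail":
        trail = cls(key)
        trail.entries = [json.loads(line) for line in text.splitlines() if line]
        return trail


def demo() -> dict:
    """Constructed events: a data access, the inference it fed, an agent
    action, then tampered copies that verification must reject."""
    trail = AuditTrail(DEPLOYMENT_KEY)
    trail.append("2024-05-01T09:00:00Z", "svc-cdp", "data.read", "customers/C-1001")
    trail.append("2024-05-01T09:00:01Z", "svc-model", "model.infer", "churn-v3", lineage=[0])
    trail.append("2024-05-01T09:00:02Z", "agent-retention", "agent.action", "campaign/42", lineage=[1])
    intact = trail.verify()

    tampered = AuditTrail.load_jsonl(DEPLOYMENT_KEY, trail.export_jsonl())
    tampered.entries[1]["resource"] = "churn-v2"      # silent edit of history
    edited = tampered.verify()

    truncated = AuditTrail.load_jsonl(DEPLOYMENT_KEY, trail.export_jsonl())
    del truncated.entries[1]                          # delete an entry
    deleted = truncated.verify()
    return {"intact": intact, "edited": edited, "deleted": deleted}


if __name__ == "__main__":
    print(demo())
```

The chain gives tamper evidence, not tamper resistance: whoever holds the key can rewrite history, so in practice the key lives in an HSM or the MACs are anchored periodically in storage the operators cannot alter. The lineage field is what lets an auditor walk from an agent action back to the inference and the data read that produced it.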

How we protect your data — layer by layer.

Layer 1 — Access Control

No one has standing access to production. Ever.

Zero-trust means every request is authenticated and authorised individually. Role-based access controls. Principle of least privilege. Just-In-Time (JIT) privileged access — elevated permissions exist only for the duration of a specific task, then expire automatically.

Multi-factor authentication is mandatory. SSO/SAML supported. Administrative sessions are authenticated via IAM and run over TLS. No standing admin access to databases or production systems.

Access control model
  • Zero-trust: no implicit trust; every request authenticated individually.
  • Just-In-Time access: elevated permissions expire immediately after use.
  • Least privilege: every role has the minimum access it needs, nothing more.
  • MFA enforced: mandatory for all accounts, no exceptions.
Encryption stack
  • TLS 1.3 in transit: all data encrypted in motion.
  • AES-256 at rest: separate keys per customer; BYOK available.
  • Field-level PII firewall: redaction before any model touches data.
  • Frankfurt, Germany: Azure Germany North / Google Cloud europe-west3. Data never leaves the EU.
Layer 2 — Data Security

Encrypted everywhere. Siloed by design.

TLS 1.3 in transit. AES-256 at rest. Separate encryption keys per customer — key access is restricted and logged. Bring Your Own Key (BYOK) available for highest-sensitivity deployments.

PII is filtered and redacted at field level before any data reaches a model. Pseudonymisation and data minimisation applied as standard. Every customer's data is completely siloed — not just logically separated, but architecturally isolated.

Layer 3 — AI Governance

AI that is explainable, auditable and containable.

Every AI-driven decision includes a traceable explanation with feature importance — making it contestable under GDPR Art. 22. Model outputs are audit-ready for BaFin and ECB review from day one. No black boxes.

Geo-restrictions ensure model requests and responses remain within compliant jurisdictions. Sensitive Data Scanner detects PII entering model prompts and applies automatic redaction or alerts before inference.

Your data never trains our models — not in development, not in production, not ever. This is a contractual clause in your DPA, backed by technical controls that make it impossible, not just prohibited.
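A concrete shape for the field-level PII firewall (Layer 2) and the prompt-side Sensitive Data Scanner described above, as an added example rather than ACCELERAID's own implementation. It assumes a per-tenant HMAC key (TENANT_KEY, hypothetical) stands in for the per-customer key material, the field allow-list and the IBAN/e-mail regexes are illustrative, and the sample record and prompt are constructed.

```python
"""Field-level PII firewall in front of a model call.

Added example, not ACCELERAID's code. Assumptions: a per-tenant HMAC key
(TENANT_KEY, hypothetical) stands in for the per-customer key material, the
field lists are illustrative, and the regexes are a minimal scanner for
IBANs and e-mail addresses (a production scanner would use a vetted library).
"""
import hashlib
import hmac
import re

# Allow-list of fields the model is permitted to see (data minimisation).
MODEL_FIELDS = {"customer_id", "name", "iban", "balance", "segment"}
# Fields that are PII and must be pseudonymised even when allowed through.
PII_FIELDS = {"name", "iban", "email", "date_of_birth"}

# Minimal detectors for free-text prompts (illustrative, not exhaustive).
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}(?:\s?[A-Z0-9]{1,4})?\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample input (not real customer data).
TENANT_KEY = b"tenant-a-demo-key-not-for-production"
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Erika Mustermann",
    "iban": "DE89 3704 0044 0532 0130 00",
    "email": "erika@example.org",
    "date_of_birth": "1980-01-01",
    "balance": 12500.0,
    "segment": "retail",
}
SAMPLE_PROMPT = ("Summarise risk for account DE89 3704 0044 0532 0130 00, "
                 "contact erika@example.org.")


def pseudonymise(value: str, tenant_key: bytes) -> str:
    """Keyed, deterministic pseudonym: stable inside one tenant so joins
    still work, unlinkable across tenants because each has its own key."""
    digest = hmac.new(tenant_key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseu_" + digest[:16]


def firewall_record(record: dict, tenant_key: bytes) -> dict:
    """Apply minimisation (drop non-allow-listed fields) and field-level
    pseudonymisation before the record is handed to a model."""
    safe = {}
    for field, value in record.items():
        if field not in MODEL_FIELDS:
            continue                      # the model never sees this field
        if field in PII_FIELDS:
            safe[field] = pseudonymise(str(value), tenant_key)
        else:
            safe[field] = value
    return safe


def scan_prompt(prompt: str, tenant_key: bytes, policy: str = "redact"):
    """Detect PII in free text before inference. policy='redact' replaces
    each hit with a pseudonym; policy='block' raises so the caller can alert
    instead of sending the prompt. Returns (redacted_prompt, findings)."""
    findings = []

    def replacer(kind):
        def _sub(match):
            findings.append(kind)
            return pseudonymise(match.group(0), tenant_key)
        return _sub

    redacted = IBAN_RE.sub(replacer("iban"), prompt)
    redacted = EMAIL_RE.sub(replacer("email"), redacted)
    if findings and policy == "block":
        raise ValueError(f"PII in prompt, refusing inference: {findings}")
    return redacted, findings


if __name__ == "__main__":
    print(firewall_record(SAMPLE_RECORD, TENANT_KEY))
    print(scan_prompt(SAMPLE_PROMPT, TENANT_KEY))
```

The pseudonym is deterministic within a tenant, so the platform (which holds the key) can join model output back to the real record, while the model never receives the raw value. The same input under a different tenant key yields an unrelated pseudonym, which is what keeps tenants unlinkable; the key therefore needs the same protection as the per-customer encryption keys.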

AI governance controls
  • Explainability by default: feature importance for every prediction. GDPR Art. 22 compliant.
  • EU AI Act conformity assessment: performed for every high-risk AI module.
  • AI Risk Assessment: documented methodology per module. Available on request.
  • Model registry: full version history, lineage and governance docs on demand.

Five domains. Independently audited.

Covered in our SOC 2 Type I report. Full documentation in the Trust Center.

Infrastructure
  • Encryption keys restricted & logged
  • MFA enforced, all accounts
  • Prod access restricted
  • Network & firewall controls
  • DDoS protection
  • BC/DR tested annually
Product
  • Secure SDLC
  • 3rd-party pen testing
  • Responsible disclosure
  • Patch management automated
  • SSO/SAML supported
  • Incident response plan
Organisation
  • NDA — all staff & contractors
  • Security awareness training
  • Code of Conduct enforced
  • Risk management programme
  • Anti-malware & endpoint enc.
  • Mobile device management
Data & Privacy
  • DPA signed before processing
  • Data deleted at contract end
  • Data classification policy
  • SCCs for intl. transfers
  • Data subject rights workflows
  • Retention procedures
AI Governance
  • AI Policy & Framework
  • Risk assessment per module
  • Explainability & bias monitoring
  • EU AI Act assessment
  • No-training contractual clause
  • Model registry & lineage

Every framework that matters to a European bank.

Not just GDPR. The full regulatory stack — built in, not bolted on.

GDPR / DSGVO
Privacy by design. PII filtering, consent management, data subject rights (Art. 15–22). Every AI output explainable under Art. 22. Technical and organisational measures audited.
DORA
ICT risk management documentation, incident reporting workflows, third-party ICT governance, resilience testing. DPA includes DORA-aligned provisions for ICT third-party service providers.
EU AI Act
Conformity assessment per AI module. Risk categorisation, human oversight, bias monitoring and model documentation for high-risk AI system requirements.
MaRisk / BAIT
Data governance, model risk management, IT outsourcing compliance. Supports audit requirements under MaRisk AT 7.2 (technical and organisational resources, including IT) and AT 9 (outsourcing).
BCBS 239 / FINREP / COREP
Regulatory reporting outputs pre-built. Data lineage and aggregation rules aligned with BCBS 239 principles. Full risk data aggregation documentation included.
SOC 2 Type I
Independently audited for security, availability, processing integrity, confidentiality and privacy. Zero exceptions in latest audit cycle. Full report via Trust Center under NDA.

Your infrastructure. Your rules.

ACCELERAID runs in your environment — not the other way around.

Option 01
Private Cloud
Single-tenant on Azure Germany North or Google Cloud Frankfurt. Fully isolated infrastructure — no shared resources. BYOK available. Data residency contractually guaranteed in DPA.
Option 02
On-Premises
Full deployment inside your own data centre. No outbound connections required. CDP, AI models, reporting, orchestration — everything runs inside your perimeter. Preferred for highest data sovereignty requirements.
Option 03
Hybrid
Azure, AWS or GCP in a European region. BYOK. Standard Contractual Clauses for all international transfers. Flexible architecture — compute in the cloud, sensitive data on-premises.

Our bank clients pass BaFin audits with us. We're ready for yours.

17 years in regulated European financial services means we have seen every security questionnaire, every procurement checklist, every IT security review process. The Trust Center has everything your team needs to complete their assessment — without a month of back-and-forth.

SOC 2 Type I report (under NDA)
Penetration test attestation letter
Data Processing Agreement (DPA)
Security policy documentation
Sub-processor list

Verified track record

17+
Years in regulated markets
250+
Enterprise deployments
0
SOC 2 exceptions

ACCELERAID is built by a team with 17+ years in regulated European financial services. Our bank clients have successfully passed BaFin, ECB and internal security audits using ACCELERAID — and we have all documentation ready from day one.

Everything your team needs is in the Trust Center.

SOC 2 Type I · Penetration test letter · DPA · Policies · Sub-processor list
Powered by SecFix. Available on request.


The questions we get asked most.

Does ACCELERAID train models on my data?
Never. Customer data is never used to train, fine-tune or evaluate any ACCELERAID model. This is a contractual clause in your Data Processing Agreement — and a technical constraint, not just a policy. Your data is used exclusively to operate your instance of the platform.
Where exactly is my data stored?
By default, in Germany — Azure Germany North or Google Cloud europe-west3 (Frankfurt). On-premises and hybrid options are available. Data residency is contractually guaranteed in your DPA. Data never leaves the EU without explicit instruction. Standard Contractual Clauses are included for all international transfers.
What certifications does ACCELERAID hold?
SOC 2 Type I attestation report (independently audited, zero exceptions in the latest cycle). The full SOC 2 report is available under NDA via the Trust Center. Frameworks addressed beyond SOC 2: GDPR, DORA, EU AI Act, MaRisk/BAIT, BCBS 239.
Can we conduct a vendor security assessment?
Yes — the Trust Center is built for exactly this. Available: SOC 2 Type I report, penetration test attestation letter, Data Processing Agreement, security policies and sub-processor list. Contact us for a security briefing call with our technical team — we do these regularly.
How does ACCELERAID handle GDPR Art. 22 for AI decisions?
Every AI-driven decision includes a documented explanation with feature importance, making it explainable and contestable. This is built into the platform architecture — not a post-hoc reporting layer. PII filtering, consent management, data subject rights workflows and data minimisation are all standard. Technically and organisationally audited in SOC 2 Type I.
Is ACCELERAID compliant with DORA?
Yes. ICT risk management documentation, incident classification and reporting, third-party ICT provider governance, operational resilience testing support — all covered. The DPA includes DORA-aligned contractual provisions for ICT third-party service providers under Art. 30.
Can ACCELERAID be deployed fully on-premises?
Yes. Full on-premises deployment inside your own data centre. No outbound data connections required. The complete platform — CDP, prediction models, AI agents, reporting, campaign orchestration — runs within your security perimeter. This is the default choice for institutions with the most stringent data sovereignty requirements.
What happens to our data when we end the contract?
Securely and irreversibly deleted, in accordance with the retention periods specified in your DPA. A data deletion confirmation document is issued on request. ACCELERAID retains no customer data after the contractual relationship ends.
Do you conduct penetration testing?
Yes — regular third-party penetration testing by independent security specialists. The attestation letter is available via the Trust Center. We also operate a responsible disclosure programme for security researchers.