Trust Center

Trust, by design

At offgen.ai (operated by Aithera GmbH, Munich), we build AI tooling for European businesses where security can't be an afterthought. The data our customers and their users entrust to us shapes every engineering, supplier and policy decision we make — not as a constraint, but as the brief itself. EU hosting, ISO 27001 in progress, GDPR by design.

Compliance

Where we stand.

ISO 27001

In progress

Our information security management system (ISMS) is being audited against ISO/IEC 27001, the international standard for information security management systems. Certification has not yet been issued; this entry will read "Certified" once the audit is complete.

GDPR

Active

All customer data is hosted in the EU and processed in line with the General Data Protection Regulation (GDPR). Information on data-subject rights, our records of processing activities, and a Data Processing Agreement (DPA) are available on request.

Resources

Documents on request.

Send a short note and we'll share the relevant security artefacts directly. We don't gate these behind a self-serve portal because each document is issued with a current date and signature for your records.

Engagement Letter

Updated recently · PDF on request

Request access

Controls

Controls we operate against.

Mapped to ISO/IEC 27001: the Annex A controls, plus the management-system requirements of clauses 4 to 10 that govern the ISMS itself. Each item below is implemented and reviewed as part of our ISMS.

Infrastructure security

  • Information security for use of cloud services

    Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.

  • Use of cryptography

    Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.

  • Secure authentication

    Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.

  • Remote working

    Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.

  • Security of network services

    Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.

  • Clock synchronization

    The clocks of information processing systems used by the organization shall be synchronized to approved time sources.

  • Application security requirements

    Information security requirements shall be identified, specified and approved when developing or acquiring applications.

Organizational security

  • Determining the scope of the information security management system

    The organization shall determine the boundaries and applicability of the information security management system to establish its scope, considering external and internal issues, the requirements of interested parties, and interfaces and dependencies with other organizations. The scope shall be available as documented information.

  • Security of assets off-premises

    Off-site assets shall be protected.

  • Information security roles and responsibilities

    Information security roles and responsibilities shall be defined and allocated according to the organization’s needs.

  • Segregation of duties

    Conflicting duties and conflicting areas of responsibility shall be segregated.

  • Operation planning and control

    The organization shall plan, implement and control the processes needed to meet information security requirements, establish criteria for those processes, and control planned and unintended changes. Externally provided processes, products and services relevant to the ISMS shall be controlled.

  • Supporting utilities

    Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.

  • Cabling security

    Cables carrying power, data or supporting information services shall be protected from interception, interference or damage.

Product security

  • Secure development life cycle

    Rules for the secure development of software and systems shall be established and applied.

Internal security procedures

  • Legal, statutory, regulatory and contractual requirements

    Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet them shall be identified, documented and kept up to date.

  • Protection of information systems during audit testing

    Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.

  • Understanding the organization and its context

    The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its information security management system.

  • Understanding the needs of interested parties

    The organization shall determine interested parties relevant to the ISMS, their relevant requirements, and which of those requirements will be addressed through the ISMS.

  • Information security management system

    The organization shall establish, implement, maintain and continually improve an information security management system — including the processes needed and their interactions — in accordance with the requirements of ISO/IEC 27001.

  • Leadership and commitment

    Top management shall demonstrate leadership and commitment by ensuring the policy and objectives are set, integrating ISMS requirements into business processes, providing resources, communicating the importance of effective information security management, promoting continual improvement, and supporting other roles in their areas of responsibility.

  • Organizational roles, responsibilities and authorities

    Top management shall ensure responsibilities and authorities for information security roles are assigned and communicated, including responsibility for ISMS conformance and for reporting on ISMS performance.

  • Information security objectives and planning to achieve them

    The organization shall establish measurable information security objectives at relevant functions and levels, consistent with the policy, taking into account applicable requirements and risk-treatment results, and shall plan what will be done, what resources are required, who is responsible, when it will be completed and how results will be evaluated.

  • Communication

    The organization shall determine the need for internal and external communications relevant to the ISMS, including what, when, with whom and how to communicate.

  • Documented information

    The ISMS shall include documented information required by ISO/IEC 27001 and any further documented information determined as necessary for its effectiveness.

Ten further controls in this group are not listed here.

Data and privacy

  • Acceptable use of information and other associated assets

    Rules for the acceptable use, and procedures for handling, information and other associated assets shall be identified, documented and implemented.

  • Classification of information

    Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested-party requirements.

  • Labelling of information

    An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

  • Data leakage prevention

    Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.

Need a deeper review?

Procurement, IT or compliance teams can reach our security team directly for documentation, questionnaires, or a walk-through.

Email security@offgen.ai