Data Security and Compliance
The controls behind the deployment: office boundary, RODO/GDPR, EU residency, encryption, audit trail, no training, and exit.
Office boundary — one deployment, one kancelaria.
The first deployment is single-office by design: one edge server, one local database, one local index, and one audit trail for that kancelaria. Client data is not pooled across offices. Internal matter-level access control can be added later for offices that need it, but it is not required for the first deployment model.
- Single-office edge deployment
- Separate local store and index per client office
- No shared central case database
- Local audit trail for reads, queries, and generated outputs
- Matter-level ACL available as a later hardening option
RODO / GDPR — by design, not bolted on.
Data-protection obligations are reflected in the deployment shape before they are described on paper. The first deployment pack includes a DPIA worksheet, a data-processing agreement, and a sub-processor list. The durable client record stays on the edge.
- DPIA worksheet · prepared for bailiff-office workflows
- Data Processing Agreement · PL & EN
- Right-to-erasure procedure · file and case level
- Sub-processor list · short, current, EU-only
- EU-EU processing path
EU residency — index on-prem, inference in Germany.
The index sits on hardware inside your office. Standard inference runs on Hetzner servers in Germany, under a contract governed by EU law. A separate enterprise package can move inference onto client premises.
- Index location: your edge server
- Standard inference location: Hetzner Online GmbH · Germany
- Enterprise inference location: your premises
- Backup / DR: EU-only, encrypted, on your edge server
CLOUD Act — out of scope, structurally.
No US provider sits anywhere in the stack — not just for client data, but across the whole product and engineering supply chain. Bare metal, inference, billing, operations tooling, internal SaaS tools — every layer runs on an EU vendor. We are happy to walk through the supply chain on the call.
Encryption — at rest on the edge, encrypted in transit.
- Encrypted local volumes for the edge store
- TLS / NetBird-protected path to EU inference
- Key handling and restore runbook included in the deployment pack
Audit — every query and generated output stays reviewable.
The first deployment records user, action, case reference, retrieval mode, inference transit metadata, and generated-output events on the edge server. Payload logging is avoided; the audit trail is for accountability, debugging, and DPO review.
No training on your data — architectural, not just contractual.
The inference server runs in inference-only mode; weights are read-only and pinned per release. Training data pipelines do not exist on this infrastructure. The contract states it; the architecture makes it true.
Exit — clean offboarding, certified wipe.
On cancellation, the office exports what it must retain — audit log copies, generated reports, summaries, and configuration. The edge device is wiped according to the deployment runbook. Because client case data is not stored centrally, offboarding does not require a central data purge.
A DPO can read this.
So can an inspector.
Every hop, every role change, every transit — appended on your edge server, signed, exportable. Below: a realistic excerpt from a typical office day.
2026-04-22T09:14:03+02:00 user=jkowalski action=query case=KM/2024/0123 scope=local-only bytes_out=0
2026-04-22T09:14:18+02:00 user=jkowalski action=summarize case=KM/2024/0123 scope=eu-gpu tokens_out=412 tokens_in=298
2026-04-22T09:14:18+02:00 system action=transit peer=eu-gpu-01 tls=1.3 sni=gpu.lexindex.eu
2026-04-22T09:14:21+02:00 system action=receive bytes_in=2104 persisted_remote=false
2026-04-22T09:18:44+02:00 user=anowak action=qa case=KM/2023/0871 scope=local-only bytes_out=0
2026-04-22T11:02:09+02:00 admin=mwitkowski action=role.set target=anowak role=komornik-asystent
2026-04-22T17:30:00+02:00 system action=log.sign range=09:14..17:30 sig=ed25519:7f3a...b2c0
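As an added example (not part of the deployment pack or the product's own tooling), a small Python checker that parses records in the excerpt's key=value format and flags entries contradicting the stated controls: local-only work sends no payload bytes, remote inference persists nothing, each eu-gpu request has a receive record, and the range is signed. The sample lines are constructed from the excerpt above, and the invariants are an assumption about what a DPO review would verify.

```python
# Constructed sample in the excerpt's format; values are illustrative, not real records.
SAMPLE_LOG = """\
2026-04-22T09:14:03+02:00 user=jkowalski action=query case=KM/2024/0123 scope=local-only bytes_out=0
2026-04-22T09:14:18+02:00 user=jkowalski action=summarize case=KM/2024/0123 scope=eu-gpu tokens_out=412 tokens_in=298
2026-04-22T09:14:18+02:00 system action=transit peer=eu-gpu-01 tls=1.3 sni=gpu.lexindex.eu
2026-04-22T09:14:21+02:00 system action=receive bytes_in=2104 persisted_remote=false
2026-04-22T09:18:44+02:00 user=anowak action=qa case=KM/2023/0871 scope=local-only bytes_out=0
2026-04-22T11:02:09+02:00 admin=mwitkowski action=role.set target=anowak role=komornik-asystent
2026-04-22T17:30:00+02:00 system action=log.sign range=09:14..17:30 sig=ed25519:7f3a...b2c0
"""

def parse_line(line):
    """First token is the timestamp; 'key=value' tokens become fields and a bare
    token such as 'system' names the actor. 'user=' / 'admin=' also set actor."""
    ts, *tokens = line.split()
    rec = {"ts": ts}
    for tok in tokens:
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
        else:
            rec["actor"] = key
    rec.setdefault("actor", rec.get("user") or rec.get("admin"))
    return rec

def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]

def check_invariants(records):
    """Return findings for records that contradict the stated controls
    (assumed review rules, not a rule set shipped with the product)."""
    findings = []
    for r in records:
        # Local-only work must never send payload bytes off the edge.
        if r.get("scope") == "local-only" and r.get("bytes_out") != "0":
            findings.append(f"{r['ts']} local-only action with bytes_out={r.get('bytes_out')}")
        # Remote inference must confirm that nothing was persisted remotely.
        if r.get("action") == "receive" and r.get("persisted_remote") != "false":
            findings.append(f"{r['ts']} receive without persisted_remote=false")
    remote = sum(1 for r in records if r.get("scope") == "eu-gpu")
    received = sum(1 for r in records if r.get("action") == "receive")
    if remote != received:
        findings.append(f"{remote} eu-gpu requests but {received} receive records")
    if not any(r.get("action") == "log.sign" for r in records):
        findings.append("no log.sign record: range is not signed")
    return findings

if __name__ == "__main__":
    print(check_invariants(parse_log(SAMPLE_LOG)) or "all controls hold")
```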
On your edge server.
Append-only by service account. Backups are encrypted before leaving the edge environment.
You set it.
The deployment starts with a conservative retention policy and can be adjusted with your DPO.
CSV · JSON · signed PDF.
For your DPO, your KRK inspection, or your own quarterly review.