Security & Trust
Last updated: 17 June 2026 · Pilot phase
1. Operating Posture
Aram Algorithm operates in pilot phase as a US sole proprietorship (Kansas, USA), with a planned reorganisation into a German UG (haftungsbeschränkt) or GmbH no later than the third paying client. The service is engineered around de-identification by construction: clients run the intake locally; only an anonymised case YAML (no names, no employee IDs, no birth dates, no Aktenzeichen above LAG level) is transmitted to the controller. Raw evidence and the identity of the data subject remain on the client’s device.
2. Sub-Processors
The following sub-processors are engaged for the website and the pilot review workflow. All transfers from EU data subjects are covered by Standard Contractual Clauses (SCCs) and a Transfer Impact Assessment available on request.
| Sub-processor | Purpose | Region | Transfer mechanism | Status |
|---|---|---|---|---|
| Cloudflare, Inc. | Website delivery, DDoS protection, server logs | USA (global CDN; EU edges preferred for EU visitors) | SCCs Module 2, EU-U.S. DPF, supplemented by TIA | Live |
| Calendly, Inc. | Scheduling briefing calls (name, email only) | USA | SCCs Module 2, EU-U.S. DPF, supplemented by TIA | Live |
| Bunny.net (BunnyCDN s.r.o.) | Privacy-preserving web font delivery (no IP logging) | Slovakia, EU | Intra-EU; no third-country transfer | Live |
| GitHub, Inc. | Source-code hosting (no client data) | USA | SCCs Module 2, EU-U.S. DPF | Live |
| Controller laptop (Kansas, USA) | Pilot-phase YAML review & report generation | USA | SCCs Module 1 (Controller-to-Controller); to be relocated to EU on entity reorganisation | Live |
| EU compute (planned) | Single-tenant, encrypted-at-rest review environment | Frankfurt am Main, Germany | Intra-EU; activates on entity reorganisation | Planned |
Changes to this list are reviewed before each release and announced to active clients in writing. Material additions trigger the audit-rights and right-to-object procedures in the DPA.
3. Technical & Organisational Measures (TOMs)
- Encryption in transit: TLS 1.2+ on all public endpoints; HSTS enforced; HTTP-to-HTTPS redirect at the CDN edge.
- Encryption at rest: Client YAMLs are stored encrypted with per-engagement keys; keys held only on the controller’s reviewing device under full-disk encryption.
- Access control: Named personnel only (currently: founder); two-factor authentication on all service accounts; written confidentiality obligation referencing duties in the style of § 203 StGB and § 43e BRAO.
- Logging: Access to client YAMLs is logged with timestamp, action, and operator identity; logs retained for the engagement lifetime plus 12 months.
- Retention & erasure: Client YAMLs are deleted within 30 days of report delivery unless the client requests retention in writing; cryptographic erasure on key destruction.
- No model training: No client data — including de-identified YAML — is ever used to train, tune, fine-tune, or evaluate any machine-learning model.
- Backups: Engagement-scoped only; encrypted; same retention as primary store.
- Vulnerability management: Dependencies reviewed before each release; security headers (CSP, HSTS, Referrer-Policy, Permissions-Policy) enforced at the edge.
- Incident response: Personal-data breach notification to the affected client within 72 h of becoming aware; root-cause memo within 14 days.
4. Data Processing Agreement (Art. 28 GDPR)
A DPA referencing the SCCs is signed with every client before any processing of personal data begins, including the pilot phase. It covers: subject-matter and duration, nature and purpose, categories of data and data subjects, controller obligations, audit rights, sub-processor consent, incident-notification SLA, return and erasure on termination, and liability allocation.
5. EU AI Act — Article 14 Human Oversight
Aram Algorithm is positioned as a decision-support tool under Art. 6(3) EU AI Act, used by legally qualified human reviewers. Meaningful human oversight (Art. 14) is provided by: deterministic, citable rules (not opaque inference); per-gate evidence anchors; explicit failure modes; and a reviewer who must accept, reject or escalate every machine-suggested finding before it reaches the client report. The Article 14 oversight one-pager is available on request.
6. Certifications
Aram Algorithm does not currently hold ISO 27001, SOC 2, BSI C5 or TISAX certification. A pursuit programme is planned to start after the second paying client and to target the first certification (likely BSI C5 Type 1 or ISO 27001) within twelve months of the German entity reorganisation. Until then, this Security & Trust page, the DPA and the TIA constitute the documented assurance posture.
7. Contact
Security questions and DPA / TOM / sub-processor list requests: mano@aramalgorithm.ai. Personal-data breach notifications to clients are sent from the same address.
