Enterprise-grade security. Verifiable.
Data stored in Europe, complete GDPR DPA, no use for AI training guaranteed by contract. An audit record for every critical action.
In summary
In summary
Enterprise-grade security. Documents stored on European cloud infrastructure (Frankfurt, Germany) with encryption in transit and at rest. Data processing fully compliant with the GDPR, governed by a complete Art. 28 DPA, with declared sub-processors and Standard Contractual Clauses where applicable. Customer data is never used to train AI models — guaranteed by contract.
For organizations with particular compliance or confidentiality requirements (regulated sectors, highly sensitive data, dedicated architectures), DeepNeural can be tailored with a dedicated enterprise onboarding path.
Storage in Europe, AI processing under Standard Contractual Clauses.
Documents uploaded to DeepNeural are stored exclusively on European cloud infrastructure. Encryption is active both in transit (TLS 1.2 or higher) and at rest (AES-256).
When you make a request, the context needed for the answer is transmitted to the AI models for processing and returns to the EU. Any transfers outside the EU are covered by the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) and, where applicable, by the EU-US Data Privacy Framework.
The complete and contractually binding list of sub-processors is available in the DPA Art. 7. Any changes are subject to 30 days’ notice with a right to object.
Technical and organizational measures, Art. 32 GDPR.
The measures below are the ones declared in the DPA Art. 9 and applied in production today.
Per-organization isolation
Row Level Security at the PostgreSQL level: each organization accesses only its own data. The backend uses the Supabase service role, never exposed to the client.
Encryption everywhere
TLS 1.2+ for client ↔ server communications. AES-256 on data at rest. User passwords protected with bcrypt + salt.
Strict input validation
Zod schemas on every API endpoint. Checking the real MIME type of uploaded files through magic-byte analysis, not just the extension.
Defenses against abuse
Rate limiting per IP and per user on the APIs and AI conversations. Atomic budget reservation to avoid uncontrolled overage. Automatic suspension on missed payment.
Sensitive data scrubbing
Credentials and user content do not end up in the application logs. Sensitive data such as tokens, emails, and payloads are masked server-side before any write.
Principle of least privilege
Our staff does not access customer content except on an explicit support request. Every access is tracked.
Your data does not train the AI models. Guaranteed.
DeepNeural uses frontier AI models from the leading global providers (Anthropic, Google, OpenAI). For all providers, the contractual policy for API access excludes the use of customer data to train the models. You can find it cited in the DPA and in the respective Terms of Service of the providers.
Provider exclusion on request. At the Organization’s request, we can exclude specific AI providers from processing your data. Contact us through the dedicated form to configure your preferences.
The flow is simple. Uploaded documents: stored in the EU. User question: the necessary context is sent to the AI models with encryption in transit, with SCCs coverage for any transfers outside the EU. Answer: it returns to the EU, saved in the customer’s storage. No persistent copies on the AI provider’s side.
Upgrade to next-generation models: managed by us with no intervention from the customer.
Who did what, when, with which AI answer.
Every critical operation on the organization (deleting a profile or organization, ownership transfer, role changes) is recorded in a dedicated audit log with timestamp, actor, and context. AI operations (chat, web searches, document generation, department suggestions) are tracked with user, conversation, model used, and cost.
All documents exported from DeepNeural — DOCX, PDF, XLSX — include, in plain text and in all supported languages, an AI-assisted nature disclaimer. It is hardcoded into the code and cannot be removed from the interface. It is designed for contexts where traceability of the nature of the content is a professional safeguard (law firms, Public Administration).
For those with requirements the standard product does not cover.
For organizations with particular compliance or confidentiality requirements (regulated sectors, highly sensitive data, dedicated architectures), DeepNeural can be tailored with a dedicated enterprise onboarding path.
We reply within one business day, with a written answer signed by our team. Tell us what you need and we’ll tell you whether we can do it.
Service level for the dedicated tiers.
The contractual SLA (99.5% uptime, email support within 24 business hours, RTO 4h, RPO 24h) is included for Public Administration and enterprise organizations. For the paid public tiers (Starter / Growth / Scale), email support responds within 8 business hours; the operational level follows the same technical standards as the dedicated tiers.
- Monthly uptime
- 99.5%
- Email support
- 24h
- RTO
- 4h
- RPO
- 24h
business hours
Recovery Time Objective
Recovery Point Objective
Everything readable before you sign.
The documents are public and downloadable directly from this page, without registration. The Italian version is legally binding; translations into other languages are provided as a courtesy.
- Data Processing Agreement (DPA)
Complete GDPR Art. 28. Sub-processors, SCCs, technical measures, data breach management.
- Privacy Policy
Thirteen GDPR-compliant sections. Data subject rights, retention, DPO contacts.
- Terms of Service
Eighteen B2B articles. Liability limits, AI disclaimer, suspension, cancellation.
- Cookie Policy
Technical cookies always on. Consent banner for Google Analytics: you can accept all or only the necessary ones. No advertising profiling trackers.
The questions from the DPO, the IT lead, the compliance officer.
On European cloud infrastructure, with encryption in transit via TLS 1.2+ and at rest via AES-256. Documents stay in the EU for storage; for AI processing, the necessary context is transmitted to the models under Standard Contractual Clauses.
No, never. This is contractually guaranteed by all the AI providers we use (Anthropic, Google, OpenAI) for API access. You can find it in our DPA and in the Terms of Service of the respective providers.
Notification to the Controller within 72 hours of becoming aware of it, pursuant to Art. 33 GDPR. Notification to data subjects if the risk is high (Art. 34). Procedure documented and contractualized in DPA Art. 10.
Yes. Through a request to support, we carry out the full export within 30 days. Uploaded documents are in any case always downloadable directly from the interface.
Yes. Self-service from the Account → Danger Zone area. Deleting the organization has a 30-day cooling period to allow for reconsideration; deleting the profile is immediate. Backup copies are excluded and are removed at the next rotation cycle.
Documents are stored exclusively in the EU. To generate answers, the necessary context is transmitted to the AI models under Standard Contractual Clauses (SCCs). The data is not retained by the AI providers for training.
Yes. At the Organization’s request, we can exclude specific AI providers from processing your data. Contact us through the dedicated form to configure your preferences.
For each document, one of three levels is set: the whole organization, only the responsible departments, or specific members. The four roles (Owner, Admin, Manager, Member) only see what concerns them. Our staff does not access customer content except on an explicit support request.
Service suspended on missed payment (day 0) with data in read-only mode. Automatic notices at 7, 15, 30 days. Permanent deletion on day 37. You always have 37 days to download everything or reconsider the cancellation.
Still have doubts about security? Talk to us first.
Security reviews take time. Send us an email with your specific requirements, read the DPA at your own pace, then we decide whether to proceed.