KoAssist.
SECURITY

Data sovereignty is the prerequisite. Not the add-on.

KoAssist runs on a fully European tech stack. No US providers, no Cloud Act risk. Hosted in German data centers, language processing via an EU provider. Data stays in Europe, from upload to answer.

THREE GUARANTEES

What applies to every data path.

01 · US providers in the data path
0

No AWS, no Azure, no GCP, no OpenAI. From browser to language model, everything runs on European infrastructure.

02 · Tech stack end-to-end
EU-only

ISO 27001-certified German data centers for hosting and indexing. EU provider for language processing. Both European, both ISO 27001-compliant.

03 · Data deletion guaranteed
<48h

On written request, all customer data is fully removed within 48 hours: embeddings, caches and backup references. The deletion is documented in a deletion record.

DATA FLOW

Where your data lives, who accesses it, what comes back.

[Diagram: Users (ask questions, get answers) connect to the KoAssist Platform (EU-hosted, GDPR), which contains the web platform, the language model and the knowledge base. The knowledge base is fed from company data: SharePoint, Google Drive, ERP system, PDM system, PLM system.]

The user asks a question via the web platform. To answer it, KoAssist accesses the language model and the knowledge base, both of which live within the EU-hosted platform and are bounded by the GDPR framework. The knowledge base is fed exclusively from your existing systems such as SharePoint, PDM or ERP. Your data never leaves the EU and never flows into model training.

WHAT WE DON'T DO

Five things KoAssist deliberately does not do.

  • 01 · No training of generic foundation models on your engineering data: contractually guaranteed, technically isolated.
  • 02 · No shadow IT risk through private ChatGPT accounts: engineers get an approved, documented channel instead of secretly uploading specs.
  • 03 · No automatic data outflow to other systems. Integrations are explicit per source and per knowledge space.
  • 04 · No hidden sub-processors. Complete list available, changes announced 30 days in advance.
  • 05 · No indefinite data retention. Deletion within 48 hours on request, documented.

PROCUREMENT

Common questions from IT and data privacy.

Which sub-processors are used?

One German hosting provider and one EU language model provider, both ISO 27001-certified. Complete list with roles, locations and specific provider names is part of the security document, available on request.

What does the data processing agreement look like?

A standardized, GDPR-compliant DPA per Art. 28 with all typical clauses, TOMs (technical and organizational measures) as an annex, and documented technical measures. Sent on request.

Can we export and delete all data?

Yes. Since your source data stays in your systems, deletion primarily concerns the index, which can be fully removed on request. Conversation history is exportable per user.

Which model providers are used and where do they run?

A European language model provider with EU infrastructure. Specific provider details are part of the security document. On request and for the enterprise tier, alternative model setups are configurable.

Who has access to customer data?

Access to production customer environments is restricted to a small, individually documented group of people at Soneo AI, with audit logs. No third-party access without explicit consent.

Security questions?

Write to us directly. We respond within one business day.

info@soneo.ai