Skip to main content

Documentation Index

Fetch the complete documentation index at: https://documentation.deepmask.io/llms.txt

Use this file to discover all available pages before exploring further.

DeepMask is a sovereign European AI workspace built with enterprise security requirements as a first principle, not an afterthought. Your data stays in the EU, is encrypted in transit and at rest, and is never used to train AI models. This page covers what that means in practice: the compliance certifications we hold and are working toward, how data is stored and processed, and the infrastructure partners that underpin our hosting.

Security pillars

GDPR compliant

DeepMask is fully aligned with the General Data Protection Regulation. Your data is processed according to GDPR principles: lawfulness, purpose limitation, data minimization, and user rights. We do not transfer personal data outside the EU.

ISO 27001 (in progress)

ISO 27001 certification is currently in progress. This internationally recognized standard for information security management systems sets the framework for how we manage risk, control access, and respond to incidents across the organization.

No model training on user data

Your conversations, uploaded files, and project data are never used to train, fine-tune, or improve any AI model—by DeepMask or by any underlying model provider. This applies permanently and without exception.

Enterprise-grade encryption

All data is encrypted in transit using TLS and encrypted at rest using AES-256. This covers conversations, files, project instructions, and any other data you store or transmit through DeepMask.

EU data residency

DeepMask enforces strict data residency controls. Your data is processed and stored within the European Union, with German sovereign cloud infrastructure as the primary hosting environment.

Sovereign cloud infrastructure

Primary hosting runs on StackIT, the German sovereign cloud operated by Schwarz Group—one of Europe’s largest infrastructure providers. This means your data is not subject to US cloud provider jurisdiction or extraterritorial data access laws.

EU hosting infrastructure

DeepMask operates across a layered EU infrastructure designed for redundancy, compliance, and sovereignty.

StackIT — primary cloud and LLM hosting

StackIT is the German sovereign cloud operated by Schwarz Group, the corporate group behind Lidl and Kaufland. It is DeepMask’s primary hosting partner for both cloud infrastructure and select LLM inference. Data processed on StackIT stays within Germany and is governed by German and EU law, not US cloud provider terms. Certain EU-hosted models—including Qwen3 (StackIT), Gemma 3 27B (StackIT), and GPT-OSS 120B (StackIT)—run directly on this infrastructure.
For select models not natively hosted on StackIT, DeepMask routes inference through EU-region deployments to ensure data processing remains within the European Union. This covers redundancy scenarios and scalability requirements while maintaining the same data residency guarantees.
Additional model endpoints are served through infercom’s EU-hosted infrastructure with strict data residency controls. These endpoints provide access to additional models in the DeepMask catalog while keeping all inference within EU jurisdiction.
Models labeled “(StackIT)” or “(DeepMask)” in the model selector run on EU-sovereign infrastructure. You can identify these in the model list—for example, Kimi K2 (DeepMask), Qwen (DeepMask), Qwen3 (StackIT), Gemma 3 27B (StackIT), and GPT-OSS 120B (StackIT).

GDPR compliance in detail

Being GDPR compliant means specific obligations are met at the infrastructure, product, and contractual level.
Enterprise customers receive a Data Processing Agreement (DPA) that documents how DeepMask processes personal data on your behalf, in line with GDPR Article 28 requirements. Contact the sales team to request a DPA for your organization.
DeepMask supports GDPR data subject rights including the right to access, rectify, and erase personal data. Requests can be directed to contact@deepmask.io.
DeepMask does not transfer personal data to countries outside the EEA without appropriate safeguards. Our primary infrastructure (StackIT) and EU-region deployments ensure data stays within EU jurisdiction by default.
Data you submit to DeepMask is used solely to provide the service—to generate AI responses in your workspace. It is not analyzed for advertising, used for model training, or shared with third parties for their own purposes.

ISO 27001 certification

ISO 27001 certification is currently in progress. DeepMask operates according to ISO 27001 principles and is actively undergoing the certification process. We will update this documentation when certification is formally achieved.
ISO 27001 defines a systematic approach to managing sensitive company and customer information. Our certification process covers risk assessment, access control policies, incident response procedures, and supplier security management. Enterprise customers who require evidence of our security posture during the certification period can request supporting documentation from the sales team.

Questions and enterprise security reviews

For security questionnaires, DPA requests, penetration test reports, or any compliance-related inquiry, contact contact@deepmask.io. For organizations requiring a dedicated security review session, book a 30-minute call with the team. We respond to all enterprise inquiries within 42 hours.