
ISO/IEC 27001:2022
Formally certified to ISO/IEC 27001:2022 since May 2026. Auditor: A-Mark Ratings Limited, accredited by UAF and IAF. Certificate No. 26052601, valid until 25 May 2029.
At GermanAI Defense, security is not a feature; it's the foundation. This page lays out exactly what we hold ourselves accountable to: audited, accredited, documented.
Five standards we hold ourselves to. We are formally certified to one of them (ISO 27001). For the other four, we are compliant or ready, and we don't claim anything we can't substantiate.

Fully GDPR compliant with a documented Record of Processing Activities (Art. 30), a Data Processing Agreement template, technical-organisational measures (TOM) per Art. 32, and a designated Data Protection Officer.

All production data and workloads remain in German datacenters (Hetzner, Nuremberg). No US cloud provider, no CLOUD Act exposure, no third-country transfers without explicit agreement.

Our own cyber-resilience measures meet NIS 2 requirements: risk management, incident reporting, supply-chain security, business continuity and recurring effectiveness reviews. What we advise others, we live ourselves.

Our AI systems are risk-classified, documented and operated to audit-ready standards. Human oversight, transparency obligations and technical robustness per EU AI Act are built in, including for client projects.
SOC 2 (US standard, not relevant to our EU target customers). BSI C5: we do not hold this currently. ISO 27017 / 27018: we do not hold these currently. We communicate certifications transparently, without pseudo-seals.
Our architecture follows the defense-in-depth principle: encryption, access control, network segmentation, monitoring, at every layer.
AES-256 for data at rest. TLS 1.3 for data in transit. Key management aligned with ISO 27001 controls, separated from application data.
MFA mandatory for all staff. Role-based access (RBAC). Privileged access tracked separately and audited on a regular cadence.
No implicit trust: every request is verified. Network segmentation, micro-segmentation for critical workloads, just-in-time access.
Hetzner datacenter Nuremberg. Redundant power, biometric access control, ISO 27001 + GDPR compliant operator.
In-house SOC team in Germany. Continuous monitoring, SIEM-backed detection, documented escalation and incident response playbooks.
Encrypted backups, geographically separated within the EU. Routine restore tests. Recovery-time objectives documented.
Privacy at GermanAI Defense isn't cookie-banner theater; it's a documented operating program. Our GDPR implementation covers the full obligations stack, from processing records to third-country review.
Security monitoring isn't an outsourcing topic for us; it's core business. In-house analysts, in-house tooling, in-house data flows, fully inside the EU.
Centralised aggregation of all security-relevant logs. Correlation rules aligned with MITRE ATT&CK. Retention per statutory requirements.
EDR on every endpoint. Documented incident-response plan with clear escalation tiers and response time targets.
Regular vulnerability scans. Risk-based prioritisation. Patch management with SLAs by criticality.
Need our DPA, want to review a TOM document, or have questions about our ISO 27001 certification? Drop us a line; typical response within 2 business days.
Email info@germanaidefense.com
Go deeper: Information Security Policy · Privacy Policy · GRC & Compliance Consulting