Trust Center
itsAI runs on Danish infrastructure with independently-audited security controls. The table below lists every control we promise — green when it's shipped, "coming soon" when it's on our roadmap. Logged-in users see the same status live at /safe; this page is the public mirror.
All itsAI data is stored on hardware physically located at Digital Realty, Ballerup, Denmark — Denmark's most secure datacenter, operated by it's IT A/S. No third-country data transfers in the storage layer.
The hosting layer is covered by ISAE 3402 Type II (BDO), ISO 27001 and ISO 27002, all held by our hosting provider it's IT A/S. Application-layer SOC 2 Type II and ISO 27001:2022 are on our roadmap.
Every control we describe in our privacy policy and DPA matches the code that's running. Items still on the roadmap are explicitly labelled — the matrix below is the source of truth.
Live status. Updates immediately when a control ships or its health changes.
| Data class | At rest today | In transit |
|---|---|---|
| Passwords | Argon2id with deployment pepper (no reversible storage) | TLS 1.2+ |
| OAuth + integration tokens | AES-256-GCM with ITSAI_ENCRYPTION_KEY | TLS 1.2+ |
| Session refresh tokens | SHA-256 hash; raw tokens never persisted | TLS 1.2+, HttpOnly + Secure + SameSite cookie |
| API keys | SHA-256 hash | TLS 1.2+ |
| Mail bodies, brain entries, attachments, scraped pages | Not yet column-encrypted (on the roadmap). Protected by tenant isolation, restricted access, and audit logging until then. | TLS 1.2+ |
| Backups | Backup-at-rest encryption on the roadmap. Backup media restricted to named operators. | TLS to the backup host |
Companies that process customer data on itsAI's behalf, outside of LLM inference (see the LLM provider set below for that). Each is bound by a data processing agreement. Changes are announced to controllers at least 30 days in advance via the DPA notification channel. The authoritative list — including the active LLM partners — lives in DPA Annex II.
| Sub-processor | Purpose | Region |
|---|---|---|
| it's IT A/S | Infrastructure hosting + SMTP relay (intra-group; same owner as itsAI ApS — disclosed) | Denmark · EU |
| Cloudflare | Edge / CDN, Tunnel ingress, DDoS + WAF, DNS | Global edge · EU termination |
| Microsoft (MS Graph) | Optional — when you connect an Outlook / OneDrive / Calendar account | Customer-selected (typically EU) |
| Stripe | Billing + payment processing. Card data NEVER touches itsAI. | USA · EU subsidiary |
itsAI is built on the principle that no single LLM provider should see a complete picture of any user. Requests are routed across many providers — each chosen per task on capability, cost, latency, regional fit, and contractual non-training posture. Splitting the traffic this way means that even in the worst case where one provider were compromised, only a fragment of your work would be exposed.
Below are examples of the itsai.dk integrations — providers in the evaluated set. The specific subset active at any moment is operational and is not published; the formal list of active sub-processors at any given time is disclosed to controllers in DPA Annex II and updated with 30 days' notice before any change.
it's ai ApS (CVR 46 46 47 37) and it's IT A/S, our hosting provider, share an ultimate beneficial owner. The hosting relationship is intra-group, not arm's-length. We disclose this here so you can factor it into your assessment. It is the reason itsAI inherits genuine ISO 27001 / ISAE 3402 controls at the infrastructure layer — and the reason we are not arm's-length about claiming so.
If we become aware of a personal-data breach affecting your data, we notify you via email and an in-product banner within 48 hours of awareness — stricter than the 72 hours required by GDPR Article 33. Full terms in the DPA §4.6.
Security questions, vulnerability reports, breach disclosures, or controller-side compliance queries: privacy@itsai.dk. We acknowledge every report within one business day.