Security & data protection

A reference for the questions IT, security and data-protection teams ask before integrating axite. If you need the formal documents — Data Processing Agreement (DPA / AVV), the full technical and organizational measures (TOMs), the subprocessor list, or the SLA — your axite contact can provide them.

At a glance

EU-hosted · encrypted in transit and at rest · your data is not used to train general AI models · the impact-tracking tag collects no personal data and needs no cookie consent · GDPR-aligned · full data export on request.

Hosting & data residency

  • Cloud SaaS, operated by AX Semantics GmbH.
  • Hosted exclusively in the EU, on ISO 27001-certified infrastructure — AWS (EU / Ireland) and Microsoft Azure (West Europe / Germany).
  • All processing happens within the EU, including AI generation. No transfer to third countries.

Encryption

  • In transit: TLS 1.2 or higher.
  • At rest: AES-256.
  • Key management: AWS KMS.

AI models & subprocessors

  • axite runs a declarative engine: you declare intent and rules, and foundational models within the engine do the writing. The engine is model-agnostic, and the models run within the EU.
  • Your data is not used to train general-purpose models. Content and source data you provide stay scoped to your organization.
  • Core subprocessors are EU-based cloud and model providers. The complete, current subprocessor list is available on request.

Technical & organizational measures (TOMs)

The measures below are documented in full in the TOM document, available on request. In summary:

Area | Measures
Physical access | Cloud infrastructure in ISO 27001-certified EU data centers; physical security handled by the hosting providers.
System access | Encrypted administrative access (SSH / TLS), multi-factor authentication, role-based permissions, regular access reviews.
Data access | Strict tenant separation — each customer sees only their own data, keyed by unique customer and content identifiers; access logging.
Transmission | HTTPS / TLS for all transfers; processing on EU servers only; no transfer to third parties or third countries.
Input | Event data is captured automatically; no manual entry or modification; system logs record processing.
Instruction | Processing only on the customer's behalf; axite does not use the data for its own purposes.
Availability | Redundant infrastructure, regular backups, monitoring and alerting, disaster-recovery concept.
Separation | Logical tenant separation by customer-specific identifiers; data of different customers is never merged.

Impact tracking & the axite Tag

The optional impact-tracking script — the axite Tag — is built around data minimization. It does text tracking, not user tracking.

  • No personal data. The tag collects only text-related metrics: views, visits, conversion events, the displayed text, and page context (URL path, referrer). No user profiles, no fingerprinting, no cross-site correlation.
  • IP anonymization. IP addresses (unavoidably transmitted by TCP/IP) are anonymized immediately on receipt, in memory, and never stored in full.
  • Only functional cookies. No analytics or marketing cookies. Impact tracking uses securely hashed, server-side session tokens that can't be traced back to a user.
  • Optional functions stay in the browser. Personalization (Motivational Typologies), content experiments (A/B testing), and content hosting (CDN delivery) process no personal data in the axite Cloud — variant assignment and classification happen locally in the visitor's browser; only the result (the shown variant, the impact on text performance) is reported back.
  • No cookie-banner consent required. Under § 25(2) TDDDG the tag needs no consent, because it uses only functional / strictly necessary cookies and does not access the user's device for analytics purposes. It can be loaded before the cookie banner.
  • Lawful under the GDPR on the basis of the website operator's overriding legitimate interest (Art. 6(1)(f) GDPR) — improving content — combined with immediate IP anonymization and strict data minimization.
  • No DPA obligation. Because no personal data is processed (IPs are anonymized at once), there is no obligation to conclude a DPA under Art. 28 GDPR. A simplified DPA is available on request.
  • For transparency we recommend a short notice in your privacy policy; a German and English template is available.

See the Data protection FAQ for the detailed answers Legal and Compliance teams usually need.

Access & data control

  • Role-based access within an organization; billing and access are scoped to the organization.
  • API access uses per-engine API clients with credentials you control and can revoke. See Authentication.
  • Data export: a full export of your data is available, including at the end of a contract.

Compliance documents

Available from your axite contact:

  • Data Processing Agreement (DPA / Auftragsverarbeitungsvertrag, AVV) — a simplified AVV is available even though one isn't strictly required for the tag.
  • Technical and organizational measures (TOMs) — the full document.
  • Subprocessor list.
  • Service Level Agreement (SLA).

TIP

We don't gate this behind a sales call. If your evaluation needs the formal documents, just ask your contact and they'll share them.

Contact

AX Semantics GmbH · Nordbahnhofstraße 115, 70191 Stuttgart, Germany · Data protection officer: by post to the address above · Support: [email protected]