How INXM protects your data.
Technical and organizational measures INXM applies to customer data — encryption, hosting, access controls, audit, sub-processors, incident response. Built for the audit a European regulator would actually run, not a checkbox demo.
01
Hosting and data residency
All INXM customer data is processed and stored within the European Union. Our primary hosting region is Frankfurt, Germany; secondary regions are within the EU only. Data never leaves the EU perimeter without your explicit, documented consent.
Infrastructure providers are vetted for GDPR alignment, audited at least annually, and bound by Standard Contractual Clauses where applicable.
02
Encryption
In transit
All traffic to and from INXM is encrypted with TLS 1.3 (HSTS enforced). Legacy protocols (TLS 1.0/1.1, SSL) are disabled.
At rest
Customer data at rest is encrypted with AES-256-GCM. Encryption keys are managed by a dedicated KMS with quarterly rotation and least-privilege access.
Secrets
API tokens, credentials, and sub-processor secrets live in a hardware-backed vault. No secrets in source code or environment variables.
03
Access controls
Every internal access to customer data is logged with operator identity, system, and intent. Production access requires hardware-key MFA and approval from a second engineer. Standing access is granted on a least-privilege basis and reviewed quarterly.
Customer-facing access uses single sign-on with your IdP (OIDC / SAML). Role-based access control inside Orchestrator maps to your existing org structure.
04
Audit logs and Plan lineage
Every Plan execution is logged from intent → compile → approve → execute → result. Each step records operator, system, inputs, outputs, and a content-addressed hash. The audit trail is immutable, exportable, and built for the kind of regulator inquiry European industrial enterprises actually face.
05
Sub-processors
INXM maintains a current list of sub-processors used to deliver the service. The list is available on request and is updated before any new sub-processor begins processing customer data. Customers can object to a new sub-processor under the terms of the Data Processing Agreement.
Write to hello@inxm.ai for the current list.
06
Backups and resilience
Customer data is backed up daily with point-in-time recovery for the last 30 days. Backups are encrypted with keys separate from those used in production. Disaster-recovery exercises are run at least semi-annually.
07
Incident response
Security incidents are triaged 24/7 by on-call engineers. Confirmed personal-data breaches are reported to affected customers and the competent supervisory authority within 72 hours, in line with Art. 33 GDPR.
Report a suspected vulnerability or incident to security@inxm.ai.
08
Compliance
INXM is built to align with:
- GDPR — full data subject rights, EU-only processing, documented sub-processors, DPA on request.
- EU AI Act — Compiled-AI design supports the transparency, auditability, and human-oversight obligations the Act expects.
- Industry frameworks — alignment with ISO/IEC 27001 controls; SOC 2 program in progress.
The Data Processing Agreement, sub-processor list, and audit-readiness package are available on request.
09
Contact
- Security: security@inxm.ai
- Data protection: dpo@inxm.ai
- General: hello@inxm.ai

Last updated · March 2026