Security & Architecture
This page summarises what your IT leadership, DPO, and auditor need to make an informed decision about an Actio pilot. It does not replace a technical call — it makes that call more efficient.
1. Data architecture at a glance
A standard page request to actio-agents.com travels through four steps:
• Browser → Vercel Edge (EU, e.g. Frankfurt or Paris) over TLS 1.3
• Vercel Edge → Vercel serverless function (Node.js 22, EU region)
• Serverless function → Resend (USA, EU-US DPF) to deliver pilot-request emails
• Resend → Actio team inbox
For a pilot deployment in a hospital context, the agent runtime runs either in a dedicated EU region on Vercel or — on request — entirely within your own infrastructure (on-premises).
2. Sub-processors
We use exactly two sub-processors to operate the marketing website and receive pilot requests:
Vercel Inc. — hosting, edge network, and serverless runtime. Located at 440 N Barranca Ave #4133, Covina, CA 91723, USA. Certifications: EU-US Data Privacy Framework, SOC 2 Type II. Data-processing agreement per Art. 28 GDPR in place, supplemented by standard contractual clauses per Art. 46 GDPR.
Resend, Inc. — transactional email delivery for pilot requests. Located at 2261 Market Street #4667, San Francisco, CA 94114, USA. Certifications: EU-US Data Privacy Framework. Data-processing agreement per Art. 28 GDPR in place, supplemented by standard contractual clauses per Art. 46 GDPR.
We additionally use Vercel Web Analytics (same provider, cookieless, no storage on device) for aggregated reach measurement. No other services (CRM, support tools, third-party analytics) are currently used. Any extension of this list will be announced transparently in the privacy policy.
3. Compliance posture
• GDPR (Art. 5–32): the architecture was designed for European data-protection law from the outset, not retrofitted and certified after the fact.
• Data-processing agreements: standard with every sub-processor (Art. 28 GDPR).
• Standard contractual clauses (SCCs): for every third-country transfer (Art. 46 GDPR).
• EU data residency: default setup runs entirely in EU regions.
• On-premises option: full operation behind your firewall available.
• ISO 27001: scoping planned for Q3 2026.
• MDR (Medical Device Regulation): review for clinical use cases in progress; Actio agents make no medical decisions, which significantly simplifies MDR classification.
• Cookies: this marketing site sets no cookies. Reach measurement is cookieless and aggregated only (Vercel Web Analytics).
4. Technical safeguards
• Transport: TLS 1.3 mandatory for all connections.
• Authentication: for on-prem deployments, SSO via SAML/OIDC (e.g. Azure AD, Okta). For SaaS deployments, MFA is mandatory for all admin roles.
• Access control: role-based (RBAC) — separate roles for physicians, administration, and read-only viewers.
• Audit logs: every agent decision is logged, timestamped, and exportable — ISO- and MDR-ready.
• Rate limiting: API and form endpoints with IP-based throttling and honeypot protection.
• No medical decisions: every agent output is presented to the responsible physician or administrator for approval — mandatory, not optional.
5. HIS integration
We integrate via standardised HL7 and FHIR interfaces. No migration of your core software, no replacement of your existing hospital information system. Actio runs alongside it and operates on structured data objects from your HIS.
Typical integration time from contract signing to live pilot: two weeks — including GDPR sign-off by your IT and completion of the data-processing agreement.
6. Documents available on request
For your due-diligence review, we provide:
• Data-processing agreement (DPA) template per Art. 28 GDPR
• Technical architecture dossier (PDF)
• Security questionnaire in SIG-Lite format
• Current list of all sub-processors with certification evidence
• Penetration-test report (planned Q3 2026; letter of engagement available earlier on request)
Request via david.rehrl@thesolvia.com or via the pilot form with the keyword "Security Dossier".
7. Security contact
Please send all security-relevant reports, including vulnerability disclosures and potential incidents, to david.rehrl@thesolvia.com.
For acute incidents during an active pilot, reach the founder directly by phone: +43 660 2350039.
We respond to security reports within 24 hours on business days.