This page covers what data-protection officers, IT leads and works councils check before a call. No form, no registration. What is written here is binding language, not a marketing version.
ARCHITECTURE
Where does Actio process data?
Exclusively on servers inside your network. The agents, the language models and every processing step run on a GPU server in your data center. There is no cloud component, no telemetry, and no remote maintenance without documented approval.
After installation the system works without an internet connection. Updates ship as packages and are installed by your IT. A remote shutdown or deactivation is not technically provided for.
§ 203 STGB
Professional secrecy
In routine operation Actio has no access to patient data or other protected secrets: processing happens entirely inside your building. The 'assisting person' question under § 203(4) StGB therefore only arises for maintenance and support cases.
For those cases the contract includes a confidentiality undertaking and a template agreement under paragraph 4, with a documented approval process for every access.
§ 393 SGB V / C5
Cloud rules for health data (Germany)
Since 1 July 2025, § 393 SGB V requires a BSI C5 attestation and processing within Germany or the EU/EEA for cloud processing of health data.
For Actio this requirement does not apply: there is no cloud processing. That single sentence replaces the entire C5 documentation chain in your review.
ART. 28 GDPR
Roles and data processing agreements
With on-premise operation your organization remains the sole controller under the GDPR. Routine operation involves no processing of patient data by Actio as a vendor: processing happens on your servers, and Actio has no access to that data.
For maintenance access where contact with personal data cannot be ruled out, a DPA template under Art. 28 GDPR is included. The technical and organizational measures are documented in the dossier.
§ 87 BETRVG / § 96 ARBVG
Works-council co-determination
Software objectively capable of monitoring performance is subject to co-determination: § 87(1) no. 6 BetrVG in Germany, § 96 and § 96a ArbVG in Austria.
Actio is built so that it stores and evaluates no performance or behavior metrics of individual employees. Meeting transcripts are not analyzed per person after processing. We provide a template works-council agreement that fixes exactly this, ready for your negotiation.
AI ACT ART. 6(3)
EU AI Act: deliberately outside the high-risk class
Annex III of the AI Act classifies AI that evaluates or filters job applications as high-risk. Actio's application agent therefore checks completeness only: it reports which documents are missing and produces no rankings, no scores and no profiles. That is a narrow, preparatory task in the sense of Art. 6(3).
Following the June 2026 omnibus, Annex III high-risk obligations apply from 2 December 2027. The documented Art. 6(3) self-assessment is part of the dossier, so your review does not have to rest on an assertion.
CERTIFICATIONS
The honest status
ISO 27001: in preparation, certification planned for 2026. External penetration test: in preparation (2026). We state this plainly because presenting unfinished certificates as badges is exactly the practice this audience distrusts.
Until then, the architecture itself is the strongest control. Data that never leaves the building requires no advance trust in an external operator.