Security, privacy & compliance

Private AI infrastructure built around control and responsibility.

Dooblux designs and manages dedicated AI environments for organizations that require greater control over their data, infrastructure and AI operations. Privacy, security and GDPR responsibilities are incorporated into the way these environments are designed, deployed and maintained.

01

Dedicated environments

Customer environments are logically separated and deployed specifically for the organization they serve.

02

European infrastructure

The standard hosting model uses dedicated infrastructure in trusted European datacenters.

03

No AI model training

Customer documents, prompts and conversations are not used by Dooblux to train or improve AI models.

04

GDPR-aligned processing

Data processing responsibilities are defined through clear agreements, including a dedicated Data Processing Agreement.

Privacy & GDPR

Customer data is processed for one purpose: delivering the service.

Dooblux applies privacy-by-design principles throughout the implementation and management of its Private AI Infrastructure. Customer data remains under the customer’s control and is only processed where necessary to provide the agreed services.

Processing principle

Your data is not the product.

Customer documents, prompts, conversations and other personal data are not used by Dooblux to train, fine-tune, evaluate or improve artificial intelligence models. They are processed only where required to operate, maintain, secure and support the customer environment.

No sale or commercialisation of customer data

No customer data used for AI model training

Processing limited to agreed service delivery

Confidentiality obligations for authorised personnel

EU

European data location

Dooblux aims to process and store personal data within the European Economic Area wherever reasonably possible. The standard service is hosted in dedicated European datacenters.

DPA

Data Processing Agreement

Customer processing responsibilities are documented in a dedicated DPA covering security, subprocessors, breach procedures, retention, deletion and GDPR assistance.

01

The customer

Data Controller

The customer determines why personal data is processed, which information is made available and who may access the AI environment.

02

Dooblux

Data Processor

Dooblux processes personal data on behalf of the customer and only as necessary to implement, host, maintain and support the agreed services.

i

Dooblux may also act as an independent data controller for its own business administration, such as customer communication, contracts, invoicing and legally required records.

Security measures

Multiple layers of protection, working together.

Dooblux applies technical and organisational safeguards throughout the design, deployment and ongoing management of customer environments. Select a security measure to learn more.

Infrastructure & data location

A dedicated environment, not a shared public AI platform.

The standard Dooblux deployment model uses a dedicated customer environment hosted in a trusted European datacenter. Customer applications, documents and AI processing remain within that managed environment.

Dedicated customer environment
01
Authorised users Secure browser access Access through the customer AI portal
Encrypted connection

Private AI environment

Dedicated infrastructure

EU
02 Web interface User access and conversations
03 AI runtime Model execution inside the environment
04 Knowledge system Customer documents and retrieval
05 Managed storage Application and operational data
Separated backup process
06
Recovery layer Protected backup storage Stored separately from the production environment
01

Controlled access

Access is limited to authorised users and personnel with a legitimate operational requirement.

02

Clear boundaries

Customer environments are separated to reduce unnecessary exposure between unrelated organizations.

03

Private processing

AI processing and company knowledge remain within the managed private infrastructure.

04

Managed operations

Deployment, maintenance, updates, monitoring and support are handled within the agreed service scope.

Backup, resilience & incident response

Prepared for disruption, focused on recovery.

Security is not limited to prevention. Dooblux also maintains structured backup, recovery and incident response processes intended to reduce the impact of service failures, data loss and security incidents.

01 Backup

Regular protected backups

Managed production environments normally follow a daily backup schedule for relevant application data, customer knowledge bases and configuration information.

Daily schedule Encrypted storage Separate from production
02 Recovery

Documented recovery approach

Recovery prioritises rebuilding standardised infrastructure and restoring the application data and configuration required to return the environment to operation.

Repeatable procedures Service validation Post-recovery monitoring
03 Incident response

Structured security response

Suspected incidents are assessed, classified and managed through defined containment, eradication, recovery and review stages.

Severity classification Containment procedures Lessons learned

Incident lifecycle

From detection to improvement

01

Detect

Identify unusual or potentially harmful activity

Reports, monitoring, system logs and supplier notifications may all trigger an initial assessment.
02

Assess

Determine severity, scope and potential impact

Incidents are evaluated based on affected systems, customer impact, service availability and the information involved.
03

Contain

Limit further exposure or operational impact

Access may be restricted, credentials rotated or affected infrastructure isolated where necessary.
04

Recover

Restore services in a controlled manner

Systems are validated, services restored and additional monitoring applied before normal operation resumes.
05

Improve

Review the incident and strengthen future safeguards

Significant incidents are reviewed to identify root causes, corrective actions and practical improvements.
i

Backup coverage, retention periods and recovery objectives may vary depending on the deployed architecture, customer requirements and contractual service arrangements.

Frequently asked questions

Practical answers about privacy, security and data control.

These answers summarize the main privacy, security and compliance principles behind Dooblux services. Customer-specific arrangements may be documented separately in the applicable agreement or DPA.

The standard Dooblux service is based on dedicated infrastructure hosted in trusted European datacenters. Dooblux aims to process and store personal data within the European Economic Area wherever reasonably possible.

No. Dooblux does not use customer documents, prompts, conversations or other personal data to train, fine-tune, evaluate or improve AI models. Customer data is processed only where required to provide, secure, maintain and support the agreed services.

The customer retains ownership of its data, documents, knowledge bases, prompts, business information and other materials supplied to the environment. Dooblux does not obtain ownership of customer content through the provision of its services.

Customers are given a reasonable opportunity to retrieve or export their data. Unless otherwise agreed, customer data and the hosted environment may be retained for up to 30 calendar days after termination before being securely deleted or rendered inaccessible.

Data contained in backups may remain until the relevant backup is overwritten or deleted through the normal retention cycle.

Managed production environments normally follow a daily backup schedule for relevant application data, customer knowledge bases and configuration information. Backup storage is separated from the production environment and protected during storage and transmission.

Exact coverage and retention may differ according to the architecture and customer agreement.

Dooblux follows a structured incident response process covering identification, assessment, containment, eradication, recovery, communication and post-incident review.

Affected customers are informed without undue delay where an incident materially affects, or is likely to affect, their environment, information or legal obligations.

Dooblux may use carefully selected service providers where necessary for hosting, storage, backup, monitoring, communication or other supporting functions.

Subprocessors handling customer personal data are subject to appropriate contractual data-protection obligations. Customers may request an up-to-date subprocessor list.

Yes. Dooblux may provide reasonable documentation, written responses or other information to support procurement, compliance reviews and customer due diligence.

Confidential internal procedures, trade secrets and security-sensitive technical information may be withheld or shared only under appropriate confidentiality arrangements.

Security starts with clarity

Have questions about privacy, security or compliance?

Discuss your organization’s requirements, data-processing needs, infrastructure preferences and procurement questions directly with Dooblux.