Trust
Opero is hosted in Germany, Denmark and Ireland. We do not train models on customer data. Every retrieval and every action is audited. ACLs filter before retrieval, not after.
Most “EU AI” claims survive until the security review. That is when the questionnaire arrives: where does data rest, who can query the training pool, what does your audit log cover. Opero is built for that review — hosted in EU member states, no training pool exists, every retrieval and every action is logged, and access controls filter before the model sees a single document.
EU hosting
Opero runs on infrastructure in Germany, Denmark and Ireland — all EU member states, all under GDPR jurisdiction. Customer data does not leave EU territory at rest or in transit. Traffic between your systems and Opero stays within the EU network perimeter; there is no egress path to US-based servers by default. If your regulator requires data to remain in a single country — a common requirement for German Mittelstand and Danish financial customers — you can pin your deployment to one region at contract time. The pinning is enforced at the infrastructure layer, not by policy alone. Sovereign and on-prem deployment options are also available for customers operating under stricter mandates: a private installation typically goes live in 4–6 weeks from contract.
Data residency, retention, isolation
Every customer runs in a dedicated tenant. Your corpus, your conversation history and your metadata are not pooled with other customers’ data at any layer of the stack. Retention periods are configurable per contract — set the window your compliance team requires and data is purged on schedule. We do not train models on customer data. Opero grounds an LLM against your documents at retrieval time: when a technician asks a question, the system retrieves the relevant chunks from your corpus and passes them to the model as context. Nothing from your corpus enters a training pipeline. There is no training pool from which fragments of one customer’s service manual could surface in another customer’s answer.
Audit log
Every retrieval, every cited source, every outbound action — PO draft, ticket update, work-order note — is logged with the calling user, timestamp and model version. The log is append-only and scoped to your tenant. When a procurement auditor asks what your system did on a specific date six weeks ago, the answer is in the log: which user triggered the query, which documents were retrieved, what version of the model responded, and what action — if any — was written back to your ERP. The log is replayable. You can reconstruct the exact retrieval that generated a given answer, which makes the log usable in formal audits, not informal retrospectives.
Permissions and ACLs
Access controls are role-based and per-document. A field technician’s retrieval is scoped to the documents their role is permitted to read. A sales engineer’s retrieval is scoped differently. The filter runs before the model sees any candidate documents — not after generation. Post-generation filtering is how leaks happen: the model has already read the restricted document and may paraphrase it even if the output is then suppressed. Opero’s retrieval layer enforces the permission set at query time, so the model is never given material the calling user is not cleared to see.
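The difference between filtering before retrieval and filtering after generation, as an added example that is not Opero's code: the corpus, role names and word-overlap scoring are constructed stand-ins, and the scoring replaces whatever retrieval method a real system uses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    allowed_roles: frozenset  # per-document ACL

# Constructed sample corpus (hypothetical documents and roles).
CORPUS = [
    Doc("svc-manual-12", "pump seal replacement torque procedure",
        frozenset({"technician", "sales_engineer"})),
    Doc("price-list-eu", "pump seal replacement list price and dealer margin",
        frozenset({"sales_engineer"})),
    Doc("safety-note-3", "lockout procedure before pump maintenance",
        frozenset({"technician"})),
]

def score(query, doc):
    """Toy relevance: number of shared words (assumed stand-in for real search)."""
    return len(set(query.lower().split()) & set(doc.text.lower().split()))

def rank(query, docs, k):
    """Top-k matching documents, highest score first, ties broken by id."""
    hits = [d for d in docs if score(query, d) > 0]
    return sorted(hits, key=lambda d: (-score(query, d), d.doc_id))[:k]

def context_prefiltered(role, query, k=2):
    """ACL applied to the candidate set before ranking; unknown roles get nothing."""
    permitted = [d for d in CORPUS if role in d.allowed_roles]
    return [d.doc_id for d in rank(query, permitted, k)]

def context_unfiltered(role, query, k=2):
    """What the model reads when filtering is deferred until after generation."""
    return [d.doc_id for d in rank(query, CORPUS, k)]

def leaked_to_model(role, query, k=2):
    """Documents in the model's context that the caller's role may not read."""
    acl = {d.doc_id: d.allowed_roles for d in CORPUS}
    return [i for i in context_unfiltered(role, query, k) if role not in acl[i]]

if __name__ == "__main__":
    q = "pump seal replacement price"
    print("pre-filtered context:", context_prefiltered("technician", q))
    print("read by model if filtering is deferred:", leaked_to_model("technician", q))
```

With the deferred filter the restricted price list is already in the model's context for a technician's query, so suppressing the output afterwards cannot undo the read; the pre-filter also fills the top-k slots with permitted documents instead of returning a shortened list.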
Subprocessors and certifications
Current certifications: GDPR-aligned by design, with documented data-processing agreements available on request. SOC 2 Type II audit is in progress. The subprocessors list — covering infrastructure, model inference and support tooling — is maintained at #subprocessors and will move to a dedicated page as the list stabilises. If you need the current list for a security review, contact us and we will send it directly.
Where to look next
- Knowledge Agent — the system this trust posture protects.
- Building a knowledge agent your technicians actually trust — the long-form on operational trust.
- How EU-hosted AI changes procurement conversations — the procurement framing.