Security & Data Sovereignty

Your review starts here.

This page is for IT leaders, data protection officers, and procurement teams. It contains what you need for a well-founded decision: evidence, architecture, and clear answers.

ISO 27001 + ISO 42001 certified
GDPR-compliant · NIS-2-ready
Austrian company · No US CLOUD Act

Overview

What needs to be clarified for a municipal decision

Where is your data stored?

You decide: on your own server, in an EU data center, or in a combination of both. There is no default setup. The model follows your requirements.

How is operation evidenced?

Access, changes, and system events are logged. Those logs are available to your IT team, your data protection officer, and external auditors.

Which standards are met?

ISO 27001 for information security, ISO 42001 for AI governance, GDPR compliance, and readiness for NIS-2. All certifications are issued independently and can be verified publicly.

Data Processing

How municipal data is processed

One clear principle: processing only within the agreed model, only for the intended purpose, and always traceable.

01 Source

Documents and requests come from your municipal departments, knowledge bases, and citizen services.

02 Processing

Content is processed inside the agreed environment. Personal data is automatically masked before processing. Nothing flows into third-party training models.

03 Storage

Data remains on your infrastructure or in EU data centers, depending on the chosen operating model. No US servers.

04 Review

Audit logs record access and processing steps. They are available for internal controls, privacy reviews, and external audits.
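As an added illustration of the four-step principle above, written for this page and not code from KI-Quadrat or its platform: a minimal Python pipeline in which content is masked before it reaches the processing step, and an audit record is written for every request. The detection patterns, field names, the `handler` stand-in for the processing step, and the sample request are all constructed for this example; a real deployment would use a full PII detector (names, addresses, national IDs) rather than three regular expressions.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed detection patterns for this illustration. Order matters: the IBAN
# pattern runs before the phone pattern so that IBAN digit groups are not
# mislabelled as a phone number. A production masker would also handle names,
# addresses and national ID numbers, typically with a dedicated PII library.
PII_PATTERNS = {
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s/-]{7,}\d"),
}


def mask_pii(text):
    """Replace each PII match with a typed placeholder.

    Returns the masked text and a count of replacements per PII type, so the
    audit record can state that data was masked without storing what it was.
    """
    counts = {}
    masked = text
    for kind, pattern in PII_PATTERNS.items():
        masked, n = pattern.subn(f"[{kind.upper()}]", masked)
        if n:
            counts[kind] = n
    return masked, counts


def audit_entry(actor, action, document_id, masked_text, counts, now=None):
    """Build one audit-log record for a processing step.

    The record carries a digest of the masked content rather than the content
    itself, so the audit log cannot become a second copy of personal data.
    """
    now = now or datetime.now(timezone.utc)
    return {
        "ts": now.isoformat(),
        "actor": actor,
        "action": action,
        "document_id": document_id,
        "masked_sha256": hashlib.sha256(masked_text.encode("utf-8")).hexdigest(),
        "pii_masked": counts,
    }


def process_request(actor, document_id, text, handler, audit_log):
    """Run `handler` on masked content only and append an audit record.

    `handler` stands in for the processing step (for example a model call);
    it never receives the unmasked text. `audit_log` is any list-like sink.
    """
    masked, counts = mask_pii(text)
    result = handler(masked)
    audit_log.append(audit_entry(actor, "process", document_id, masked, counts))
    return result


# Constructed sample request with invented personal data. Note that the name
# is not caught by the patterns above: that is exactly the gap a real PII
# detector has to close.
SAMPLE_REQUEST = (
    "Antrag von Max Mustermann, E-Mail max.mustermann@example.org, "
    "Tel. +43 660 1234567, IBAN AT61 1904 3002 3457 3201."
)

if __name__ == "__main__":
    log = []
    seen_by_handler = process_request("clerk-17", "doc-0001", SAMPLE_REQUEST, lambda t: t, log)
    print(seen_by_handler)
    print(json.dumps(log, indent=2))
```

Running the block shows the handler receiving `... E-Mail [EMAIL], Tel. [PHONE], IBAN [IBAN].` while the name passes through untouched, and an audit record that lists only counts and a digest. The design point for a review is the second half: an audit log that copies request content would itself be a store of personal data, which defeats the purpose of masking before processing.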

Operating model

Three paths. You choose the right one.

The platform adapts to your IT organization, not the other way around.

Full local control

On-Premise

  • Runs on your own hardware
  • Data never leaves your building
  • Keys and access remain under your responsibility
  • For municipalities with in-house IT and strict requirements

EU jurisdiction, centrally maintained

EU Cloud

  • Hosted exclusively in European data centers
  • No storage on US servers
  • Maintenance and updates handled by KI-Quadrat
  • For fast rollout with low local overhead

Phased introduction

Hybrid

  • Sensitive data stays local while selected services run centrally
  • Clear separation between local and cloud components
  • For phased migration and existing IT policies

KI-Quadrat is an Austrian company headquartered in Gablitz near Vienna. There is no US parent company. No US cloud storage is used for municipal data. The US CLOUD Act does not apply to our infrastructure.

Operations

Security in day-to-day operation

Certificates define the framework. These measures show how operations are secured every day.

Audit Logs

Every access, every administrative change, and every relevant system event is logged, either locally on your server or in the EU cloud.

Roles and Permissions

Access is assigned according to municipal responsibilities. Integration with Active Directory and existing permission structures is supported.

Encryption

Data is protected in transit (TLS 1.3) and at rest (AES-256). Key management follows the selected operating model.

Incident and Change Management

Defined incident processes, regular security reviews, and controlled system changes. Documented in line with ISO 27001.

Frequently Asked Questions

What IT, privacy, and procurement teams ask

Can we verify the certifications ourselves?

Yes. You can appoint your own auditors or bring in third parties. Our ISO certifications are issued by Prescient Security, an accredited and independent certification body. The certificates can be verified publicly through our Trust Center.

Where is our data stored?

That depends on the chosen model. On-premise: on your own server in the town hall. EU cloud: in data centers in Germany and Austria (Hetzner, Exoscale). Hybrid: critical data stays local while application logic runs in the EU cloud. In no model is data stored on US servers.

Does the US CLOUD Act apply to KI-Quadrat?

The CLOUD Act applies to US companies and their subsidiaries. KI-Quadrat is an Austrian limited company based in Gablitz with no US ownership. We do not use US cloud infrastructure for municipal data. The CLOUD Act does not apply to our data processing.

Evidence

Certifications and Trust Center

For procurement, privacy, and IT decisions, the key question is whether claims can be evidenced.


ISO 27001

Information Security

International standard for information security management systems. Independently audited by Prescient Security. First certified in 2025 and audited annually.


ISO 42001

AI Management System

Standard for responsible AI governance. Covers transparency, accountability, risk analysis, and traceability of AI use.


GDPR

Data Protection Compliance

Privacy compliance under EU law with a clear data processing agreement. Architecture without third-party data sharing. PII masking as a technical safeguard.


NIS-2-ready

Cybersecurity

Architecture and operating model are aligned with upcoming requirements for risk management, incident handling, and supply-chain security.

KI-Quadrat Systemhaus GmbH is certified under ISO 27001 and ISO 42001. Certification is carried out by independent, accredited auditors and reviewed regularly. The platform is GDPR-compliant and prepared for NIS-2. Municipalities can choose between on-premise, EU cloud, and hybrid.