Overview
This statement explains how CIOS Technology AG (“CIOS”) handles personal data that customers and their end users entrust to the CIOS AI Personality platform. It is distinct from, and supplementary to, the website Privacy Policy, which governs visitors to cios.app. Where this statement and the customer’s Data Processing Addendum (DPA) cover the same topic, the DPA prevails.
Roles
Customers act as the data controller in respect of their end users. CIOS acts as the data processor and processes customer data only on documented instructions from the customer, in line with Article 28 GDPR and the Swiss revFADP.
EU-only tenant default
New CIOS tenants are provisioned in the European Union by default. Application data, vector embeddings, identity records, and audit logs are stored in EU regions (Google Cloud europe-west; MongoDB Atlas Frankfurt or Ireland; Weaviate EU cluster; Auth0 EU tenant). LLM calls are routed to EU endpoints where the provider offers them. Any deviation from the EU-only default requires explicit written agreement with the customer and is documented in the order form.
LLM providers (named)
CIOS uses the following large-language-model and embedding providers. None of them uses CIOS customer data to train foundation models.
- Google — Gemini via Vertex AI (primary conversation model). EU endpoints. No training on customer data.
- Anthropic — Claude (backup conversation model). EU endpoints where available; otherwise US under a Zero Data Retention agreement. No training on customer data.
- OpenAI — embedding models only, used for short post-redaction topic strings. OpenAI Ireland Ltd as EEA contracting entity. No generative calls. No training on customer data.
Prompts are processed through the CIOS PII-redaction layer before they leave CIOS infrastructure. Special-category data (Article 9 GDPR) is halted at the redaction layer and is not transmitted to any LLM provider.
What we process and why
- Identity and profile data — to authenticate users and personalise the experience.
- Conversation content and derived memory — to deliver the AI Personality service the customer has configured.
- Consent records and audit events — to demonstrate compliance and respond to data-subject requests.
- Operational telemetry — to keep the service secure, available, and performant.
Retention and deletion
Default retention is set per data class in the CIOS retention schedule (e.g., audit events 2 years; memory 3 years from last access; session tokens 30 days). On contract termination, customer data is deleted from production systems and backups in line with the CIOS Procedure for Deletion of Personal Information; deletion is confirmed to the customer.
Sub-processors
CIOS publishes the full sub-processor list at cios.app/sub-processors. Customers may subscribe to changes via the notification channel set out in the master DPA. New sub-processors require a Transfer Impact Assessment, a signed DPA, and at least 30 days’ prior notice to affected customers.
Data-subject rights and contact
Customers and their end users may exercise GDPR / revFADP rights of access, rectification, erasure, restriction, portability, and objection by contacting [email protected]. CIOS will assist the customer in responding within statutory timeframes.