Safe. Sovereign.
Compliant by design.

When we deploy AI inside your organisation, we work inside the perimeter your security team already trusts. Swiss hosting, no training on your data, DPAs signed with every provider in the path. Aligned with nLPD, GDPR and the EU AI Act.

01/WHAT WE GUARANTEE

Six guarantees,
no fine print.

No training on your data

Zero-retention enabled on every provider we route through. Your prompts, documents and answers never train any model. Not ours, not theirs.

Sovereign hosting CH / EU

Indexes and vectors hosted in Switzerland or the EU, on providers with no US export exposure. Or inside your own cloud tenant. Your DPAs apply.

Permission-aware by design

We wire the deployment to inherit your source-system ACLs. A user only sees what they could already open in SharePoint, Drive or your ERP.

Encrypted end-to-end

TLS 1.3 in transit, AES-256 at rest. Customer-managed keys on request. Secrets isolated per tenant, yours included.

Audited & pentested

Annual third-party pentest on the deployment. Continuous vulnerability scanning. Independent eval-grid review before go-live.

Full audit trail

Every question, every cited source, every model call logged. Exportable to whatever SIEM your compliance team already runs.
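The two guarantees above, ACL inheritance and a complete audit trail, are easiest to reason about in code. The following is an added illustration, not Atlas or BUMPSLAB code: each indexed chunk carries the principals copied from the source system's ACL at index time, the retriever filters on those principals before ranking (so an unauthorised document is never a candidate, let alone cited), and every query yields a structured audit event ready to forward to a SIEM. The index contents, group membership and the model name are constructed placeholders.

```python
"""Permission-aware retrieval with one audit event per query.

Hypothetical example (not BUMPSLAB/Atlas code). Chunks carry the ACL of the
document they were cut from; the retriever applies that ACL *before* ranking,
so a user can only be shown chunks from documents they could already open in
the source system. Every query produces a SIEM-ready audit record.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Chunk:
    doc_id: str
    text: str
    # Principals ("user:<id>" / "group:<name>") mirrored from the source-system ACL at index time.
    allowed_principals: frozenset[str]


# Constructed sample index: three documents with ACLs copied from the source system.
INDEX = [
    Chunk("hr/salaries.xlsx", "salary bands for 2025 by grade", frozenset({"group:hr"})),
    Chunk("wiki/onboarding.md", "how to request a laptop and a badge", frozenset({"group:all-staff"})),
    Chunk("finance/q3-forecast.pdf", "q3 revenue forecast by region", frozenset({"group:finance", "user:cfo"})),
]

# Constructed group membership (in a real deployment this comes from the identity provider).
GROUPS = {"alice": {"all-staff"}, "bob": {"hr", "all-staff"}}


def principals_for(user: str, groups: dict[str, set[str]]) -> frozenset[str]:
    """Expand a user into the full principal set used for ACL checks."""
    return frozenset({f"user:{user}"} | {f"group:{g}" for g in groups.get(user, set())})


def score(query: str, text: str) -> float:
    """Toy lexical relevance: fraction of query terms that appear in the chunk."""
    q = set(query.lower().split())
    return len(q & set(text.lower().split())) / max(len(q), 1)


def retrieve(query: str, user: str, groups: dict[str, set[str]], k: int = 3) -> list[Chunk]:
    """Pre-retrieval ACL filter: only chunks the caller may read are ever ranked."""
    who = principals_for(user, groups)
    visible = [c for c in INDEX if c.allowed_principals & who]
    ranked = sorted(visible, key=lambda c: score(query, c.text), reverse=True)
    return [c for c in ranked[:k] if score(query, c.text) > 0]


def answer_with_audit(query: str, user: str, groups: dict[str, set[str]],
                      model: str = "model-placeholder") -> dict:
    """Run a permission-aware retrieval and return the cited sources plus the audit event.

    The audit event records who asked what, which model route was called and which
    sources were cited; `siem_line` is the same event as one JSON line for export.
    """
    hits = retrieve(query, user, groups)
    who = principals_for(user, groups)
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "query": query,
        "model": model,
        "cited_sources": [h.doc_id for h in hits],
        "candidates_visible": sum(1 for c in INDEX if c.allowed_principals & who),
    }
    return {"sources": [h.doc_id for h in hits], "audit_event": event, "siem_line": json.dumps(event)}


if __name__ == "__main__":
    # alice is not in group:hr, so the salary sheet is never a candidate for her.
    print(answer_with_audit("salary bands", "alice", GROUPS)["siem_line"])
    print(answer_with_audit("salary bands", "bob", GROUPS)["siem_line"])
```

The important design choice is that the ACL check happens inside `retrieve`, before ranking, rather than as a post-filter on the model's answer: a post-filter still lets the unauthorised chunk influence ranking and, in a RAG pipeline, the generated text. The audit event deliberately records how many candidates were visible to the caller, which is the number a reviewer would want when checking that the filter was in effect.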

02/DPAS IN PLACE

We have signed the paper
your legal team needs.

OpenAI
GPT-4 / GPT-4o · Custom GPTs
Enterprise tier with zero data retention. EU data residency available.
Status: In place · EU residency

Anthropic
Claude · Claude Projects
Commercial DPA + zero training on customer data.
Status: In place · EU / US

Mistral AI
Mistral Large · Codestral
European sovereign provider, hosted in France.
Status: In place · France

Microsoft
Azure OpenAI · Copilot
Azure DPA + Customer Lockbox + EU Data Boundary.
Status: In place · Switzerland / EU

Google
Gemini · Vertex AI
Google Cloud DPA with EU data location commitments.
Status: On request · EU

Infomaniak
Sovereign hosting · Switzerland
Swiss-owned, Swiss-hosted. nLPD-aligned by default.
Status: In place · Switzerland

Exoscale
Sovereign cloud · Switzerland
ISO 27001 certified Swiss IaaS.
Status: In place · Switzerland

OVHcloud
EU sovereign hosting
SecNumCloud-ready, FR / DE / BE regions.
Status: In place · France / Germany

Customer tenant
Azure · GCP · AWS
Inside your own cloud subscription. Your DPAs apply.
Status: On request · Customer-controlled

03/COMPLIANCE POSTURE

Three frameworks.
Aligned by default.

Personal data in Switzerland and the EU, and AI systems under the EU AI Act: three frameworks we work inside on every deployment, with the controls to back them.

No. | Region | Scope | Framework | Status | What it means
01 | CH | Personal data | nLPD (Swiss FADP) | Aligned | Swiss hosting available, data processing register maintained, DPO contactable.
02 | EU | Personal data | GDPR (EU GDPR) | Aligned | DPA template ready, sub-processors list public, right to erasure honored.
03 | EU | AI systems | EU AI Act (AI systems regulation) | Aligned | High-risk system classification reviewed per deployment. Human-in-the-loop by default.

04/FAQ

Straight answers
to security questions.

Where exactly is our data hosted?

Indexes, vectors and logs sit on the region you choose at scoping: Switzerland (Infomaniak or Exoscale), the EU (OVHcloud), or inside your own cloud tenant (Azure, GCP, AWS). On-premise deployment is available where compliance requires it. Your raw documents stay in your source systems unless you explicitly opt into mirroring.

Do you train on our data?

No. Your prompts, documents and answers never train any model, neither ours nor a provider's. We enable zero-retention mode on every API we route to. Where a provider does not offer it, that route is disabled for your tenant.

Which providers do you have DPAs signed with?

OpenAI (Enterprise tier with zero retention), Anthropic, Mistral, Microsoft (Azure OpenAI and Copilot), plus our hosting partners Infomaniak, Exoscale and OVHcloud. Google Gemini is on request. Copies of any signed DPA are available under NDA. Write to hello@bumps-agency.ch.

What about sub-processors?

Our sub-processors list is public and versioned. Changes are notified 30 days in advance, with the right to object built into the DPA. If you have a vendor moratorium, we route through alternatives.

How do we get your DPA?

Our standard BUMPSLAB DPA template is sent within 24h of request. We sign customer paper without friction when the substance is equivalent. PGP-signed delivery is available on request.

What if one of your AI providers has a breach?

Incident notification is part of every DPA we sign, with the provider obliged to notify us within 72h. We notify you within 24h of receiving the alert, even before the regulatory deadline. Our incident response runbook is part of the trust pack.

Can we audit Atlas ourselves?

Yes. You get read access to question logs, source-tracing per answer, and our evaluation grid run on your data. We provide architecture documentation and connector inventory. If you need a CISO walkthrough, we book one.

What happens if BUMPSLAB stops operating?

You own the Atlas index, the connectors, the architecture documentation and the admin accounts. The trust pack includes a switch-provider playbook. Nothing proprietary blocks you from migrating to another vendor or bringing Atlas in-house.

05/TRUST PACK

Bring this to your CISO.

Get the full trust pack: DPA template, sub-processors list, architecture diagram, pentest summary, incident response runbook. One PDF for your security review.

CONTACT
hello@bumps-agency.ch
RESPONSE TIME
Within 24 hours