How We Protect Your Data

Industrial-grade security built into every layer. Your data stays in the EU, encrypted at rest and in transit, with full audit trails. PQ Ready EU Only

Security by Design

Pauhu® is built on the principle that security is not a feature you add later — it is the foundation everything else is built on. Our architecture follows industrial security standards used in critical infrastructure (IEC 62443-3-3), adapted for cloud-native EU data processing.

Five Principles

1. Zone Isolation

Data flows through clearly defined security zones. Each zone has its own access controls and trust level. Sensitive data (your translations, glossaries, and usage patterns) lives in protected zones that are isolated from public-facing services. Data can only move between zones through controlled checkpoints that verify every request.

2. EU Data Residency

All data is stored and processed within the European Union. This includes databases, file storage, search indexes, and AI model inference. No data leaves EU jurisdiction at any point. This is enforced at the infrastructure level, not just by policy.

3. Encryption Everywhere

All data is encrypted in transit (TLS 1.3) and at rest (AES-256-GCM). API keys and authentication tokens are hashed before storage. Sensitive configuration is managed through encrypted secret stores, never hardcoded or committed to version control.

4. Access Control

Every API request is authenticated and authorised. Role-based access control determines what each user can see and do. Organisation administrators can manage team members and their permissions. All access decisions are logged for audit purposes.

5. Complete Audit Trail

Every significant action is recorded: who did what, when, and from where. Audit logs are stored separately from application data and cannot be modified or deleted. You can export your organisation's audit logs at any time.

Zone Model

Pauhu uses a three-zone security architecture based on IEC 62443-3-3, the same standard used in industrial control systems and critical infrastructure. Each zone has a different trust level and different rules for what data can flow in and out.

  +-------------------+    +-------------------+    +-------------------+
  |  Protected Zone   | -> | Controlled Zone   | -> |  External Zone    |
  |                   |    |                   |    |                   |
  |  IP, models,      |    |  Build, deploy,   |    |  Customer-facing  |
  |  training data,   |    |  infrastructure,  |    |  UI, docs, i18n   |
  |  security config  |    |  operations       |    |                   |
  +-------------------+    +-------------------+    +-------------------+
            |                        |                        |
            +-----------+------------+-----------+------------+
                        |                        |
                  ==============            ==============
                  ||  Conduit  ||            ||  Conduit  ||
                  ==============            ==============
                  (verified data             (sanitised output
                   flow only)                 to customer)

Zone	Purpose	Access
Protected	Intellectual property, ML models, architecture, security configuration	Restricted to authorised personnel only. Never exposed to the internet.
Controlled	Build pipeline, deployment, infrastructure management, monitoring	Authenticated internal access. Acts as a conduit between Protected and External zones.
External	Customer-facing APIs, web UI, documentation, search interface	Public access with authentication. No direct access to Protected zone resources.

Model Last: AI inference (search ranking, classification, translation) runs only after all security gates pass verification. If any gate fails, the request is rejected before any model is invoked. This prevents adversarial inputs from reaching the AI layer.

What This Means for You

Concern	How We Address It
Where is my data stored?	Exclusively in EU data centres. Databases, files, and indexes are all EU-located.
Can other customers see my data?	No. Your translation memories, glossaries, and usage data are completely isolated.
Is my data used to train AI models?	No. Your data is never used for model training. Translation memories improve your results only.
What happens if there is a breach?	Zone isolation limits exposure. Even if one zone is compromised, protected zones remain secure. We notify affected customers within 72 hours per GDPR Article 33.
Can I audit access to my data?	Yes. Full audit logs are available through your dashboard or via the API.
How are API keys protected?	Keys are hashed before storage using SHA-256. We never store or display your full key after creation.

IP & Data Protection

Your intellectual property is protected at every level of the architecture:

Customer data isolation: Each customer's data (translation memories, glossaries, search history, custom models) is stored in isolated database rows with row-level security. No cross-tenant data access is possible.
API key isolation: For GPU Extensions, your provider API keys (OpenAI, Anthropic, Google, etc.) are validated for format but never stored by Pauhu. They are forwarded to the provider in a single request and immediately discarded.
No data mining: Pauhu does not analyse, aggregate, or mine customer data for any purpose. Usage counts and timestamps are recorded for billing; content is not.
Export at any time: You can export all your data (translation memories, glossaries, search configurations) in standard formats (TMX, TBX, JSON) at any time. No lock-in, no export fees.
Right to deletion: Request complete deletion of your account and all associated data. Deletion is irreversible and confirmed within 30 days per GDPR Article 17.

Compliance

Our security architecture supports compliance with:

GDPR — Privacy by design (Article 25), security of processing (Article 32), data breach notification (Article 33), right to erasure (Article 17).
NIS2 Directive — Cybersecurity risk management measures for essential and important entities.
EU AI Act — Transparency obligations for AI systems (Article 50), human oversight, and data governance. Pauhu is classified as minimal risk (not in Annex III).
IEC 62443-3-3 — Industrial automation and control systems security. Zone model, conduit flow control, and foundational security requirements.
EU Accessibility Act — WCAG 2.1 AA compliance across all customer-facing pages.

Post-Quantum Readiness PQ Ready

Pauhu® is preparing for the transition to post-quantum cryptography as recommended by NIST and ENISA. Our cryptographic architecture is designed for algorithm agility, enabling migration to quantum-resistant algorithms without service disruption.

Current Status

Layer	Current	PQ Migration Path
Transport (TLS)	TLS 1.3 (X25519 key exchange)	ML-KEM (FIPS 203) hybrid key exchange. Cloudflare already supports X25519Kyber768 on their edge.
Data at rest	AES-256-GCM	AES-256 is quantum-safe (Grover’s algorithm requires 2¹²⁸ operations). No change needed.
Key derivation	PBKDF2 with SHA-256 (310,000 iterations)	SHA-256 remains secure against known quantum attacks. NIST recommends SHA-256 for post-quantum use.
Model integrity	SHA-256 checksums	SHA-256 pre-image resistance is not weakened by quantum computers. No change needed.
Digital signatures	Ed25519 (where applicable)	Migration to ML-DSA (FIPS 204) or SLH-DSA (FIPS 205) when browser WebCrypto adds support.
Browser-side encryption	Web Crypto API (AES-256-GCM, non-extractable keys)	AES-256 is PQ-safe. Key exchange will migrate to ML-KEM when available in WebCrypto.

Timeline

We track the NIST Post-Quantum Cryptography Standardization process and ENISA recommendations for EU organisations. Our target is to support hybrid classical/PQ key exchange by the time major browsers ship WebCrypto ML-KEM support (expected 2027–2028).

Harvest-now-decrypt-later: All data at rest uses AES-256, which is not vulnerable to quantum attacks. For data in transit, our edge network already supports hybrid post-quantum TLS (X25519Kyber768). Clients connecting with Chrome 124+ or Firefox 128+ automatically negotiate post-quantum key exchange.

Model Integrity Verification

Every AI model downloaded to the browser is verified before use. This applies to translation models, embedding models, and any ONNX inference model.

Pre-load verification: SHA-256 checksum is computed and compared against the signed manifest before the model is loaded into the ONNX Runtime or Transformers.js session.
Cache poisoning prevention: Models loaded from browser cache (IndexedDB or Cache API) are re-verified on every load. If verification fails, the cache entry is purged and the model is re-downloaded.
Strict mode: Unknown model IDs (not in the manifest) are rejected. There is no fallback to unverified execution.

Browser-Native Processing

For supported operations, Pauhu® can run AI inference directly in your browser using WebGPU or WebAssembly. This means your text never leaves your device. Browser-native processing is available for terminology lookup, document classification, and lightweight translation tasks.

You can verify your device's capabilities using the benchmark tool.

Client-Side Security Advisory

Pauhu® processes data in your browser using WebGPU and WebAssembly. Your queries and results are visible on screen but never sent to our servers for inference. However, operating system features that capture screen content can record what is displayed, regardless of browser security settings.

Windows Recall and Screen Capture

Microsoft Windows 11 includes a feature called Recall that periodically screenshots the display and indexes the content using on-device AI. When enabled, Recall may capture sensitive information displayed in Pauhu, including:

Search queries and results (legal texts, procurement data, terminology)
Chat conversations and grounded answers
Document content shown during translation or analysis

No web application can prevent OS-level screen capture. HTTP headers, Content Security Policy, and browser sandboxing operate below the OS display layer. This applies equally to all browser-based tools, not only Pauhu.

Recommended Mitigations

Environment	Action
Enterprise (Group Policy)	Disable Recall via `Computer Configuration > Administrative Templates > Windows Components > Windows AI > Turn off saving Snapshots for Windows`. Registry: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis = 1`
Enterprise (Intune/MDM)	Deploy the `Experience/DisableWindowsAIDataAnalysis` CSP policy to managed devices.
Individual workstation	Settings > Privacy & Security > Recall & Snapshots > turn off “Save snapshots”.
Sensitive sessions	Use Microsoft Edge InPrivate mode. Recall excludes InPrivate browsing windows by default.
Regulated environments	Consider Linux or macOS workstations, which do not have an equivalent always-on screen capture feature.

GDPR Implications

If Windows Recall is enabled on a device processing personal data, Microsoft becomes a de facto processor of displayed content. Organisations subject to GDPR should assess whether Recall creates an unintended processing activity under Article 28 and whether a Data Protection Impact Assessment (DPIA) is required under Article 35(3)(a).

Pauhu® browser-native inference is designed so that data never leaves your device to reach our servers. Recall does not change this property — the risk is between Microsoft and your organisation, not between Pauhu and your organisation.

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly:

Email: security@pauhu.ai
security.txt: /.well-known/security.txt (RFC 9116)
Preferred languages: English, Finnish
Response time: We acknowledge reports within 48 hours and provide an initial assessment within 5 business days.

For compliance documentation requests, contact compliance@pauhu.ai.

System Architecture — zone model, data pipeline, orchestration
API Reference — authentication, endpoints, error codes
MACC Guide — Azure pricing equivalence and migration
Developer Docs — MCP server, CLI, container setup