Certifications & Infrastructure
Inherited from Hetzner Online GmbH (Infrastructure Provider)
These certifications cover the infrastructure layer on which UBava operates.
ISO/IEC 27001:2022 (Inherited)
Information Security Management System. Audited and certified by SOCOTEC Certification Germany.
BSI C5 Type 2 (Inherited)
Cloud Computing Compliance Criteria Catalogue. Verified for ongoing operational effectiveness by independent auditors.
SOC 2 Type II (Inherited)
System and Organization Controls report covering security, availability, and confidentiality trust service criteria.
UBava's relay infrastructure runs on Hetzner Online GmbH's certified data centers in Nuremberg, Germany. These certifications cover the infrastructure layer. UBava's application-layer certifications are in progress.
UBava Application-Layer (In Progress)
Our own certification journey for the application and data-processing layers.
ISO 27001 (Planned)
Application-layer Information Security Management certification. Planned as the first certification milestone.
BSI C5 (Planned)
Application-layer cloud compliance. Planned to follow ISO 27001 certification completion.
EU AI Act Compliance (In Progress)
Article 4 (AI Literacy) complete. Articles 16–50 (provider obligations, transparency, risk management) in preparation. August 2026 deadline.
Regulatory Framework
The legal foundations that govern how UBava processes, relays, and protects data.

General Data Protection Regulation

Regulation (EU) 2016/679

Privacy by design via the VHH cascade. PII is tokenized locally before any data reaches external AI providers. No personal data crosses jurisdictional boundaries.

EU Artificial Intelligence Act

Regulation (EU) 2024/1689

AI literacy policy implemented under Article 4. Transparency obligations and provider requirements under Articles 16–50 in active preparation.

ePrivacy Directive

Directive 2002/58/EC

Cookie consent implementation with granular user controls. Only essential cookies are set without explicit consent.

Estonian Personal Data Protection Act

Isikuandmete kaitse seadus

Full compliance with Estonian national data protection law. Supervisory authority: Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate).

Architecture Compliance
How the VHH Privacy Air-Lock cascade satisfies GDPR's core data protection principles.

Data Minimization

Article 25 — Only synthetic tokens are transmitted to AI providers. Real PII never leaves the local tokenization layer.

Purpose Limitation

Data is processed exclusively for the stated AI query purpose. No secondary use, no profiling, no analytics on personal data.

Storage Limitation

Token mappings exist only for the duration of the request-response cycle. No persistent storage of PII on relay infrastructure.

Integrity & Confidentiality

AES-256-GCM encryption on every packet. Tokenized data is cryptographically separated from its real-world referents.

Legal precedent: The ECJ ruling in Case C-413/23 P (September 2025) confirmed that pseudonymized data transmitted to a third party — where that party lacks the means to re-identify individuals — does not constitute personal data under GDPR. UBava's VHH cascade ensures AI providers receive only synthetic tokens with no path to re-identification.
Data Protection Contact
For data protection inquiries, requests, or complaints.

Data Protection Contact

info@ubava.ee

Supervisory Authority

Andmekaitse Inspektsioon

Tatari 39, 10134 Tallinn, Estonia

Company

UBava OÜ

Tallinn, Estonia
Registry Code: Pending Registration