KI
Watch now: AI between hype and pressure to act – a reality check for 2026
"Simply dumping documents from 20 years into a vector database,
10 December 2025
No comments
migRaven.MAX - 100% GDPR compliant
EU data residency
Data remains in the EU
End-to-end encryption
TLS 1.2+ & AES-256
No model training
Your data remains private
Certified
ISO, SOC, HIPAA compliant
Why is migRaven.MAX GDPR compliant?
migRaven.MAX exclusively uses enterprise AI services from Microsoft Azure OpenAI and AWS Bedrock, which are specifically designed for use in regulated environments. Unlike public AI services, these platforms offer complete data control and guaranteed GDPR compliance.
Important difference:
migRaven.Max does NOT use the public APIs of OpenAI or other providers, but only enterprise versions with guaranteed EU data residency and compliance certifications.
Microsoft Azure OpenAI Service - Your Guarantees
Azure OpenAI EU DataZone Deployment
- 100% EU data processing: With EU DataZone Deployments, your data is processed exclusively within the EU member states - never in third countries
- No affiliation with OpenAI Inc.: Azure OpenAI is a standalone Microsoft service with no affiliation with OpenAI Inc.
- No model training: Your data will NOT be used to train Microsoft or third-party models
- Complete data control: Your data never leaves the Microsoft ecosystem
- Encryption: All data is encrypted both in transit (TLS 1.2+) and at rest
Compliance certifications
ISO 27001/27017/27018
Information security
SOC 1/2/3
Service Organization Controls
CSA STAR Level 2
Cloud Security Alliance
HIPAA
Health data compliant
Official documentation:
AWS Bedrock - Enterprise AI with GDPR Guarantee
AWS Bedrock Data Protection Guarantees
- No data storage: Amazon Bedrock does NOT store or log your prompts and completions
- No model training: Your data will NOT be used to train AWS or third-party models
- Data isolation: Model providers have no access to your data or AWS logs
- EU data residency: Complete control over the region where your data is processed
- Encryption: Automatic encryption in transit (TLS 1.2+) and at rest (AWS KMS)
- Private Connectivity: Use AWS PrivateLink for secure VPC-to-Bedrock connections
Compliance certifications
GDPR
Fully compliant
ISO 9001 / 27001
Quality & Safety
SOC 1/2/3 Type 2
Independently audited
HIPAA
Health data compliant
CSA STAR Level 2
Best practices validated
FedRAMP Moderate
US government standard
Official documentation:
Comparison: Public APIs vs. Enterprise Solutions
| Criterion | Public AI APIs | migRaven.Max (Azure OpenAI & AWS Bedrock) |
|---|---|---|
| Data Processing: | ❌ Worldwide, no control | ✅ Guaranteed in the EU |
| model training | ❌ Data can be used for training | ✅ No use for model training |
| Data deletion | ❌ Unclear/Not guaranteed | ✅ Complete control & deletion |
| GDPR compliance | ❌ Not guaranteed | ✅ Contractually assured with DPA |
| Audit logs | ❌ Limited/None | ✅ Complete audit trails |
| SLAs | ❌ No/Limited | ✅ Enterprise SLAs (99.9%+) |
| Compliance certificates | ❌ Few/None | ✅ ISO, SOC, HIPAA, CSA STAR |
Our technical protection measures
Multi-layered security concept
- Encryption: End-to-end encryption of all data transmissions (TLS 1.2+) and storage (AES-256)
- Access control: Role-based access control (RBAC) with minimal permissions
- Audit logging: Complete logging of all accesses and operations
- Data isolation: Strict client separation at all levels
- Anonymization: Automatic detection and masking of personal data
- Retention policies: Automatic data deletion according to configured retention policies
Transparency & Control
- Data Processing Agreements (DPA): Complete contractual protection with Microsoft and AWS
- Right to information: Access to processed data at any time
- Right to erasure: Immediate erasure upon request (Right to be Forgotten)
- Data portability: Export of all data in standardized formats
- Purpose limitation: Data processing exclusively for agreed purposes
- Retention policies: Automatic data deletion according to configured retention policies
Regulatory
GDPR Article 28 - Data processing
Both Microsoft and AWS act as data processors pursuant to Art. 28 GDPR and offer standard Data Processing Agreements (DPAs) that contain all necessary safeguards:
- Encryption: End-to-end encryption of all data transmissions (TLS 1.2+) and storage (AES-256)
- Access control: Role-based access control (RBAC) with minimal permissions
- Audit logging: Complete logging of all accesses and operations
- Data isolation: Strict client separation at all levels
- Anonymization: Automatic detection and masking of personal data
- Retention policies: Automatic data deletion according to configured retention policies
Standard Contractual Clauses (SCCs)
Both Microsoft and AWS act as data processors pursuant to Art. 28 GDPR and offer standard Data Processing Agreements (DPAs) that contain all necessary safeguards:
Frequently asked questions about GDPR compliance
GDPR Article 28 - Data processing
Both Microsoft and AWS act as data processors pursuant to Art. 28 GDPR and offer standard Data Processing Agreements (DPAs) that contain all necessary safeguards:
When using the EU DataZone (Azure) or EU regions (AWS), your data will be processed exclusively in data centers within the European Union.
No. Neither Microsoft nor AWS will use your data to train their or other AI models. This is contractually guaranteed.
No. Azure OpenAI is a completely independent Microsoft service. OpenAI Inc. has no access to your data.
You have complete control over the retention period. After deletion, data is removed from all backup systems within a maximum of 30 days.
Yes, both providers offer comprehensive audit reports (SOC 2, ISO 27001) and allow for self-audits in accordance with DPA agreements.
Further resources
Microsoft Azure Open AI
AWS Bedrock
- AWS Bedrock Security & Compliance
- AWS Bedrock Data Protection
- AWS GDPR Center
- AWS Data Processing Addendum
- AWS Artifact (Compliance Reports)
Important note for customers
This information is based on the official documentation from Microsoft and AWS (as of August 2025). For legally binding statements, please consult your data protection officer and check the current contractual terms of the respective providers.
Convinced? Then contact us!
Currently at migRaven
KI
Watch now: Loss of control in M365?
No more dangerous flying blind in Teams and SharePoint.
20 November 2025
No comments
KI
From artificial to collective intelligence: aikux.Brain for businesses
Live at the Knowledge Management Days 2025 in Stuttgart in November
3 November 2025
No comments
Webinar
Don't miss out! The next migRaven webinars.
Our experts, with experience from numerous IT projects, will explore current topics related to security and efficiency in data usage, fundamental IT security issues, and data and permissions migration. Register now for free!
29 October 2025
No comments
Currently at migRaven
KI
Watch now: AI between hype and pressure to act – a reality check for 2026
“Simply dumping 20 years’ worth of documents into a vector database is not a strategy.” From department heads to CIOs, this is currently being felt.
10 December 2025
No comments
KI
Watch now: Loss of control in M365?
Stop flying blind in Teams and SharePoint! Let's be honest: Who in your company still really understands the...
20 November 2025
No comments
KI
From artificial to collective intelligence: aikux.Brain for businesses
Live at the Knowledge Management Days 2025 in Stuttgart. In November you will have the opportunity to meet our CEO Thomas Gomell and our CSO.
3 November 2025
No comments
Webinar
Don't miss out! The next migRaven webinars.
Our experts with experience from many IT projects examine current topics related to security and efficiency in data usage, fundamental questions
29 October 2025
No comments
Under the hood
migRaven software products
migRaven
- migRaven GmbH
- Hallerstrasse 6
- 10587 Berlin, Germany
Funded by
- Federal Ministry for Economic Affairs and Energy based on a resolution of the German Bundestag.