Privacy Policy
This notice explains how we process personal data when you use this website and when you submit an inquiry through our scoping form. It is written to satisfy Articles 13 and 14 of the General Data Protection Regulation (GDPR).
Last updated: 23 June 2026
1. Controller
The controller responsible for processing your personal data is:
Benjamin Hellmich
Griesheimer Stadtweg 51
65933 Frankfurt am Main, Deutschland
Email: legal@annexo.eu
2. What data we collect
When you complete our scoping form (at /dossier/scope), we collect the information you provide: your name, your role or title, your work email, your company, your company website, your country, details about your AI system, and your preferred call time.
In addition, like most websites, our hosting infrastructure records standard server logs — including your IP address, browser type, and the time of your request — for the purpose of operating and securing the site.
3. Purpose and legal basis
We use the data you submit to respond to your inquiry and to arrange a scoping call. The legal bases for this processing are:
- GDPR Art. 6(1)(b) — processing necessary to take steps at your request prior to entering into a contract.
- GDPR Art. 6(1)(f) — our legitimate interest in responding to and managing business-to-business inquiries, and in operating and securing this website.
4. Recipients and processors
We do not sell your personal data. We share it only with service providers that process data on our behalf (sub-processors), each under a GDPR Art. 28 data-processing agreement:
- Vercel — hosting, content delivery, serverless function logs, and cookieless aggregate usage analytics (Vercel Web Analytics). EU compute region (fra1).
- Upstash — the durable store for the Fleet platform (registered-agent records & monitoring state), pinned to an EU region.
- Resend — to deliver our lead-notification and transactional emails.
- OpenAI — LLM evaluation of agent probe responses in the verification & readiness engines (API; not used to train models).
- ImprovMX — inbound email forwarding for our hello@ and legal@ addresses.
The current sub-processor list, with each provider’s region and transfer safeguard, is maintained at /subprocessors, and our processor terms are in the Data Processing Agreement.
5. The verification console & Fleet platform
When you use the verification console, you point Annexo at your own AI agent endpoint. The API key you provide is held in memory for that single request only and is never stored — not on disk, not in our database, not in logs. We keep only the observed verification results. On the Fleet platform we store the registered-agent metadata and monitoring state you create, in our EU-region store, until you delete it.
6. Retention
We keep your inquiry data only for as long as necessary to handle your inquiry and any resulting business relationship, after which it is deleted. Where an inquiry does not lead to a business relationship, we delete the data within 12 months of our last contact with you. Registered-agent records and monitoring state on the Fleet platform are kept until you delete them. Any client IP processed for rate-limiting exists only transiently in memory and is not persisted.
7. Your rights
Under the GDPR you have the right to access your personal data, to have it rectified, to have it erased, to restrict its processing, to data portability, and to object to processing. You also have the right to lodge a complaint with a supervisory authority.
To exercise any of these rights, contact us at legal@annexo.eu.
8. Cookies and analytics
This site uses no tracking or advertising cookies and builds no cross-site profile. The only cookies we set are strictly necessary: a session cookie (annx_session) when you sign in to the gated Fleet platform, and a small preference for your light/dark theme. Our usage analytics are cookieless and aggregate (Vercel Web Analytics): they measure page views without cookies and without storing or reading identifying information on your device. Because we store no non-essential information on your device, the device-access consent requirement of § 25 TDDDG is not triggered, so no cookie-consent banner is required.
9. International transfers
Some of our processors — in particular Vercel (hosting, EU compute region pinned), Resend (email) and OpenAI (probe evaluation) — are based in the United States and may process data there; our Fleet store (Upstash) is pinned to an EU region. For transfers outside the EU/EEA we rely on the European Commission’s standard contractual clauses (Decision (EU) 2021/914) and, where the provider is certified, the EU–US Data Privacy Framework, as the safeguard required under Chapter V of the GDPR.