Data & trust

Your client's formula is the most confidential document in your practice. Here is exactly what happens to it.

Architecture & commitments · updated July 2026

No AI touches your formulas

The computation pipeline is deterministic: document parsing is rule-based, threshold mathematics is arithmetic, and the allergen ruleset is parsed from the official regulation texts. No formula, concentration or supplier document is ever sent to a language model in the standard pipeline. An optional AI fallback exists for unreadable/scanned documents — it is off by default, enabled only per engagement with your consent, and runs in-region with zero data retention (see below).

EU data residency

All processing and storage happens on infrastructure located in the European Union (Frankfurt region). No transfer to third countries, no US-hosted analytics on portal pages, no CDN caching of your documents.

Your data is never training data

Uploaded documents are used solely to produce your engagement's deliverables. They are not used to train models, not aggregated into benchmarks, and not shared with other customers — full stop.

Retention you control

Default: submissions and uploads are retained for 90 days after delivery so you can re-download workbooks, then deleted. You can request earlier deletion at any time, or longer retention for re-runs on future Annex III changes — your choice, per portfolio.

If AI fallback is enabled

For scanned documents that defeat rule-based parsing, we can optionally use a model hosted on AWS Bedrock in eu-central-1 (Frankfurt). Bedrock does not retain prompts or outputs and does not use them for training. The extracted text is then processed by the same deterministic pipeline. You will always know, per engagement, whether this was used.

Self-hosted for boutiques

RP firms and compliance boutiques can run the entire engine inside their own environment as a container — formulas never leave your infrastructure. Available on the firm plan.

Sub-processors

ProviderPurposeRegion
AWS (Amazon Web Services EMEA SARL)Hosting, storage, optional Bedrock AI fallbackeu-central-1, Frankfurt
Stripe Payments Europe Ltd.Subscription billing (card data never touches our systems)EU entity

That is the complete list. New sub-processors are announced to customers 30 days in advance.

Security practices

What Annexa is — and is not

Annexa is a screening and drafting aid for qualified professionals. Every workbook requires human review and sign-off. Annexa is not a cosmetic product safety assessment, not a certification body, and does not assume the Responsible Person's obligations under Regulation (EC) No 1223/2009. Every figure in every workbook is traceable to the verbatim source line of the document it came from — so you can verify everything we compute.

Who builds Annexa

Annexa is built in Munich by Markus Niemeier, co-CEO of a clinical-research biometrics firm — fifteen-plus years of regulated data pipelines, audit trails and GxP documentation, now applied to Annex III.

Questions a procurement or DPO review needs answered — DPA template, TOMs, deletion certificates — are handled directly: hello@annexa.eu.