
Security

AI, data protection and control for digital employees.

A digital employee works with real data and real systems. That is why data protection, the EU AI Act, and security are clarified early: task, data flows, rights, logs, and the points where a human decides.

Security architecture with limited access, roles, and handover points

Why it's different

A chatbot answers questions. A digital employee intervenes in work.

It reads documents, checks data, looks for context, prepares answers, or creates records in systems. That raises data protection, security, and regulatory questions, including GDPR and the EU AI Act. These points need to be clarified before the pilot.

  • Which sources can it read?
  • Which actions can it prepare?
  • When does a human have to take over?

Short answer

AI and data protection need architecture, auditing and clear boundaries.

thirdmind plans digital employees as controlled AI systems. Each one gets a clear task, limited system access, defined rights, logging, and escalation rules. The backend and deployed LLMs are hosted in the EU, and customer data is not used to train third-party LLMs. Our basic architecture was reviewed by DORDA, our legal partner. For project-specific GDPR or EU AI Act questions, we involve DORDA where needed.

Can AI be used safely with company data?

Yes, if the task, data sources, rights, logs, and approvals are clarified before productive use. A digital employee does not receive blanket company access.

Is a digital employee GDPR compliant?

We design the setup so data protection is clarified before productive use: purpose, data, roles, rights, logs, approvals, and responsibility. The specific classification depends on the process.

Does thirdmind take the EU AI Act into account?

Yes. In the project, we examine which role, risk classification and transparency obligations may be relevant for the specific AI system. We clarify open points with DORDA.

What prevents uncontrolled AI actions?

Limited rights, human-in-the-loop, escalation rules and audit logs. Critical steps are prepared or handed over to people instead of going through automatically.

  • Hosting: EU
  • LLM training: No provider training
  • Logs: Audit per case
  • Rights: Per system
  • Handover: Human-in-the-Loop
  • Regulatory: GDPR, EU AI Act

Seven principles

This is how we plan security into every setup.

01 · Scope

Clear task instead of open access

A digital employee does not receive general company access. It gets a task: check invoices, prepare tickets, compare master data. Everything else remains outside the scope.

02 · Rights

Roles and rights

Rights are defined for each digital employee: read, write, and approval rights, system limits, data types, and escalation points. The goal is limited agency, not blanket autonomy.

03 · Handover

Human-in-the-Loop

People stay in the process where responsibility lies. If a case is uncertain, outside the rules, or needs a decision, it is referred.

04 · Traceability

Audit logs

Logs show which case was processed, which data was used, which decision was prepared and when it was handed over to a human.

05 · Hosting

EU hosting, no provider training

The backend and deployed LLMs are hosted in the EU. Customer data is not used to train third-party LLMs. For data protection or EU AI Act questions, we provide project-related legal coordination.

06 · Approvals

Write permissions only with limits

A digital employee can prepare actions or carry them out within clear limits. The rights it receives depend on the process, risk, and approval model.

07 · Infrastructure

On-premise is not an exclusion

Not every company works only in cloud systems. Digital employees can also be planned for environments where databases or specialist systems are on-premise.

Before the pilot

We clarify these questions for every pilot.

  1. What task does the digital employee take on?
  2. What data sources does it need?
  3. Which systems are connected?
  4. What rights does it get?
  5. Which actions may it only prepare?
  6. Which cases are escalated?
  7. Which logs are needed?
  8. Who is technically responsible?
  9. Which GDPR, EU AI Act or IT requirements apply?

Our attitude

No blanket guarantee. But clear responsibility.

We do not treat GDPR as a blanket seal because every setup depends on purpose, data, roles, and process. What we do: plan security as architecture, document boundaries and responsibilities, and obtain project-related legal advice on GDPR or EU AI Act questions where needed.

  1. Legally tested basic architecture as a starting point.
  2. Project-related clarification on GDPR and EU AI Act questions.
  3. Technical limits, logs and human approvals in the setup.

Frequently asked questions

Security answered honestly.

How does AI fit with data protection in a company?

AI fits into company processes when tasks, data sources, rights, logs, and approvals are clearly limited. thirdmind plans digital employees with EU hosting, limited data flows, traceable processing, and a view of GDPR and EU AI Act questions.

Are digital employees GDPR compliant?

Data protection depends on the specific setup. thirdmind works with EU hosting, limited data flows, roles, rights, logging, and a basic architecture reviewed by DORDA. If GDPR or EU AI Act questions become relevant in the project, we involve DORDA on a project-specific basis.

Does thirdmind take the EU AI Act into account?

Yes. In the project, we examine which role, risk classification, and transparency obligations may be relevant for the specific AI system. The classification depends on the concrete application; where needed, we clarify open points with DORDA.

Is customer data used for LLM training?

Not for training third-party LLMs. Project-specific customer data can be used as context, a knowledge base, or test material, but not for provider training.

Where are the systems hosted?

Backend and deployed LLMs are hosted in the EU. The specific architecture is determined in the project.

Can a digital employee get write permissions?

Yes, but not automatically. Write permissions depend on the process, risk, and approval rules. It often makes sense to prepare actions first and have people approve them.

How are wrong actions prevented?

Through clear scope, verified data sources, limited rights, escalation rules, human-in-the-loop, and logs. No single mechanism is sufficient on its own.

Who is responsible when a digital employee works?

Responsibility remains clearly assigned inside the company. That is why every digital employee needs a business owner, defined boundaries, and understandable handovers.

Can internal systems or on-premise data be connected?

Yes, such setups are possible. We check in advance which connection makes sense, which data the digital employee really needs, and how the setup can be secured.

Discuss safety

When a digital employee works with real data, security comes first.

Yuno asks four short questions and helps determine the appropriate next step: process review, pilot, or security discussion.