Pauhu for Government
Data Sovereignty and Compliance — A guide for CISOs, DPOs, and compliance officers evaluating Pauhu® for public sector use.
1. Data Sovereignty
Pauhu operates exclusively within the European Union. Every layer of the platform — storage, compute, databases, vector indexes, and AI models — is provisioned with EU jurisdiction constraints.
- All data stored and processed in the EU (Helsinki, Finland).
- No third-country transfers under GDPR Articles 44–49. All vendors are EU-only.
- Object storage buckets are created with EU jurisdiction enforcement. Data cannot be replicated outside the EU.
- All relational databases are provisioned with --location eu, ensuring data-at-rest remains within EU borders.
- All compute workers run with explicit EU jurisdiction placement. Requests are served from EU edge locations only.
The data controller is Pauhu Ltd, a Finnish limited company registered in Helsinki.
2. GDPR Article 25 — Privacy by Design
Pauhu implements privacy by design and by default as required by GDPR Article 25.
Browser-native inference
AI inference runs entirely in the user’s browser using ONNX Runtime Web. Search queries and document content are processed locally on the device. No user query data is transmitted to Pauhu servers during inference.
No server-side query logging
Pauhu does not log, store, or process user search queries on the server side. The server provides pre-scored data; the browser performs inference. This architectural decision eliminates query-level data collection at the design level, not merely by policy.
Encryption at rest
All data at rest is encrypted using AES-256-GCM. Encryption keys are managed by the infrastructure provider and rotated automatically. Customer data is never stored in plaintext.
EU-only processing
All server-side processing — data ingestion, annotation, indexing, and model serving — occurs within EU jurisdiction. No data processing is offshored or delegated to non-EU subprocessors.
3. GDPR Article 32 — Security of Processing
Pauhu implements technical and organisational measures appropriate to the risk, in accordance with GDPR Article 32.
IEC 62443-3-3 zone model
The platform follows the IEC 62443-3-3 industrial security standard. Infrastructure is divided into security zones (Protected, Controlled, External, Business, Audit) with conduit-controlled data flows between them. Each zone has an assigned Security Level (SL-0 through SL-4).
Authentication security
All authentication comparisons use timing-safe operations (crypto.subtle.timingSafeEqual) to prevent timing side-channel attacks. API keys are hashed with SHA-256 before storage; full keys are shown only once at creation time.
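The pattern described above (store only a SHA-256 digest of each API key, then compare digests in constant time) is sketched below as an added example; it is not Pauhu's code. It assumes Node.js, whose `crypto.timingSafeEqual` stands in for the Workers `crypto.subtle.timingSafeEqual` the page names; the `pk_` key format, `keyStore`, `issueApiKey` and `verifyApiKey` are hypothetical.

```javascript
// Added example. Node's crypto.timingSafeEqual stands in for the Workers
// crypto.subtle.timingSafeEqual; key format and store are hypothetical.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

const sha256 = (text) => createHash('sha256').update(text, 'utf8').digest();

// Stand-in for the key table: key id -> SHA-256 digest of the full key.
const keyStore = new Map();
// Compared against when the id is unknown, so every string input costs one
// hash and one constant-time comparison.
const DUMMY_DIGEST = Buffer.alloc(32);
const KEY_FORMAT = /^pk_([0-9a-f]{12})_[A-Za-z0-9_-]{43}$/;

// Issue a key: the full key is returned to the caller once and never stored.
function issueApiKey() {
  const id = randomBytes(6).toString('hex');
  const secret = randomBytes(32).toString('base64url'); // 43 characters
  const fullKey = `pk_${id}_${secret}`;
  keyStore.set(id, sha256(fullKey)); // only the digest is kept
  return fullKey;
}

// Verify a presented key against the stored digest.
function verifyApiKey(presented) {
  if (typeof presented !== 'string') return false;
  const match = KEY_FORMAT.exec(presented);
  const stored = (match && keyStore.get(match[1])) || DUMMY_DIGEST;
  // Both buffers are 32-byte digests: timingSafeEqual throws on unequal
  // lengths, and hashing the input first removes that case.
  const same = timingSafeEqual(sha256(presented), stored);
  return same && stored !== DUMMY_DIGEST;
}
```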
Content integrity
Document content is verified using SHA-256 checksums at ingestion and retrieval. AI models are signed with Ed25519 digital signatures. Model integrity is verified before any inference operation.
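Why a signature is checked in addition to a checksum, shown as an added example that is not Pauhu's code: a checksum alone can be recomputed by anyone who can alter the artifact, while an Ed25519 signature binds the bytes to a pinned public key. The sketch assumes Node.js; the key pair is generated inline for the demonstration, and `publishModel`, `checkModel` and the manifest layout are hypothetical.

```javascript
// Added example; manifest layout and function names are hypothetical.
const { createHash, generateKeyPairSync, sign, verify } = require('node:crypto');

const sha256Hex = (bytes) => createHash('sha256').update(bytes).digest('hex');

// Constructed key pair for the demo. A real loader pins only the public key.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');

// Publisher side: checksum plus Ed25519 signature over the model bytes.
function publishModel(modelBytes) {
  return {
    sha256: sha256Hex(modelBytes),
    signature: sign(null, modelBytes, privateKey).toString('base64'),
  };
}

// Loader side: run before inference. Returns 'ok' or the reason for refusal.
function checkModel(modelBytes, manifest, pinnedKey) {
  if (sha256Hex(modelBytes) !== manifest.sha256) return 'checksum mismatch';
  const signature = Buffer.from(manifest.signature, 'base64');
  if (!verify(null, modelBytes, pinnedKey, signature)) return 'bad signature';
  return 'ok';
}

// Constructed sample data.
const model = Buffer.from('constructed model bytes');
const manifest = publishModel(model);
const tampered = Buffer.from('constructed model bytes, altered');
// A manifest whose checksum was recomputed for the altered bytes.
const forgedManifest = { ...manifest, sha256: sha256Hex(tampered) };

function demo() {
  return [
    checkModel(model, manifest, publicKey),
    checkModel(tampered, manifest, publicKey),
    checkModel(tampered, forgedManifest, publicKey),
  ];
}
```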
Transport and access controls
- All traffic encrypted with TLS 1.3. Post-quantum key exchange (X25519Kyber768) is supported on compatible browsers.
- No wildcard CORS policies. Cross-origin access is restricted to explicitly allowed origins.
- Administrative endpoints require authenticated access. No public admin interfaces.
4. NIS2 Compliance
Pauhu has self-assessed as an Important Entity under the NIS2 Directive (Directive (EU) 2022/2555), Article 21.
Cybersecurity risk management
Pauhu implements the cybersecurity risk-management measures required by NIS2 Article 21, including:
- Risk analysis and information system security policies.
- Incident handling procedures with defined escalation paths.
- Business continuity and crisis management (browser-native architecture enables offline capability).
- Supply chain security — all vendors are EU-based; no third-country dependencies in the critical path.
- Security in network and information systems acquisition, development, and maintenance.
- Cryptographic controls including post-quantum readiness.
Incident reporting
Significant incidents are reported to the competent authority in Finland:
- Authority: Finnish Transport and Communications Agency (Traficom), National Cyber Security Centre (NCSC-FI)
- Reporting channel: kyberturvallisuus@traficom.fi
- Timeline: Early warning within 24 hours, incident notification within 72 hours, final report within one month (per NIS2 Article 23).
5. Traficom Requirements
As an entity under Finnish national NIS2 implementation, Pauhu fulfils the following Traficom-related obligations:
| Requirement | Status | Detail |
|---|---|---|
| NIS2 Art. 27 notification | Pending | Notification to Traficom in progress. |
| Cyber security certification | In scope | IEC 62443-3-3 zone model implemented. Certification pathway under evaluation. |
| Vulnerability disclosure | Implemented | security.txt published per RFC 9116. Responsible disclosure policy in place. |
| Data Protection Officer | Appointed | Contact: dpo@pauhu.ai |
| Incident reporting | Implemented | Procedures aligned with NIS2 Art. 23 timelines (24h / 72h / 1 month). |
6. Data Residency Guarantees
Every infrastructure component is constrained to EU jurisdiction. The following table provides a complete residency map:
| Component | Type | EU Constraint |
|---|---|---|
| Object storage (R2) | File & model storage | EU jurisdiction buckets. Data cannot leave EU. |
| Relational databases (D1) | Structured data | Created with --location eu. Data at rest in EU. |
| Vector indexes (Vectorize) | Semantic search | EU-located. Embeddings stored and queried in EU. |
| Compute workers | Server-side logic | jurisdiction = "eu" on all workers. EU-only execution. |
| AI models (ONNX) | Machine learning inference | Stored in EU R2 buckets. Served to browser for local inference. |
| DNS and edge | Traffic routing | EU edge locations. TLS termination in EU. |
| Queue processing | Async data pipeline | EU-located queues. No cross-region message routing. |
7. Procurement Compatibility
Pauhu is designed to be compatible with EU and Finnish public procurement frameworks.
| Framework | Compatibility |
|---|---|
| Directive 2014/24/EU (Public Procurement) | Pauhu can be procured as a SaaS platform under standard public procurement procedures. |
| Hansel dynamic purchasing system | Planned. Pauhu intends to register on the Hansel framework for Finnish government procurement. |
| ESPD (European Single Procurement Document) | ESPD-compatible. Self-declarations available upon request. |
| Finnish Y-tunnus (business ID) | Will be provided at launch. Pauhu Ltd is a Finnish limited company. |
| eInvoicing (Directive 2014/55/EU) | Pauhu supports electronic invoicing in Finvoice and PEPPOL BIS Billing 3.0 formats. |
Deployment options
- SaaS (standard): Hosted by Pauhu Ltd on EU infrastructure. No installation required. Browser-native AI runs locally.
- Dedicated instance: Available for large government customers requiring isolated infrastructure. Contact sales for details.
8. Contact
For government evaluations, security questionnaires, or procurement enquiries:
| Department | Email | Purpose |
|---|---|---|
| Data Protection Officer | dpo@pauhu.ai | GDPR enquiries, data subject requests, DPIA support |
| Security | security@pauhu.ai | Security questionnaires, vulnerability reports, incident contact |
| Sales & Procurement | api@pauhu.eu | Pricing, procurement frameworks, government contracts |