Trust center
Unplex is built for legal and compliance professionals who cannot afford data leaks, cross-border transfers, or AI training on confidential content. Every architectural decision we make starts with your clients’ data staying yours.
Our data guarantee
- Tenant Isolation. Your data is never available to other customers
- EU/EEA data residency. No transfers to entities outside Switzerland or the EU/EEA
- Zero AI training. Your prompts and completions are never used to train AI models.
- No third-party enrichment. Your data is never used to improve any third-party service.
Compliance
BRAO & BGFA
GDPR & DSG
FINMA
ISO 27001
Controls
Updated 23.02.2026
Infrastructure security
Capacity management
Password policy enforced
Data encryption utilized
Data and privacy
Capacity management
Password policy enforced
Data encryption utilized
Organizational security
Capacity management
Configuration management
Data encryption utilized
Product security
Capacity management
Configuration management
Data encryption utilized
Internal security procedures
Password policy enforced
Configuration management
Data encryption utilized
Subprocessors
Infomaniak
Cloud Infrastructure
Switzerland
Microsoft
LLM provider
EU/EEA
Amazon Web Services
LLM provider
EU/EEA
DeepL
LLM provider
EU
Controls
Infrastructure security
CONTROLS
STATUS
Capacity management
The use of resources are monitored and adjusted in line with current and expected capacity requirements.
Password policy enforced
The company requires passwords for in-scope system components to be configured according to the company's policy.
Configuration management
Configurations, including security configurations, of hardware, software, services and networks are established, documented, implemented, monitored and reviewed.
Information security for use of cloud services
Processes for acquisition, use, management and exit from cloud services are established in accordance with the organization's information security requirements.
PII transmission controls for processor
The company encrypts PII in transit.
PII transmission controls for controller
The company implements technical controls to ensure data transmitted to third parties reaches its destination.
Data encryption utilized
The company's datastores housing sensitive customer data are encrypted at rest.
Remote access encrypted enforced
The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.
Data transmission encrypted
The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.
Information transfer
Information transfer rules, procedures, or agreements are in place for all types of transfer facilities within the organization and between the organization and other parties.
Use of cryptography
Rules for the effective use of cryptography, including cryptographic key management, are defined and implemented.
Logging
Logs that record activities, exceptions, faults and other relevant events are produced, stored, protected and analysed.
Monitoring activities
Networks, systems and applications are monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
Organizational security
CONTROLS
STATUS
Continuity and Disaster Recovery plans
The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.
ICT readiness for business continuity
ICT readiness is implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
Information backup
Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
Planning of Changes
When the organization determines the need for changes to the information security management system, the changes are carried out in a planned manner.
Installation of software on operational systems
Procedures and measures are implemented to securely manage software installation on operational systems.
Change management
Changes to information processing facilities and information systems shall be subject to change management procedures.
Access revoked upon termination
The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.
Information security roles and responsibilities
Information security roles and responsibilities shall be defined and allocated according to the organization needs.
Segregation of duties
Conflicting duties and conflicting areas ofresponsibility shall be segregated.
Screening
Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis, proportional to the business requirements and classification of information accessed.
Screening
Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis, proportional to the business requirements and classification of information accessed.
Responsibilities after termination or change of employment
Information security responsibilities and duties that remain valid after termination or change of employment are defined, enforced and communicated to relevant personnel and other interested parties.
Confidentiality or non-disclosure agreements
Background verification checks on all candidates to become personnel are carried out prior to joining the organization and on an ongoing basis, proportional to the business requirements and classification of information accessed.
Product security
CONTROLS
STATUS
Incident response policies established
The company has security and privacy incidentresponse policies and procedures that are documented and communicated toauthorized users.
Addressing information security within supplier agreements
Relevant information security requirements are established and agreed with each supplier based on the type of supplier relationship.
Information security incident management planning and preparation
The organization planw and prepares for managing information security incidents by defining, establishing and communicating information security incident management processes, roles andresponsibilities.
Assessment and decision on information security events
The organization assesses information security events and decides if they are to be categorized as information security incidents.
Response to information security incidents
Information security incidents shall be responded to in accordance with the documented procedures.
Learning from information security incidents
Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.
Collection of evidence
The organization shall assess information security events and decide if they are to be categorized as information security incidents.
Information security during disruption
The organization has established a plan how to maintain information security at an appropriate level during disruption.
Information security event reporting
The organization provides a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.
Equipment maintenance
Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.
Network firewalls utilized
The company uses firewalls and configures them to prevent unauthorized access.
Segregation of networks
Groups of information services, users and information systems shall be segregated in the organization's networks.
Internal security procedures
CONTROLS
STATUS
Resources
The organization determines and provides the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.
Information security in project management
Information security is integrated into project management.
Privacy impact assessment
The organization performs a privacy impact assessment for processing or changes to processing, which represent a high risk to the rights and freedoms of data subjects.
General actions to address risks and opportunities
The organization considers risks and opportunities when planning for the ISMS, and plans actions to address them, integrates them into ISMS processes, and evaluates their effectiveness.
Information security risk assessment
The organization defines and applies an information security risk assessment process establishing risk criteria, identifying and analysing risks, and evaluating them against acceptance criteria.
Information security risk treatment
The organization defines and applies an information security risk treatment process, selects treatment options, determines controls, produces a Statement of Applicability, formulates a treatment plan, and obtains risk owner approval.
Information security risk assessment (periodic)
The organization performs information security risk assessments at planned intervals or when significant changes are proposed or occur.
Information security risk treatment (documented results)
The organization retains documented information of the results of the information security risk treatment.
Infomaniak
Cloud Infrastructure
Data and privacy
CONTROLS
STATUS
Data transmission encrypted
The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.
Remote access encrypted enforced
The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.
Data encryption utilized
The company's datastores housing sensitive customer data are encrypted at rest.
Sub-Processors
For each sub-processor that we use, we apply the principles of least privilege. This means that each third-party system shall only have access to the minimum data required to fulfill its purpose.