© 2026 OSOS/Omega. All rights reserved.

Omega version: 0.1.0

Certificates and Security Notes

Product: OSOS / Omega

Provider: Osos AI GmbH, Cosimastraße 121, 81925 Munich, Germany

Effective Date: 30.04.2026

Version: 1.0

Relationship to other documents: These notes are an annex to the EULA and, together with the TOM annex of the DPA and the AI Data Policy, set out in concrete terms the security and compliance measures implemented by the Provider.

> Note: This document serves to transparently inform about the status, scope, and verifiability of the standards listed. The inclusion of a standard does not constitute an independent contractual guarantee beyond the scope of services agreed in the Main Agreement, unless expressly indicated otherwise ("Status" entries).


1. Overview

| Standard / Norm | Status | Scope | Type of Evidence |
|---|---|---|---|
| ISO/IEC 27001 (ISMS) | [certified / in preparation] | Cloud platform, development and operations organization | Certificate of an accredited body |
| ISO/IEC 27017 (Cloud Security) | [addressed / certified / planned] | Cloud provision | Statement of Applicability |
| ISO/IEC 27018 (PII in Public Cloud) | [addressed / certified / planned] | Cloud provision | Statement of Applicability |
| ISO/IEC 27701 (PIMS, GDPR extension) | [certified / in preparation] | Privacy Information Management | Certificate |
| ISO/IEC 42001 (AI Management System) | [certified / in preparation] | AI management, AI components of OSOS / Omega | Certificate |
| SOC 2 Type II (Trust Services Criteria) | [report available / in preparation] | Cloud platform | Audit report (on request / NDA) |
| TISAX® (Automotive Information Security) | [Label / AL2 / AL3 / in preparation] | Automotive customers, processing of sensitive content | TISAX label in ENX portal |
| BSI C5 (Cloud Computing Compliance Criteria Catalogue, Germany) | [Type 1 / Type 2 / in preparation] | Cloud provision in EU/DE | Audit report |
| EU AI Act (Reg. (EU) 2024/1689) | addressed | AI components | Conformity documentation, see AI Data Policy |
| GDPR / BDSG | addressed | Processing of personal data | DPA, ROPA, TOM |

> The currently valid versions of certificates, audit reports, and statements are available in the Provider's Trust Center at [Link Trust Center] or are made available on request after conclusion of an NDA.


2. Notes on Individual Standards

2.1 ISO/IEC 27001 – Information Security Management System (ISMS)

ISO/IEC 27001 specifies requirements for an established Information Security Management System. The Provider operates its ISMS based on this standard; the scope of application includes the development, operation, and provision of the OSOS / Omega Cloud Software and the associated support and professional services processes.

Essential components are: risk analysis and treatment, security policies, asset management, access controls, cryptography, physical security, operations and communications security, supplier management, incident management, business continuity, and regular internal and external audits.

2.2 ISO/IEC 27017 and ISO/IEC 27018

ISO/IEC 27017 extends ISO 27001 with cloud-specific security controls. ISO/IEC 27018 supplements measures for the protection of personal data (PII) in public cloud environments. Both standards are taken into account in the Provider's Statement of Applicability; the hyperscalers used hold corresponding certifications themselves.

2.3 ISO/IEC 27701 – Privacy Information Management System (PIMS)

ISO/IEC 27701 extends ISO 27001/27002 with requirements for a privacy management system and represents recognized evidence of GDPR conformity at the organizational level.

2.4 ISO/IEC 42001 – AI Management System

ISO/IEC 42001 is the first international standard for management systems in the field of artificial intelligence. It addresses the responsible development and provision of AI systems, including risk management, transparency, explainability, human oversight, bias management, and continuous improvement.

The Provider operates its AI Management System according to ISO/IEC 42001; the scope is the AI components of OSOS / Omega. Detailed rules can be found in the AI Data Policy.

2.5 SOC 2 Type II

SOC 2 (Service Organization Control 2) Type II is a US audit standard according to AICPA. The report attests to the operating effectiveness of the controls over an observation period (generally 6–12 months) along the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

The Provider provides SOC 2 Type II reports to interested customers upon request and after conclusion of an NDA.

2.6 TISAX® – Trusted Information Security Assessment Exchange

TISAX® is the industry standard for information security established by the automotive industry (ENX Association / VDA-ISA). It addresses in particular the protection of confidential information, prototype protection, and data protection in the supply chain.

The Provider strives for — or holds — a TISAX label at the assessment level relevant for its risk and data classification profile (typically AL2 or AL3). The label is — subject to ENX publication release by the customer — visible in the ENX portal.

2.7 BSI C5 (Cloud Computing Compliance Criteria Catalogue)

The C5 catalogue, published by the German Federal Office for Information Security (BSI), is the established requirements catalogue for cloud providers in Germany and the EU public sector. The audit takes the form of an auditor's attestation according to IDW PS 951 (Type 1: design / Type 2: effectiveness over a period).

2.8 EU AI Act

Regulation (EU) 2024/1689 (EU AI Act) governs the placing on the market and use of AI systems in the EU. The Provider documents the conformity of OSOS / Omega according to the respective risk classification and provides, for high-risk use cases at the Licensee's side, the relevant provider documentation upon request (e.g. according to Art. 11, 13 AI Act). Details can be found in the AI Data Policy, Section 10.

2.9 GDPR / BDSG

For the processing of personal data on behalf of the Licensee, the Data Processing Agreement (DPA) including the TOM annex and the subprocessor list applies. In all other respects, the requirements of GDPR and BDSG are addressed by the ISMS / PIMS.


3. Hosting, Processing Regions, and Subprocessors

3.1 Hosting

The Cloud Software is hosted in certified data centers that comply at least with the requirements of the aforementioned standards. The default hosting region for customers headquartered in the EEA is the European Union (typically Frankfurt/Germany and/or other EU locations; see Order Form or Trust Center for specifics).

3.2 EU-only Configuration

Upon request, and where available, processing can be restricted to EU resources ("EU Data Boundary"). This must be agreed in the Order Form.

3.3 Subprocessors

The current list of all subprocessors (incl. AI subprocessors, hosting, monitoring, support tools) is available at [Link Subprocessor List]. Notification and objection rights arise from the DPA.


4. Core Security Mechanisms (excerpt)

The following list supplements the measures described in the TOM annex to the DPA:

  • Encryption in transit (TLS 1.2+, mTLS for internal connections) and at rest (AES-256);
  • Identity and access management with Single Sign-On (SAML 2.0, OIDC), enforced MFA, role-based authorization concept (RBAC), and granular audit logs;
  • Tenant separation (multi-tenant) and — on demand — single-tenant or private-cloud deployment;
  • Management of cryptographic keys in a dedicated Key Management System; optionally customer-managed keys upon agreement;
  • Backup and disaster recovery concept with defined RPO/RTO, regular restore tests, and — where appropriate — geo-redundant storage;
  • Vulnerability and patch management, regular penetration tests, and a bug bounty program or responsible disclosure procedure;
  • Secure Software Development Lifecycle (SSDLC) with static and dynamic code analysis, dependency scanning, and code review;
  • Employee onboarding with commitment to data secrecy and confidentiality, regular awareness and data protection training;
  • 24/7 monitoring of security-relevant events, documented incident response procedure with defined escalation paths;
  • AI-specific protective measures: input sanitization, output filtering, protection against prompt injection, allow/deny lists, model-specific monitoring (see AI Data Policy).

5. Industry-Specific Notes (informative)

OSOS / Omega supports engineering processes according to common industry-specific standards. The following list serves as orientation; an independent tool qualification ("Tool Confidence Level") is not performed by the Provider unless separately agreed (cf. EULA Section 17).

  • Automotive: Automotive SPICE, ISO 26262 (Functional Safety), ISO/SAE 21434 (Cybersecurity Engineering), IATF 16949;
  • Aerospace: DO-178C, DO-254, ARP4754A;
  • Medical Devices: IEC 62304, ISO 13485, ISO 14971;
  • Railway: EN 50128, EN 50657;
  • Industrial: IEC 61508.

To support tool qualification processes, the Provider provides relevant documentation (e.g. Tool Operational Requirements, Use Cases, test protocols) on request and against remuneration.


6. Currentness and Changes

The status and scope of the certificates, audits, and conformity evidence listed here are regularly updated. The current version of this document and the underlying evidence is available via the Provider's Trust Center.

Material changes to the certification status are communicated to Licensees with an active Main Agreement by suitable means (e.g. Trust Center update, email to designated contact persons).


7. Contact and Trust Center

  • Trust Center: [Link Trust Center]
  • Security contact: [security@provider.com]
  • Privacy contact: [privacy@provider.com]
  • Vulnerability Disclosure: [security.txt / Link]
  • Postal address: [Provider GmbH, Address]