SOVEREIGN AI INFRASTRUCTURE
Security & Compliance
The Foundation of Sovereign AI
Enterprise AI without enterprise security is not enterprise AI. Numero6 is architected with security and compliance as foundational design requirements, not as controls added after deployment. The result is an AI infrastructure model designed to help organizations adopt advanced inference capabilities while maintaining clear operational boundaries, documented controls, and predictable governance standards.
Data residency and sovereignty
All inference, storage, and data processing take place on servers physically located in European data centres. No component of the Numero6 stack routes customer data through infrastructure subject to non-European jurisdiction, which supports customers that must keep processing activity within a clearly defined European legal and operational perimeter. For organizations operating in the European Union, this architecture can form part of a GDPR compliance strategy, including processor obligations under Article 28, data protection by design under Article 25, and the international transfer restrictions set out in Chapter V.
No training on customer data
Numero6 operates strictly as an inference service. Customer prompts, documents, and outputs are not collected, aggregated, or reused for model training, fine-tuning, or platform improvement beyond the immediate service delivery required to process each request. This separation is intended to give customers a clear operating model: their data is used to serve their workload, and not to improve a shared model estate for other parties. Numero6 also states that this commitment is contractually enforceable, which is an important point for procurement, legal review, and internal risk assessment.
Tenant isolation
Each customer environment is provisioned as a fully isolated virtual machine with dedicated GPU resources. There is no logical or physical sharing of compute, memory, or storage between tenants, which helps preserve clear separation between workloads and reduces dependency on multi-tenant resource contention models. In practical terms, Numero6 positions this as an environment in which one customer workload cannot observe or influence the workloads of another customer.

Encryption
All data in transit is encrypted using TLS 1.3. Customer storage volumes are encrypted at rest using per-tenant encryption keys, and management interfaces and API endpoints are available only through authenticated, encrypted channels. Framed together, these controls present encryption not as a single feature, but as a baseline requirement applied across transport, storage, and administrative access.
Access control
Open WebUI provides role-based access control at multiple levels of granularity, including platform administration, model access, knowledge base access, tool permissions, and API key management. Numero6 also notes support for integration with enterprise identity providers through LDAP, OAuth 2.0, and OIDC for single sign-on scenarios. This gives customers a way to align AI platform access with existing identity and governance practices rather than creating a separate access model that must be administered in isolation.

EU AI Act readiness
From August 2026, the EU AI Act introduces new requirements for documentation, risk assessment, and auditability in high-risk AI systems. Numero6 is designed to support these obligations through activity logging, human oversight mechanisms, and documented data governance. Rather than treating compliance as an afterthought, the platform provides an architectural foundation that helps customers operate within a regulated European framework.
Compliance frameworks supported
Numero6 is designed to support organizations operating under established European regulatory and sector-specific frameworks, including GDPR, the EU AI Act, and the NIS2 Directive. Its architecture is built to align with core requirements around data protection, operational resilience, security governance, and confidentiality, where these apply to the customer’s deployment context. For sector-specific environments, this includes support for HIPAA-aligned data handling in healthcare, MiFID II and DORA considerations in financial services, and confidentiality-sensitive use cases in legal settings.