
Scompler AI Security Controls

Scompler AI is built on the same security foundations as the rest of the Scompler platform, with additional controls specific to how we operate AI features. AI processing runs entirely within the European Union on AWS Bedrock, customer data is never used to train models, and all outputs remain under human editorial control.

 

Architecture and data residency

Scompler AI runs on AWS using Amazon Bedrock with EU-only Inference Profiles. Requests are routed only within the European Union, and customer content is processed in the AWS Region used for inference. No data leaves the EU during AI processing.

Scompler uses standard foundation models provided by AWS Bedrock (Amazon Nova and Anthropic Claude). We do not train or fine-tune our own models. Data is encrypted in transit via TLS 1.3 and at rest with AES-256.

 

Sub-processors

AWS is the only sub-processor involved in handling AI requests. AWS Bedrock does not store, log, or share customer inputs or outputs, and no third-party model providers receive or process this data.

 

Data sent to AI processing

Depending on the active feature, the following content can be passed to AWS Bedrock for AI inference: topics, stories and articles and their properties; content strategy, personas and content models; object attachments and uploaded documents; and free-text input entered by users in the AI assistant.

The system does not restrict what a user enters into the AI assistant. Personal data can technically be included in prompts if users enter it manually. We recommend avoiding personal data in AI prompts. The customer remains responsible for the lawfulness of all data entered into the AI.

 

Model training and tenant isolation

AWS Bedrock does not store or log prompts and completions, does not use them to train any models, and does not share them with third parties. AWS documents this commitment in the Bedrock data protection guide.

Within the Scompler platform, the row-level security approach used across the product also applies to AI features. Each user can only access the data rows they are authorized to view or interact with, and AI requests are scoped to those same permissions. Cross-customer data access is architecturally prevented.

 

Retention of prompts, outputs and logs

AI prompts and outputs sent to AWS Bedrock are not stored or logged by AWS. Retention at the model provider level is effectively zero days.

Within the Scompler platform, AI conversation history is stored to support product functionality such as continuing an existing conversation. This data is stored in the EU (Frankfurt, Germany) and remains available until the associated entity (e.g., topic, story, article) is deleted. Once that entity is removed, the related AI conversation data is also deleted.

 

Audit logs for AI usage

AWS Bedrock does not store or log prompts or outputs, so no model-level audit logs are generated at the AWS layer.

Within the Scompler platform, AI usage is recorded as part of the standard product audit trail. These events capture who performed an action, when it occurred, and what type of AI function was used. Prompts and outputs are not included in audit logs; conversational content remains within the relevant conversation and follows its retention rules.

 

Data handling at contract end

All customer data stored in the Scompler platform is deleted within 30 days after the contract end date, or after an agreed data export handover, whichever comes first. Customers can export their data at any time before termination, and we recommend doing so before the contract ends.

At the AWS Bedrock layer, no additional deletion step is required, as prompts and outputs are not stored at any point.

 

Protection against prompt injection and adversarial attacks

Protection is implemented at multiple layers.

At the model level, Amazon Nova and Anthropic Claude include built-in alignment and safety mechanisms designed to resist adversarial inputs and instruction-override attempts. These protections are always active.

At the infrastructure level, all model access is API-only via AWS Bedrock. There is no direct model access or exposure of model files, which significantly limits the attack surface.

At the application level, Scompler AI can only access data within the requesting user's existing permissions. All outputs are presented as drafts subject to human review, and no autonomous actions are executed.

Model and data poisoning are not applicable, as Scompler does not train or fine-tune custom models.

 

Safeguards against toxic or inappropriate output

Amazon Nova and Anthropic Claude include built-in content safety systems covering categories such as hate speech, sexual content, violence and self-harm. These are always active. Scompler is also evaluating additional configurable safeguards as part of its ongoing security management process.

 

EU AI Act Article 50(2)

Article 50(2) of the EU AI Act requires that outputs of generative AI systems be marked in a machine-readable format and detectable as artificially generated.

Scompler uses foundation models provided by AWS and Anthropic via AWS Bedrock and does not develop or fine-tune its own AI models. We therefore rely on these providers to implement the technical mechanisms required by Article 50(2), such as metadata-based tags, invisible watermarking, and C2PA specifications for visual media. For text generation, which is the current focus of Scompler AI, both AWS and Anthropic prioritise transparency through their AI service cards and voluntary safety commitments.

Article 50(2) also includes an exemption for AI systems that perform an assistive function for standard editing or do not substantially alter the input data. Scompler AI operates strictly as an assistive tool, with all outputs subject to human review and editorial control, so its use falls within the scope of this exemption.

 

Alignment with responsible AI practices

Scompler is not formally certified against a specific AI standard. We align our development and deployment practices with widely accepted responsible-AI principles and the current state of the art:

  • Human in the loop by design: Scompler AI is strictly assistive; users initiate actions and retain full control.
  • Permission-bounded operation: Scompler AI can only access or create data within the requesting user's existing permissions.
  • Transparency: we communicate how Scompler AI works and aim for predictable, explainable interactions.
  • Use of reputable foundation model providers (AWS and Anthropic) who themselves align with major frameworks.
  • Continuous evaluation: we monitor system behaviour and update our practices as technology and standards evolve.

 

Service level and resiliency

Scompler AI is covered by the same SLA as the main Scompler platform: 99.5% availability per calendar month, multi-AZ AWS deployment for redundancy, encrypted backups, and planned maintenance windows announced at least 48 hours in advance. Full SLA documents are available in German and English at https://scompler.com/en/terms-and-conditions/.

 

Incident management

Security incidents affecting AI features follow the same structured incident management process used across the Scompler platform, governed by our ISO 27001-certified ISMS. Incidents can be reported through the support chat or via support@scompler.com, and data breaches are handled in line with GDPR notification obligations.