Security & Assurance
High-level summary of Omilia’s security architecture
Encryption
All data communications are secured using industry-standard TLS/SSL encryption to protect data in transit. Sensitive data at rest is encrypted with strong, industry-standard algorithms, and cryptographic keys are managed following secure, documented procedures. Furthermore, during data processing, encryption and access controls are applied to data in use, with logical separation maintained between tenants to prevent any cross-customer data exposure.
Network Defense
Omilia protects its internal network with firewalls, perimeter control devices, and strict Network Access Control (NAC), ensuring only compliant devices connect. Remote access requires strong passwords and Multi-Factor Authentication (MFA). All endpoints and servers are protected by centrally monitored anti-malware software. Security monitoring, daily log reviews, and near-real-time alerts are in place, supported by a formal protocol for incident investigation, documentation, and escalation.
Access Controls
Omilia ensures robust access control through formal procedures for assigning, modifying, or revoking user access rights, all of which are documented and approved. We utilize Role-Based Access Control (RBAC) to enforce the “need-to-know” principle, limiting users to only the information required for their job.
Compliance & Governance
Certifications: Omilia is certified under ISO 27001:2022 and SOC 2 Type II, and aligns with PCI-DSS for payment data.
Annual risk and vulnerability assessments are conducted, with controls updated to address new threats. Security controls undergo internal and external audits, and findings are promptly remediated.
Data Protection & Privacy
This section details how different categories of personal data are handled.
- Data Processing Agreement (DPA)
- Subprocessors
- Privacy Notice: www.omilia.com and ocp.ai
- Cookies Policy: www.omilia.com and ocp.ai
- Candidates Privacy Policy
AI & Ethical Governance
Omilia is committed to leveraging the power of Artificial Intelligence to build exceptional SaaS products and optimize our operations. This policy outlines our fundamental commitment to the responsible, lawful, and ethical use of all AI technologies across our organization, ensuring we build and deploy systems that are beneficial, safe, and aligned with global standards of governance and risk management.
Purpose and Commitment
Our goal is to promote AI-driven innovation while rigorously mitigating the inherent risks associated with the development, deployment, and use of AI systems. We are guided by and committed to aligning with the spirit and requirements of applicable global frameworks and standards, including, but not limited to:
- ISO/IEC 42001:2023 (AI Management System)
- ISO/IEC 5338:2023 (AI System Lifecycle)
- The EU AI Act (particularly concerning high-risk applications)
- The NIST AI Risk Management Framework
Our Core AI Guiding Principles
Every AI system and its application at Omilia must strictly adhere to the following core ethical and operational principles throughout its entire lifecycle:
| Principle | Omilia’s Commitment and Action |
|---|---|
| 1. Transparency & Explainability | We ensure clear documentation of all AI systems’ logic, data sources, and intended purpose. Users must be informed when they are interacting with an AI system, and we will strive to provide meaningful explanations for significant automated decisions. |
| 2. Accountability & Governance | Clear owners are assigned and held responsible for each AI application, including its performance, compliance, and risk profile. We maintain a formal governance process to review, approve, and audit all AI deployments. |
| 3. Fairness & Non-Discrimination | We actively implement measures to prevent, detect, and mitigate bias and discriminatory outcomes. AI systems must treat similarly situated individuals and groups equitably and comply with all anti-discrimination laws. |
| 4. Privacy & Security | We guarantee compliance with all applicable data protection and privacy laws (e.g., GDPR, CCPA). We ensure robust security controls are applied to all AI training and inference data, upholding secure processing and data minimization. |
| 5. Human Oversight & Safety | AI systems are designed to augment human decision-making, not replace it, especially in critical or high-stakes use cases. A human-in-the-loop is required to cross-check content, validate data, and exercise final judgment over outputs that significantly impact users or operations. |
Risk Management and Compliance
Omilia approaches AI deployment with a proactive, risk-based methodology. All new AI systems and use cases undergo a formal risk assessment aligned with the NIST AI RMF to identify potential risks related to safety, bias, data quality, and security. Any AI system identified as “High-Risk” (as defined by applicable regulation) is subject to heightened scrutiny, rigorous testing, and mandatory pre-deployment regulatory review and audit. We employ ongoing monitoring of deployed AI systems to detect performance degradation, drift, unexpected outcomes, and potential compliance violations.
Customer Data Processing and AI Training at Omilia
Omilia views customer data as a confidential asset. Our data architecture and contractual agreements are designed to provide customers with the highest level of assurance regarding the integrity, security, and dedicated use of their data within our AI services. We operate on a strict principle of data minimization and client segregation when utilizing customer data within our AI systems. We do not use one client’s proprietary data for any other client’s AI model improvement.
Corporate & Social Compliance
Omilia Whistle-blowing Policy: Speaking Up for Integrity
Omilia is committed to maintaining the highest standards of integrity, transparency, and ethical conduct across our global operations. This policy provides a framework for the timely and confidential reporting of serious concerns (whistleblowing) regarding potential illegal, unethical, or improper activities within our company.
Who Can Report?
Protection and the right to report under this policy extend broadly to include:
- Current, former, and potential Omilia employees.
- Contractors, consultants, self-employed persons, and trainees (paid or unpaid).
- Shareholders and members of administrative, management, or supervisory bodies.
- Any person working under the supervision of Omilia’s contractors or suppliers.
What to Report
Whistleblowing is the intentional disclosure of actual, potential, or expected significant irregularities, violations, or punishable acts concerning Omilia employees or executives.
These breaches include, but are not limited to, violations concerning:
- Financial crimes (e.g., money laundering, fraud, breaches affecting EU financial interests).
- Public health, product safety, and transport safety.
- Protection of privacy, personal data, and security of network systems.
- Breaches of corporate tax rules, competition, or bribery laws (including venality and influence peddling).
- Corruption or serious unethical behaviour.
Whistleblower Protection and Guarantees
The basic and inviolable principle of this policy is the protection and confidentiality of the whistleblower.
Confidentiality and Anonymity
- Confidentiality: Omilia is committed to protecting the anonymity and confidentiality of the reporter’s identity.
- Encouraged Disclosure: While anonymous allegations are examined based on their merits, we encourage individuals to identify themselves. This greatly facilitates thorough investigation, as it allows the Officer to request clarifying information.
- Legal Limits: The revelation of a whistleblower’s identity will only occur if required by a court or legal procedure, and the whistleblower will be notified if possible.
Protection from Retaliation
Omilia commits to protecting any whistleblower who makes a disclosure in good faith from any retaliatory actions concerning their current position or future professional development.
Whistleblowing Process: How to Report
A. Internal Reporting Channel
Concerns can be submitted via our dedicated and secure mailbox, which supports both identified and anonymous reporting:
| Internal Reporting Channel | Email Address |
|---|---|
| Omilia Whistleblowing Mailbox | [email protected] |
To facilitate investigation, your disclosure should clearly include:
- The facts giving rise to the suspicion/concern.
- Reference to names, dates, documents, and locations, if available.
- The reason for submitting the disclosure.
Note: The disclosure itself is not expected to constitute proof, but providing all available information is encouraged.
→ For Omilia Cyprus contracted Omilians: Notice regarding the processing of personal data in the context of whistleblowing channel operation
→ For Omilia Greece contracted Omilians: Notice regarding the processing of personal data_whistleblowing scheme_GR.docx
B. The Reporting Officer
A dedicated Officer for Receipt and Follow Up on Reports (the “Officer”) is responsible for:
- Receiving the report and confirming receipt within seven (7) days.
- Performing an initial assessment and assigning the case for investigation.
- Informing the reporter about the actions taken within a reasonable timeframe, not exceeding three (3) months.
- Ensuring the confidentiality of all involved parties.
C. Data Security and Retention
All personal data collected during the whistleblowing process is handled in strict accordance with applicable personal data protection laws. Data is:
- Stored securely with encryption and access controls.
- Accessible only to authorized personnel involved in the investigation.
- Deleted within 30 days of case closure, unless legally required otherwise.
D. External Reporting Option
If a whistleblower reasonably believes their report cannot be effectively addressed internally (e.g., due to a conflict of interest) or if there is a risk of retaliation, they have the option to report directly to an external competent authority.
- In Greece, this authority is the National Transparency Authority (NTA):
  - Website: https://aead.gr/en/contact-us-en/
  - The NTA accepts reports electronically, in writing, or orally via phone or face-to-face meeting.
In Cyprus, depending on the nature of the breach, competent authorities may include:
- the Cyprus Police or the Attorney General (for criminal offences),
- the Independent Authority Against Corruption (for corruption-related matters), or
- the Office of the Commissioner for Personal Data Protection (for personal data matters).
Accessibility: WCAG Statement
Omilia is committed to providing an accessible website experience for all users. Our website is partially conformant with the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA, meaning some parts of the content may not fully meet the accessibility standard. We welcome your feedback and encourage you to contact us at [email protected] if you encounter any accessibility barriers. We aim to respond within 10 business days. This statement was last updated on 28 May 2025.
Responsible innovation & Inclusion statement
We are committed to responsible innovation and ethical business practices—designing our AI solutions to be inclusive, accessible, and non-discriminatory, in line with the EU AI Act, the European Accessibility Act (EAA), the Web Content Accessibility Guidelines (WCAG), and the General Data Protection Regulation (GDPR). We do not tolerate discrimination of any kind and ensure that all employees are treated with dignity, fairness, and respect, regardless of gender, age, race, religion, disability, sexual orientation, or any other protected characteristic. Our business is guided by the principles of transparency, accountability, and social responsibility.
Data Subject Rights Request Process: Your Data, Your Rights
Omilia respects your fundamental rights regarding your personal data. This page outlines how you can exercise the rights granted to you under the General Data Protection Regulation (GDPR), ensuring a transparent and reliable process for accessing, modifying, or deleting your information.
1. How to Submit a Data Subject Rights Request (DSAR)
We have established a dedicated, secure channel for you to exercise your rights.
| Request Channel | Email Address |
|---|---|
| Data Protection Officer (DPO) Request Submission | [email protected] |
In all cases, we must be able to verify your identity to proceed.
2. Our Procedure and Response Timeline
We adhere to strict regulatory guidelines to ensure your request is handled promptly and securely:
| Step | Detail |
|---|---|
| Verification | We must first confirm your identity. We may request proof (such as a certified copy of a National ID or Passport) to ensure we share data only with the rightful owner. We cannot act on a request if we cannot establish your identity. |
| Initial Response | We will respond to your request without undue delay and within a maximum of one month from receipt. |
| Complexity Extension | For complex or numerous requests, we may extend the response time by up to two additional months. If this happens, we will inform you of the delay and the reasons within the initial one-month period. |
| Cost | Generally, all responses to requests are provided free of charge. We will only charge a reasonable fee or refuse a request if it is considered “manifestly unfounded or excessive.” |
| Rejection and Appeal | If we decline your request, we will inform you of the reason(s) for the rejection and advise you of your right to lodge a complaint with the relevant supervisory authority. |
3. Your Rights Under the GDPR
As a data subject, you have the following key rights concerning the personal data Omilia holds about you:
- Right of Access (DSAR): You have the right to ask if we process your data, receive a copy of that data, and be informed about the purposes, categories of data, recipients, and retention periods.
- Right to Rectification: You can request that we correct inaccurate personal data or complete incomplete data we hold about you.
- Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data when it is no longer necessary for the purpose it was collected, or if you withdraw consent (subject to legal exceptions).
- Right to Restriction of Processing: You can request that we limit how we process your data, for example, while we investigate its accuracy or if you contest its processing legality.
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where technically feasible.
- Right to Object: You can object to processing based on our legitimate interests or for direct marketing purposes (in which case we must stop processing immediately).
- Rights related to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing (including profiling) that significantly affects you, and to insist on human intervention.
- Right to Withdraw Consent: If we process your data based on your consent, you have the right to withdraw that consent at any time.
4. Note for Customer Data (Omilia as a Processor)
In many cases, Omilia acts as a Data Processor, meaning we process data on behalf of our customer (the Data Controller). This means:
Omilia will assist our customer (the Data Controller) in responding to your request according to the terms of our contract with them, but the ultimate responsibility for the response lies with the Data Controller.
If you are a customer of an Omilia client (e.g., your bank or telecom provider), your request must be directed to that company (the Data Controller) first.