// Trust & Security Report
Dixa ApS
Agentic Customer Service Platform
Certifications held
3
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on dixa.com“SOC 2 Type II is an extensive auditing process that requires organizations to follow rigorous policies regarding the secure handling of their clients' data consistently over time. While Type I is a point-in-time audit, the Type II report continuously evaluates and verifies an organization's compliance with the AICPA's Trust Services Criteria over an extended period.”
Verify on app.vanta.com“Reports visible in Vanta trust portal: SOC 2 Type II 2024, SOC 2 Type II 2025, SOC 2 Type II 2026”
Verify on dixa.com“Dixa ensures that the main storage of Customer Personal Data is located in the European Union. As part of the Agreement, Dixa requires the Customer to enter into a Data Processing Agreement.”
> Show 3 unconfirmed / not-held certifications
source: dixa.comNo direct claim of ISO 27001 certification found on vendor's own domain. DPA references ISO 27701 and ISAE 3000 DK-GDPR as acceptable audit evidence from third parties, but Dixa does not itself claim ISO 27001.
source: dixa.comStripe handles our payments and credit card data. Stripe is a level 1 PCI Service Provider, which is the highest level of certification for payment services. Dixa itself does not store or process payment card data.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
EU (primary: AWS Ireland / eu-west-1; daily backup in a second EU physical location)
No explicit policy statement found regarding whether customer conversation data is used to train AI models. The privacy policy (last updated Nov 25, 2021, predating all current AI features) contains a broad 'Development' clause: 'Information is used to analyze usage trends and preferences... to develop new products, services, feature, and functionality.' Dixa routes AI processing through Azure OpenAI (Microsoft) and Anthropic as sub-processors; enterprise tiers of both providers do not train on customer data by default, but Dixa's own contract terms with end customers do not explicitly state this protection. Customers should request confirmation via the Dixa AI Product and Security Questionnaire available on the trust portal.
// Security controls
Data hosting
AWS EMEA SARL (Luxembourg entity); primary storage in Ireland (eu-west-1); daily backup to a second EU physical location
dixa.comEncryption in transit
HTTPS/TLS (SSL certificates) for all browser-to-platform communication; also applied to end-customer chat widgets
dixa.comEncryption at rest
Stated via Vanta trust center controls: 'Data encryption utilized'; specific algorithm not publicly disclosed
app.vanta.comAuthentication
Passwordless magic-link login (token expires in 5 minutes); SSO available on Prime/enterprise tier
dixa.comPenetration testing
Annual external penetration tests conducted; reports for 2024 and 2025 available on Vanta trust portal (access-gated)
app.vanta.comBug bounty program
None found. No HackerOne or Bugcrowd program identified on vendor's domain or on either platform's directory.
dixa.comAccess controls
Need-to-know principle; production database authentication enforced; production application access restricted per Vanta controls
app.vanta.comIncident response
Critical and Non-Critical Incident Response Process policies published; 48-hour breach notification to customers per DPA; cybersecurity insurance maintained
app.vanta.comBusiness continuity
BCP and Disaster Recovery Plan established and tested; RTO/RPO schedule for core services published on trust portal
app.vanta.comPayment security
All payment card processing offloaded to Stripe (PCI DSS Level 1). Dixa does not store card data.
dixa.comAI sub-processors
Microsoft Ireland (Azure OpenAI / ChatGPT) for linguistic analytics; Anthropic Ireland for AI model capabilities; ElevenLabs for speech processing; Langfuse for LLM workflow management
dixa.com// Products & data scope
data: Processes customer conversation content, order data, and backend system data to resolve inquiries. Powered by Azure OpenAI and Anthropic via sub-processor agreements. AI is customer-knowledge-base-driven, not a generic LLM fine-tuned on your data.
Resolves routine inquiries (refunds, tracking, order changes) end-to-end. Operates on chat, email, and WhatsApp. Customers should confirm in writing whether conversation data is used for model improvement.
data: Processes live conversation context to generate reply suggestions, drafts, translations, and sentiment data. Same AI sub-processor chain as Mim.
Agent-facing only; includes Auto-QA conversation scoring. Sentiment and QA data retained for analytics.
data: Stores all inbound/outbound conversation content across chat, email, phone, WhatsApp, and social. Full conversation history retained and linked to customer identity.
End-customer data (PII from conversations) is Customer Data under the DPA; Dixa acts as processor.
data: Processes customer metadata (skill tags, language, VIP status, priority) to route conversations. No NLP/AI model required for routing rules.
Configuration is no-code; routing rules are customer-defined.
data: Aggregates conversation data across all channels for analytics, trend detection, and Auto-QA scoring. Conversation content is analyzed by AI models.
Auto-QA scores conversations against customer-defined QA criteria. Output data stored on Dixa platform.
// What to watch
- Privacy policy last updated November 25, 2021 — predates all current AI features (Mim, Co-Pilot). No AI-specific data-use terms visible in public policy.
- No explicit AI training opt-out or prohibition stated for customer conversation data. Azure OpenAI and Anthropic API defaults protect against training, but Dixa's own policy does not reflect this in customer-facing terms.
- No public bug bounty program found (HackerOne or Bugcrowd). Vulnerability disclosure channel is not publicly listed.
- SOC 2 annual reports and pen-test reports require trust portal access request — not immediately downloadable without registration.
// At a glance
Pricing model
Per-agent/month SaaS subscription (annual billing): Growth ~$89, Ultimate ~$139, Prime ~$179. AI features (Mim agent resolution volume) priced as add-on. No free tier.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Dixa ApS's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
app.vanta.com