// Trust & Security Report

    Dixa ApS logo

    Dixa ApS

    Agentic Customer Service Platform

    Certifications held

    3

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II is an extensive auditing process that requires organizations to follow rigorous policies regarding the secure handling of their clients' data consistently over time. While Type I is a point-in-time audit, the Type II report continuously evaluates and verifies an organization's compliance with the AICPA's Trust Services Criteria over an extended period.

    Verify on dixa.com
    SOC 2 Type II (2024, 2025, 2026 annual reports)
    HELD

    Reports visible in Vanta trust portal: SOC 2 Type II 2024, SOC 2 Type II 2025, SOC 2 Type II 2026

    Verify on app.vanta.com
    GDPR (DPA available)
    HELD

    Dixa ensures that the main storage of Customer Personal Data is located in the European Union. As part of the Agreement, Dixa requires the Customer to enter into a Data Processing Agreement.

    Verify on dixa.com
    > Show 3 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No direct claim of ISO 27001 certification found on vendor's own domain. DPA references ISO 27701 and ISAE 3000 DK-GDPR as acceptable audit evidence from third parties, but Dixa does not itself claim ISO 27001.

    source: dixa.com
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA on any legal or security page reviewed.

    source: dixa.com
    PCI DSS
    NOT CONFIRMED

    Stripe handles our payments and credit card data. Stripe is a level 1 PCI Service Provider, which is the highest level of certification for payment services. Dixa itself does not store or process payment card data.

    source: dixa.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    EU (primary: AWS Ireland / eu-west-1; daily backup in a second EU physical location)

    No explicit policy statement found regarding whether customer conversation data is used to train AI models. The privacy policy (last updated Nov 25, 2021, predating all current AI features) contains a broad 'Development' clause: 'Information is used to analyze usage trends and preferences... to develop new products, services, feature, and functionality.' Dixa routes AI processing through Azure OpenAI (Microsoft) and Anthropic as sub-processors; enterprise tiers of both providers do not train on customer data by default, but Dixa's own contract terms with end customers do not explicitly state this protection. Customers should request confirmation via the Dixa AI Product and Security Questionnaire available on the trust portal.

    // Security controls

    Data hosting

    AWS EMEA SARL (Luxembourg entity); primary storage in Ireland (eu-west-1); daily backup to a second EU physical location

    dixa.com

    Encryption in transit

    HTTPS/TLS (SSL certificates) for all browser-to-platform communication; also applied to end-customer chat widgets

    dixa.com

    Encryption at rest

    Stated via Vanta trust center controls: 'Data encryption utilized'; specific algorithm not publicly disclosed

    app.vanta.com

    Authentication

    Passwordless magic-link login (token expires in 5 minutes); SSO available on Prime/enterprise tier

    dixa.com

    Penetration testing

    Annual external penetration tests conducted; reports for 2024 and 2025 available on Vanta trust portal (access-gated)

    app.vanta.com

    Bug bounty program

    None found. No HackerOne or Bugcrowd program identified on vendor's domain or on either platform's directory.

    dixa.com

    Access controls

    Need-to-know principle; production database authentication enforced; production application access restricted per Vanta controls

    app.vanta.com

    Incident response

    Critical and Non-Critical Incident Response Process policies published; 48-hour breach notification to customers per DPA; cybersecurity insurance maintained

    app.vanta.com

    Business continuity

    BCP and Disaster Recovery Plan established and tested; RTO/RPO schedule for core services published on trust portal

    app.vanta.com

    Payment security

    All payment card processing offloaded to Stripe (PCI DSS Level 1). Dixa does not store card data.

    dixa.com

    AI sub-processors

    Microsoft Ireland (Azure OpenAI / ChatGPT) for linguistic analytics; Anthropic Ireland for AI model capabilities; ElevenLabs for speech processing; Langfuse for LLM workflow management

    dixa.com

    // Products & data scope

    Mim AI AgentAgentic AI / Autonomous Customer Service

    data: Processes customer conversation content, order data, and backend system data to resolve inquiries. Powered by Azure OpenAI and Anthropic via sub-processor agreements. AI is customer-knowledge-base-driven, not a generic LLM fine-tuned on your data.

    Resolves routine inquiries (refunds, tracking, order changes) end-to-end. Operates on chat, email, and WhatsApp. Customers should confirm in writing whether conversation data is used for model improvement.

    AI Co-PilotAI-Augmented Agent Workspace

    data: Processes live conversation context to generate reply suggestions, drafts, translations, and sentiment data. Same AI sub-processor chain as Mim.

    Agent-facing only; includes Auto-QA conversation scoring. Sentiment and QA data retained for analytics.

    Dixa Channels (Unified Inbox)Omnichannel Customer Service

    data: Stores all inbound/outbound conversation content across chat, email, phone, WhatsApp, and social. Full conversation history retained and linked to customer identity.

    End-customer data (PII from conversations) is Customer Data under the DPA; Dixa acts as processor.

    Dixa Conversation EngineWorkflow Automation / Intelligent Routing

    data: Processes customer metadata (skill tags, language, VIP status, priority) to route conversations. No NLP/AI model required for routing rules.

    Configuration is no-code; routing rules are customer-defined.

    Dixa DiscoverAnalytics and Quality Assurance

    data: Aggregates conversation data across all channels for analytics, trend detection, and Auto-QA scoring. Conversation content is analyzed by AI models.

    Auto-QA scores conversations against customer-defined QA criteria. Output data stored on Dixa platform.

    // What to watch

    • Privacy policy last updated November 25, 2021 — predates all current AI features (Mim, Co-Pilot). No AI-specific data-use terms visible in public policy.
    • No explicit AI training opt-out or prohibition stated for customer conversation data. Azure OpenAI and Anthropic API defaults protect against training, but Dixa's own policy does not reflect this in customer-facing terms.
    • No public bug bounty program found (HackerOne or Bugcrowd). Vulnerability disclosure channel is not publicly listed.
    • SOC 2 annual reports and pen-test reports require trust portal access request — not immediately downloadable without registration.

    // At a glance

    Pricing model

    Per-agent/month SaaS subscription (annual billing): Growth ~$89, Ultimate ~$139, Prime ~$179. AI features (Mim agent resolution volume) priced as add-on. No free tier.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Dixa ApS's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    app.vanta.com

    > Browse all vendor trust reports