[
  {
    "vendor": "Microsoft",
    "product_or_stack": "Microsoft 365 Copilot / Copilot Studio",
    "category": "Work-AI Platform",
    "memory_forms": "RET;FLOW;ORCH;DOC-partial;REL-via-Graph",
    "reifegrad": "4",
    "primary_fit": "M365 default work context, Microsoft Graph, Copilot activity history, agents",
    "deployment_public": "SaaS; EU Data Boundary for M365 Copilot; ADR/Multi-Geo; exceptions for Anthropic subprocessors noted",
    "eu_de_notes": "Strong for existing M365 governance, but high default lock-in risk; Anthropic models are outside the EU Data Boundary per Microsoft page",
    "privacy_security_public": "GDPR; EU Data Boundary; no foundation model training on prompts/responses/Graph data; Purview retention/search; Teams Export APIs",
    "portability_notes": "Exports exist for some activity history, but semantic portability of agent memory/evals/workflows unclear",
    "mitbestimmung_risk": "high",
    "overall_risk": "medium",
    "claim_status": "primary-source",
    "source_urls": "https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy",
    "open_questions": "Copilot Studio agent traces; export of agent memory; subprocessor details; Betriebsrat implications for user activity history"
  },
  {
    "vendor": "Google",
    "product_or_stack": "Google Gemini Enterprise",
    "category": "Work-AI Platform",
    "memory_forms": "RET;DOC-partial;FLOW;ORCH;MULTI",
    "reifegrad": "3",
    "primary_fit": "Workspace and cross-suite enterprise AI, agents, connectors, NotebookLM Enterprise",
    "deployment_public": "SaaS; Standard/Plus with data residency, VPC-SC, CMEK, Access Transparency claims",
    "eu_de_notes": "Interesting if Google Cloud governance is strong; less natural default in M365-heavy DE companies",
    "privacy_security_public": "Data security and sovereignty features claimed; compliance examples HIPAA/FedRAMP; details edition-dependent",
    "portability_notes": "Portability of agents, indexed data, traces and memories unclear",
    "mitbestimmung_risk": "medium-high",
    "overall_risk": "medium",
    "claim_status": "primary-source",
    "source_urls": "https://cloud.google.com/gemini-enterprise",
    "open_questions": "DPA/subprocessors; exact EU residency; export of agent designer logs; connector data handling"
  },
  {
    "vendor": "Glean",
    "product_or_stack": "Glean Work AI Platform",
    "category": "Work-AI Platform",
    "memory_forms": "RET;REL;FLOW;ORCH",
    "reifegrad": "4",
    "primary_fit": "Enterprise search, Enterprise Graph, Personal Graph, Work AI agents",
    "deployment_public": "SaaS; single-tenant; customer cloud possible; regions AMER/EMEA/APAC claimed",
    "eu_de_notes": "Strong platform, strong lock-in potential; relevant where enterprise search is strategic",
    "privacy_security_public": "SOC/GDPR/HIPAA claims; single-tenant; enforced permissions; zero-retention model provider agreements; sensitive-content policies",
    "portability_notes": "Portability of Enterprise Graph, Personal Graph, agent traces and feedback unclear",
    "mitbestimmung_risk": "high",
    "overall_risk": "medium-high",
    "claim_status": "primary-source",
    "source_urls": "https://www.glean.com/; https://www.glean.com/security",
    "open_questions": "Trust Center details; DPA; subprocessor list; export semantics for graphs and personal context"
  },
  {
    "vendor": "deepset",
    "product_or_stack": "Haystack / Haystack Enterprise Platform",
    "category": "Sovereign AI / RAG / IDP / Agents",
    "memory_forms": "RET;DOC;ORCH;MULTI;REL-partial;FLOW-partial",
    "reifegrad": "4",
    "primary_fit": "Controlled RAG, IDP, agents, Text-to-SQL, open-source foundation",
    "deployment_public": "Cloud; VPC; on-premise; air-gapped; any environment claims",
    "eu_de_notes": "Strong DE/EU candidate due to sovereignty positioning and deployment flexibility",
    "privacy_security_public": "SOC 2 Type II; ISO 27001; GDPR; HIPAA; CSA Star Level 1 claimed",
    "portability_notes": "High potential portability via open-source Haystack and modular architecture, but project-specific",
    "mitbestimmung_risk": "medium",
    "overall_risk": "low-medium",
    "claim_status": "primary-source",
    "source_urls": "https://www.deepset.ai/",
    "open_questions": "Detailed enterprise DPA/subprocessors; export of platform configs/evals/traces; concrete EU hosting commitments"
  },
  {
    "vendor": "Langfuse",
    "product_or_stack": "Langfuse",
    "category": "LLM Observability / Evals",
    "memory_forms": "FLOW",
    "reifegrad": "4",
    "primary_fit": "Tracing, prompt management, evaluation, metrics, audit, retention/masking/deletion",
    "deployment_public": "Cloud US/EU/JP; self-hosted OSS; self-hosted enterprise; air-gapped",
    "eu_de_notes": "Very strong DE/EU control layer, especially self-hosted or EU region",
    "privacy_security_public": "SOC 2 Type II; ISO 27001; GDPR; DPA; EU region eu-west-1; data retention/masking/deletion",
    "portability_notes": "Good due to OSS/self-hosting; trace/eval export still needs technical validation",
    "mitbestimmung_risk": "high if personenbezogene traces",
    "overall_risk": "low-medium",
    "claim_status": "primary-source",
    "source_urls": "https://langfuse.com/security",
    "open_questions": "Exact export formats; enterprise audit logs; Betriebsrat template for traces and feedback"
  },
  {
    "vendor": "LangChain",
    "product_or_stack": "LangSmith",
    "category": "LLM Observability / Evals / Agent Platform",
    "memory_forms": "FLOW;ORCH",
    "reifegrad": "3",
    "primary_fit": "Agent tracing, evals, monitoring, deployment, SmithDB",
    "deployment_public": "Cloud offering stores data in GCP us-central-1; Enterprise BYOC/self-host possible",
    "eu_de_notes": "Powerful but DE/EU depends heavily on BYOC/self-hosting; US cloud otherwise sensitive",
    "privacy_security_public": "HIPAA; SOC 2 Type 2; GDPR claimed; Trust Center referenced",
    "portability_notes": "Self-host/BYOC improves control; portability of traces/evals needs review",
    "mitbestimmung_risk": "high if cloud with personenbezogene traces",
    "overall_risk": "medium",
    "claim_status": "primary-source",
    "source_urls": "https://www.langchain.com/langsmith/observability; https://docs.langchain.com/langsmith/home",
    "open_questions": "EU region availability; DPA; subprocessor; export formats; self-host contractual model"
  },
  {
    "vendor": "Elastic",
    "product_or_stack": "Elasticsearch / Elastic AI",
    "category": "Search / Observability / Context Engineering",
    "memory_forms": "RET;FLOW;ORCH-partial;MULTI-partial",
    "reifegrad": "4",
    "primary_fit": "Open search, hybrid retrieval, logs, workflows, model-agnostic AI stack",
    "deployment_public": "Cloud; self-managed; on-premise; air-gapped claims in security material",
    "eu_de_notes": "Strong infrastructure candidate where existing Elastic skills exist; not a complete memory solution",
    "privacy_security_public": "Security/compliance not fully captured in this pass; open/self-managed architecture relevant",
    "portability_notes": "Strong data ownership if self-managed; product-specific agent artifacts need review",
    "mitbestimmung_risk": "medium",
    "overall_risk": "low-medium",
    "claim_status": "primary-source",
    "source_urls": "https://www.elastic.co/security",
    "open_questions": "Exact licensing; cloud region; agent builder data; export of workflows and traces"
  },
  {
    "vendor": "Weaviate",
    "product_or_stack": "Weaviate Cloud / Weaviate Agents",
    "category": "Vector DB / Hybrid Search",
    "memory_forms": "RET;ORCH-partial",
    "reifegrad": "3",
    "primary_fit": "Vector/hybrid search, RAG, agentic AI, dedicated cloud/BYOC",
    "deployment_public": "Shared/dedicated cloud; own VPC; deployment options",
    "eu_de_notes": "EU-based vendor; good retrieval building block, not full memory",
    "privacy_security_public": "SOC 2; HIPAA; privacy; encryption; RBAC; multi-tenancy; backups claimed",
    "portability_notes": "Index/data export and schema portability need technical validation",
    "mitbestimmung_risk": "medium",
    "overall_risk": "low-medium",
    "claim_status": "primary-source",
    "source_urls": "https://weaviate.io/security",
    "open_questions": "DPA/subprocessors; EU region; agent products maturity; export semantics"
  },
  {
    "vendor": "Pinecone",
    "product_or_stack": "Pinecone Vector Database",
    "category": "Vector DB",
    "memory_forms": "RET",
    "reifegrad": "3",
    "primary_fit": "Vector database for RAG and semantic retrieval",
    "deployment_public": "SaaS; private endpoints; CMEK; RBAC; SSO",
    "eu_de_notes": "Strong vector component; US vendor; not full memory",
    "privacy_security_public": "SOC 2 Type II; HIPAA; GDPR-ready; encryption; audit logs",
    "portability_notes": "Portability of embeddings/index metadata must be designed by customer",
    "mitbestimmung_risk": "medium",
    "overall_risk": "medium",
    "claim_status": "primary-source",
    "source_urls": "https://www.pinecone.io/security/",
    "open_questions": "EU region specifics; DPA/subprocessors; export/rebuild process for indexes"
  },
  {
    "vendor": "Qdrant",
    "product_or_stack": "Qdrant Vector Database",
    "category": "Vector DB",
    "memory_forms": "RET",
    "reifegrad": "3",
    "primary_fit": "Vector database, RAG, recommendation, agentic use cases",
    "deployment_public": "Managed Cloud; Hybrid Cloud with data plane in customer infrastructure; Private Cloud air-gapped; self-hosted OSS/enterprise patterns",
    "eu_de_notes": "Strong control story for Hybrid/Private Cloud because customer controls infrastructure and storage; Managed Cloud still needs region/subprocessor review",
    "privacy_security_public": "SOC 2 Type 2 and HIPAA stated; Trust Center; encryption at rest/in transit; RBAC; SSO for Premium; DPA offered for GDPR customers; API keys not stored in plaintext; SBOM and signed images for Hybrid/Private Cloud",
    "portability_notes": "Better than many SaaS-only vector stores if self-hosted or private cloud; export/rebuild of collections, payloads and vectors still requires project-owned validation",
    "mitbestimmung_risk": "medium",
    "overall_risk": "low-medium",
    "claim_status": "primary-source",
    "source_urls": "https://qdrant.tech/documentation/cloud-security/",
    "open_questions": "Managed Cloud EU regions and subprocessors; concrete DPA terms; collection export/rebuild procedure; inference feature data handling"
  },
  {
    "vendor": "Neo4j",
    "product_or_stack": "Neo4j Graph Database / Aura Agent",
    "category": "Knowledge Graph",
    "memory_forms": "REL;RET-via-GraphRAG;ORCH-partial",
    "reifegrad": "4",
    "primary_fit": "Knowledge graphs, graph database, GraphRAG, relationships",
    "deployment_public": "Aura cloud; self-managed deploy anywhere; integrations",
    "eu_de_notes": "Strong for relationship memory; good candidate if graph is explicit asset",
    "privacy_security_public": "Security team; Trust Center; subprocessor list referenced; details not fully fetched",
    "portability_notes": "Graph export possible in principle, but app semantics and Aura Agent artifacts need review",
    "mitbestimmung_risk": "medium",
    "overall_risk": "low-medium",
    "claim_status": "primary-source",
    "source_urls": "https://neo4j.com/security/",
    "open_questions": "Aura regions; DPA/subprocessors; Aura Agent logs/export; EU deployment specifics"
  },
  {
    "vendor": "Graphwise",
    "product_or_stack": "Ontotext GraphDB",
    "category": "Knowledge Graph / Semantic AI",
    "memory_forms": "REL;RET;DOC-partial",
    "reifegrad": "4",
    "primary_fit": "RDF/SPARQL knowledge graph, semantic metadata, GraphRAG, MCP support",
    "deployment_public": "AWS/Azure/GCP/on-premise claimed",
    "eu_de_notes": "Very strong for explicit semantics and standards, good DE/EU fit to investigate",
    "privacy_security_public": "Security details not fully assessed; W3C standards reduce semantic lock-in",
    "portability_notes": "Strong standards portability if modeled well; implementation complexity high",
    "mitbestimmung_risk": "medium",
    "overall_risk": "low-medium",
    "claim_status": "primary-source",
    "source_urls": "https://www.ontotext.com/products/graphdb/",
    "open_questions": "Contract/security docs; EU hosting; DPA/subprocessors; managed-service terms"
  },
  {
    "vendor": "Graphwise",
    "product_or_stack": "PoolParty Semantic Suite",
    "category": "Semantic AI / Taxonomy / Knowledge Graph",
    "memory_forms": "REL;DOC;RET",
    "reifegrad": "4",
    "primary_fit": "Taxonomies, ontologies, semantic search, GraphRAG, SharePoint integration",
    "deployment_public": "Enterprise semantic platform; deployment details pending",
    "eu_de_notes": "Strong DE/EU candidate; EU company; ISO 27001/27701 claims",
    "privacy_security_public": "ISO/IEC 27001:2022 and ISO/IEC 27701:2019; Keycloak; EU-based",
    "portability_notes": "Good semantic portability if taxonomies/ontologies owned by customer",
    "mitbestimmung_risk": "medium",
    "overall_risk": "low-medium",
    "claim_status": "primary-source",
    "source_urls": "https://www.poolparty.biz/",
    "open_questions": "Deployment models; DPA; subprocessor; export of taxonomies/ontologies/config"
  },
  {
    "vendor": "Unstructured",
    "product_or_stack": "Unstructured Data Platform",
    "category": "Document Processing / IDP",
    "memory_forms": "DOC;RET-support",
    "reifegrad": "3",
    "primary_fit": "Parse, chunk, embed, enrich, ETL for unstructured files",
    "deployment_public": "SaaS/API/UI data platform; product pages mention built-in security/compliance and RBAC; deployment/private options not verified",
    "eu_de_notes": "Useful document pipeline, but public security URL returned 404; not enough for low-risk DE/EU claim",
    "privacy_security_public": "Homepage/product pages claim security and compliance built in and role-based access; Trust Portal mentioned in first pass, but security page fetch returned 404",
    "portability_notes": "Structured outputs/pipelines are the portability object; exact export formats, connector state and enrichment artifacts need validation",
    "mitbestimmung_risk": "medium",
    "overall_risk": "medium-high",
    "claim_status": "vendor-claim",
    "source_urls": "https://unstructured.io/; https://unstructured.io/product; https://unstructured.io/security",
    "open_questions": "Trust Portal; DPA; EU region; subprocessors; retention; self-host/private deployment; export formats; connector state portability"
  },
  {
    "vendor": "LlamaIndex",
    "product_or_stack": "LlamaParse / LlamaIndex",
    "category": "Document Agents / Framework",
    "memory_forms": "DOC;RET;ORCH-partial",
    "reifegrad": "3",
    "primary_fit": "Document parsing, extraction, indexing, workflows, developer framework",
    "deployment_public": "LlamaParse SaaS; VPC deployment claimed; LiteParse and LlamaIndex OSS for local/framework use",
    "eu_de_notes": "Functionally strong document-agent layer; public security/legal evidence is thinner than enterprise positioning, so not a low-risk DE/EU default",
    "privacy_security_public": "Homepage claims granular access controls, enhanced encryption, HIPAA, GDPR and SOC2; footer exposes Trust Center, Privacy Notice, Terms and DPA links, but direct DPA/privacy/security fetch returned 404 in this pass",
    "portability_notes": "OSS framework improves architecture portability; SaaS parsing outputs and retention/data handling must be verified before sensitive documents",
    "mitbestimmung_risk": "medium",
    "overall_risk": "medium-high",
    "claim_status": "vendor-claim",
    "source_urls": "https://www.llamaindex.ai/; https://www.llamaindex.ai/llamacloud; https://www.llamaindex.ai/data-processing-addendum",
    "open_questions": "Correct Trust Center/DPA/Privacy URLs; retention; EU region; subprocessors; VPC terms; export of parse/extract/index artifacts"
  },
  {
    "vendor": "Zep",
    "product_or_stack": "Zep / Graphiti",
    "category": "Agent Memory / Temporal Graph",
    "memory_forms": "FLOW;REL;RET",
    "reifegrad": "2",
    "primary_fit": "Agent memory, temporal knowledge graph, context engineering, facts/entities/episodes",
    "deployment_public": "SaaS/docs; Graphiti open source; deployment details pending",
    "eu_de_notes": "Conceptually central for agent memory, but public enterprise security and regional evidence were not found in this pass; use as emerging layer, not as low-risk enterprise recommendation",
    "privacy_security_public": "Docs describe context graphs, user graphs, threads, facts, entities, episodes, fact invalidation and Graphiti OSS; no public security/DPA/EU-region evidence captured",
    "portability_notes": "Graphiti OSS and explicit graph primitives are promising; hosted Zep export semantics and deletion controls need validation",
    "mitbestimmung_risk": "high if user-specific memory",
    "overall_risk": "medium-high",
    "claim_status": "primary-source",
    "source_urls": "https://help.getzep.com/; https://help.getzep.com/llms-full.txt",
    "open_questions": "Security, DPA, EU region, self-hosting, deletion of user-specific memories, export semantics, subprocessors"
  },
  {
    "vendor": "Mem0",
    "product_or_stack": "Mem0",
    "category": "Agent Memory",
    "memory_forms": "FLOW;REL-partial",
    "reifegrad": "2",
    "primary_fit": "Persistent memory infrastructure for agents, memory compression, audit logs",
    "deployment_public": "SaaS; Enterprise pricing lists on-prem deployment, audit logs, custom integrations and SSO; homepage claims Kubernetes, private cloud and air-gapped",
    "eu_de_notes": "Relevant memory layer, but Trust Center was blocked by Vercel 429 and privacy URL returned 404; do not present as fully verified for DE/EU",
    "privacy_security_public": "Homepage claims SOC 2 Type 1, HIPAA, BYOK, zero-trust, governance, audit logs; Enterprise pricing lists audit logs and SSO",
    "portability_notes": "Same API across Kubernetes/private cloud/air-gapped is claimed; actual memory export format and semantic portability unverified",
    "mitbestimmung_risk": "high if personenbezogene memory",
    "overall_risk": "medium-high",
    "claim_status": "trust-center-gated",
    "source_urls": "https://mem0.ai/; https://mem0.ai/pricing; https://trust.mem0.ai/; https://mem0.ai/privacy",
    "open_questions": "Trust Center access; privacy policy URL; DPA; EU region; subprocessors; SOC2 Type2; memory export/deletion; personenbezogene memories"
  },
  {
    "vendor": "Letta",
    "product_or_stack": "Letta / Letta Code",
    "category": "Memory-first agents",
    "memory_forms": "FLOW;ORCH",
    "reifegrad": "1",
    "primary_fit": "Persistent agents, continual learning, model-portable memory, git-based context repositories",
    "deployment_public": "Local/remote agent; deployment details pending",
    "eu_de_notes": "Technically important emerging memory-first agent concept; public enterprise compliance evidence not found; should be framed as frontier signal, not procurement candidate",
    "privacy_security_public": "Public site covers memory-first agents, portability across models, local/remote/device claims, git-based context repositories; no enterprise security/DPA/region evidence captured",
    "portability_notes": "Model-portable memories and git-based context repositories are promising, but enterprise export/audit semantics are unverified",
    "mitbestimmung_risk": "high if deployed broadly",
    "overall_risk": "unknown",
    "claim_status": "primary-source",
    "source_urls": "https://www.letta.com/",
    "open_questions": "Enterprise security, DPA, data flow, hosting, audit, export, deletion, customer-controlled deployment"
  },
  {
    "vendor": "Braintrust",
    "product_or_stack": "Braintrust",
    "category": "LLM Observability / Evals",
    "memory_forms": "FLOW",
    "reifegrad": "3",
    "primary_fit": "Tracing, evals, prompts, scorers, human review, datasets, exports",
    "deployment_public": "SaaS; self-hosted data plane on AWS/GCP/Azure with Braintrust-managed control plane",
    "eu_de_notes": "Strong option where traces/evals must remain in customer cloud/region; control plane metadata and telemetry still require review",
    "privacy_security_public": "Self-hosting docs separate sensitive AI data in customer-controlled data plane; data plane stores experiment records, logs, traces, spans, datasets, prompt completions, human review scores and provider secrets; control plane stores metadata/login/org info; telemetry can be sent back for health/billing/support",
    "portability_notes": "Docs include exports, datasets, API/SDK/CLI and self-hosted data plane; exact export formats still need technical validation",
    "mitbestimmung_risk": "high if personenbezogene traces",
    "overall_risk": "low-medium",
    "claim_status": "primary-source",
    "source_urls": "https://www.braintrust.dev/docs; https://www.braintrust.dev/docs/admin/self-hosting",
    "open_questions": "DPA/subprocessor/public security reports; EU fully hosted region; telemetry defaults; export formats; remote access procedures"
  },
  {
    "vendor": "Arize",
    "product_or_stack": "Arize Phoenix / AX",
    "category": "LLM Observability / Evals",
    "memory_forms": "FLOW",
    "reifegrad": "3",
    "primary_fit": "Phoenix OSS, evals, observability, AI agent reliability",
    "deployment_public": "Phoenix OSS; self-hosting with Docker/Kubernetes/AWS CloudFormation; Phoenix Cloud; Arize AX platform",
    "eu_de_notes": "Phoenix OSS/self-hosting is a strong control pattern for DE/EU traces; Arize AX/Phoenix Cloud enterprise terms still need trust/legal review",
    "privacy_security_public": "Phoenix docs expose self-hosting, RBAC, API keys, secrets, data retention and security/privacy/network security sections; cloud/security claims not deeply fetched",
    "portability_notes": "OSS/OpenInference/OpenTelemetry orientation improves control; cloud export and enterprise retention need validation",
    "mitbestimmung_risk": "high if personenbezogene traces",
    "overall_risk": "low-medium for self-hosted Phoenix; medium for cloud",
    "claim_status": "primary-source",
    "source_urls": "https://arize.com/phoenix/; https://arize.com/docs/phoenix; https://arize.com/docs/phoenix/self-hosting; https://arize.com/docs/phoenix/settings/data-retention; https://arize.com/docs/phoenix/settings/access-control-rbac",
    "open_questions": "Arize AX Trust/Security/DPA; EU region; subprocessors; cloud retention; enterprise support terms"
  },
  {
    "vendor": "Galileo",
    "product_or_stack": "Galileo",
    "category": "LLM Observability / Evals",
    "memory_forms": "FLOW",
    "reifegrad": "2",
    "primary_fit": "AI observability, evals, agent reliability, Protect",
    "deployment_public": "SaaS likely; details pending",
    "eu_de_notes": "Functionally relevant observability/evals layer; public docs showed security navigation but detailed security pages returned 404 in this pass",
    "privacy_security_public": "Docs cover tracing, sessions, multimodal observability, distributed tracing, OpenTelemetry, evals, runtime protection, annotations, projects, access control and SSO in navigation; security details not publicly verified",
    "portability_notes": "Unknown",
    "mitbestimmung_risk": "high if personenbezogene traces",
    "overall_risk": "medium-high",
    "claim_status": "docs-claim",
    "source_urls": "https://docs.galileo.ai/what-is-galileo; https://docs.galileo.ai/security/access-control; https://docs.galileo.ai/security/sso-integration",
    "open_questions": "Correct security docs; DPA; EU region; subprocessors; self-host/BYOC; export; retention; fetchable URL for access-control docs"
  },
  {
    "vendor": "Anthropic",
    "product_or_stack": "Managed Agents / Memory / Dreams",
    "category": "Agent Runtime / Memory",
    "memory_forms": "FLOW;ORCH",
    "reifegrad": "2",
    "primary_fit": "Managed agents, memory stores, dreams, evals, traces",
    "deployment_public": "SaaS/API; details depend on product availability",
    "eu_de_notes": "High strategic relevance, but vendor-controlled memory/orchestration is the risk case",
    "privacy_security_public": "Security/privacy to assess via Anthropic docs; Microsoft notes the Anthropic subprocessor is outside the EU Data Boundary in the Copilot context",
    "portability_notes": "Memory stores/evals/traces portability unclear",
    "mitbestimmung_risk": "high",
    "overall_risk": "medium-high",
    "claim_status": "vendor-claim",
    "source_urls": "https://claude.com/blog/claude-managed-agents; https://platform.claude.com/docs/en/managed-agents/dreams; https://www.anthropic.com/engineering/demystifying-evals-for-ai-agents",
    "open_questions": "Enterprise availability; DPA; EU processing; memory export; eval portability; subprocessor"
  },
  {
    "vendor": "Azure",
    "product_or_stack": "Azure AI Document Intelligence",
    "category": "Cloud Document AI",
    "memory_forms": "DOC;MULTI-partial",
    "reifegrad": "3",
    "primary_fit": "Document extraction, OCR, structured document AI",
    "deployment_public": "Azure cloud; region-dependent",
    "eu_de_notes": "Relevant for document structure in Microsoft/Azure shops",
    "privacy_security_public": "Needs source pass",
    "portability_notes": "Export of structured outputs likely; pipeline ownership customer-dependent",
    "mitbestimmung_risk": "medium",
    "overall_risk": "medium",
    "claim_status": "primary-source",
    "source_urls": "https://learn.microsoft.com/en-us/azure/ai-services/document-intelligence/overview",
    "open_questions": "Fetch product/security docs, data residency, DPA, model training, retention"
  },
  {
    "vendor": "Google",
    "product_or_stack": "Google Document AI",
    "category": "Cloud Document AI",
    "memory_forms": "DOC;MULTI-partial",
    "reifegrad": "3",
    "primary_fit": "Document extraction and parsing",
    "deployment_public": "Google Cloud; region-dependent",
    "eu_de_notes": "Relevant if Google Cloud already governed",
    "privacy_security_public": "Needs source pass",
    "portability_notes": "Pipeline outputs exportable, model/data handling to verify",
    "mitbestimmung_risk": "medium",
    "overall_risk": "medium",
    "claim_status": "primary-source",
    "source_urls": "https://cloud.google.com/document-ai/docs/overview",
    "open_questions": "Fetch product/security docs, data residency, DPA, training, retention"
  },
  {
    "vendor": "AWS",
    "product_or_stack": "AWS Textract / Bedrock Knowledge Bases",
    "category": "Cloud Document AI / RAG",
    "memory_forms": "DOC;RET;MULTI-partial",
    "reifegrad": "3",
    "primary_fit": "Document extraction, managed RAG in AWS ecosystem",
    "deployment_public": "AWS cloud; region-dependent",
    "eu_de_notes": "Relevant for AWS-heavy firms and regulated workloads",
    "privacy_security_public": "Needs source pass",
    "portability_notes": "Customer controls depend on architecture; managed service lock-in possible",
    "mitbestimmung_risk": "medium",
    "overall_risk": "medium",
    "claim_status": "primary-source",
    "source_urls": "https://aws.amazon.com/textract/; https://aws.amazon.com/bedrock/knowledge-bases/",
    "open_questions": "Fetch product/security docs, data residency, DPA, training, retention"
  },
  {
    "vendor": "Salesforce",
    "product_or_stack": "Agentforce",
    "category": "Work-AI / CRM Agent Platform",
    "memory_forms": "REL;FLOW;ORCH;RET-partial",
    "reifegrad": "4",
    "primary_fit": "CRM-centered autonomous agents, Salesforce data/process context, Slack and Customer 360 ecosystem",
    "deployment_public": "Salesforce SaaS; ecosystem/platform deployment details contract-dependent",
    "eu_de_notes": "Must be in scope for any enterprise vendor radar because Salesforce owns critical customer/process context; DE/EU readiness depends on Salesforce contractual setup, Hyperforce/data residency and subprocessors",
    "privacy_security_public": "Product page covers build/deploy/manage agents at scale and integration with Salesforce ecosystem; security/privacy details not deeply fetched in this pass",
    "portability_notes": "High business-process lock-in risk if agent logic, feedback and CRM context remain inside Salesforce ecosystem",
    "mitbestimmung_risk": "high if agents affect sales/service performance or employee workflows",
    "overall_risk": "medium-high",
    "claim_status": "primary-source",
    "source_urls": "https://www.salesforce.com/agentforce/",
    "open_questions": "Trust/DPA/subprocessors; EU data residency; Agentforce traces; agent export; Data 360 semantics; Slack interaction data"
  },
  {
    "vendor": "ServiceNow",
    "product_or_stack": "ServiceNow AI Agents",
    "category": "Work-AI / Workflow Platform",
    "memory_forms": "FLOW;ORCH;REL;RET-partial",
    "reifegrad": "4",
    "primary_fit": "Workflow automation, IT/HR/CRM/service operations, AI Control Tower and process context",
    "deployment_public": "ServiceNow SaaS platform; deployment and region details contract-dependent",
    "eu_de_notes": "Important enterprise workflow layer; high relevance where ServiceNow is the system of work for IT/HR/service. Treat as process-memory platform, not just AI feature",
    "privacy_security_public": "Product page states AI/data/workflows on one platform, AI agents assigned to roles with business context and permissions; Responsible AI and security platform references; detailed trust/legal not fetched",
    "portability_notes": "Process and workflow context can become deep platform dependency; export of agent configs/traces/control tower data needs validation",
    "mitbestimmung_risk": "high if workflows, employee service, IT performance or process mining are involved",
    "overall_risk": "medium-high",
    "claim_status": "primary-source",
    "source_urls": "https://www.servicenow.com/products/ai-agents.html",
    "open_questions": "Trust/DPA/subprocessors; EU region; AI Control Tower data model; agent trace export; process mining personenbezogene Daten"
  },
  {
    "vendor": "Atlassian",
    "product_or_stack": "Rovo",
    "category": "Work-AI / Teamwork Platform",
    "memory_forms": "RET;REL;FLOW;ORCH",
    "reifegrad": "4",
    "primary_fit": "Teamwork Graph, enterprise search, chat, agents, Jira/Confluence/Loom context and connected SaaS apps",
    "deployment_public": "Atlassian Cloud; Data Center connectors sync to cloud for AI features",
    "eu_de_notes": "Strong collaboration-memory candidate in Atlassian-heavy organizations; cloud dependency and graph/context portability are key risks",
    "privacy_security_public": "Rovo page states admin controls, AI deactivation, SOC 2 and ISO 27001 assessment/certifications, restrictive LLM provider policies and subprocessor page reference",
    "portability_notes": "Teamwork Graph and connected context are likely hard to migrate semantically; export of agents/search graph/traces unclear",
    "mitbestimmung_risk": "high if agent actions, productivity flows or collaboration analytics touch employees",
    "overall_risk": "medium",
    "claim_status": "primary-source",
    "source_urls": "https://www.atlassian.com/software/rovo",
    "open_questions": "AI subprocessor details; EU data residency; graph export; Rovo agent logs; connector data handling; retention"
  },
  {
    "vendor": "SAP",
    "product_or_stack": "Joule / Joule Agents / SAP Business AI Platform",
    "category": "Work-AI / ERP Process Platform",
    "memory_forms": "REL;FLOW;ORCH;RET;DOC-partial",
    "reifegrad": "4",
    "primary_fit": "SAP process context, SAP Knowledge Graph, Business Data Cloud, Joule assistants/agents across business functions",
    "deployment_public": "SAP cloud portfolio; SAP tenancy model; details product/contract-dependent",
    "eu_de_notes": "Central for SAP-heavy enterprises because process memory sits near ERP/HCM/procurement/finance; useful in article because it proves the thesis from inside SAP, not outside",
    "privacy_security_public": "SAP page states GDPR compliance, tenant-level data isolation, no customer data stored within Joule, data masking/pseudonymization, SAP global data protection policy",
    "portability_notes": "High semantic lock-in risk if process context, SAP Knowledge Graph grounding and agent workflows remain SAP-internal",
    "mitbestimmung_risk": "high in HR, finance, procurement and workflow automation contexts",
    "overall_risk": "medium",
    "claim_status": "primary-source",
    "source_urls": "https://www.sap.com/products/artificial-intelligence.html",
    "open_questions": "DPA/subprocessors; exact Joule data retention; agent trace export; SAP Knowledge Graph portability; non-SAP connector handling"
  },
  {
    "vendor": "Workday",
    "product_or_stack": "Workday AI / Sana / Agents / Agent System of Record",
    "category": "Work-AI / HCM-Finance Platform",
    "memory_forms": "REL;FLOW;ORCH;RET-partial",
    "reifegrad": "3",
    "primary_fit": "HCM, finance and work graph/agent system in Workday context",
    "deployment_public": "Workday SaaS; AI pages mention Sana, Agent System of Record and Agents; contractual details required",
    "eu_de_notes": "Potentially high DE/EU relevance because HCM/employee data is sensitive; must be treated as high-governance workflow memory",
    "privacy_security_public": "Public AI page fetched; detailed trust/legal/security claims not extracted in this pass",
    "portability_notes": "High lock-in risk where employee, finance and agent-system records sit in Workday",
    "mitbestimmung_risk": "high due to HCM/employee-work context",
    "overall_risk": "medium-high",
    "claim_status": "primary-source",
    "source_urls": "https://www.workday.com/en-us/artificial-intelligence.html",
    "open_questions": "Trust/DPA/subprocessors; EU residency; Agent System of Record export; employee data traces; retention; works council implications"
  },
  {
    "vendor": "Notion",
    "product_or_stack": "Notion AI / Agents / Enterprise Search",
    "category": "Work-AI / Knowledge Workspace",
    "memory_forms": "RET;FLOW;ORCH;DOC-partial",
    "reifegrad": "3",
    "primary_fit": "Workspace-native AI, enterprise search, custom agents, meeting notes, connected apps",
    "deployment_public": "Notion SaaS; Business/Enterprise features; connected apps and web context depending on configuration",
    "eu_de_notes": "Relevant for knowledge-work teams but less core-enterprise than M365/Google/Atlassian; treat as workspace memory with connector and retention risk",
    "privacy_security_public": "Product page states no training on customer data via AI subprocessors, SOC 2 Type 2, ISO 27001, GDPR/CCPA mapped privacy program, TLS encryption, zero data retention with LLM providers for Enterprise and 30 days for non-Enterprise, HIPAA for Enterprise",
    "portability_notes": "Notion pages/databases export separately from AI agents, custom agents, search index and meeting memory; semantic portability unclear",
    "mitbestimmung_risk": "medium-high if meeting notes, agents and search expose employee work patterns",
    "overall_risk": "medium",
    "claim_status": "primary-source",
    "source_urls": "https://www.notion.com/product/ai",
    "open_questions": "AI subprocessor list; EU residency; custom agent export; meeting transcript retention; enterprise search index portability"
  },
  {
    "vendor": "Mistral AI",
    "product_or_stack": "Mistral AI Studio",
    "category": "AI Production Platform / Agent Runtime",
    "memory_forms": "FLOW;ORCH;RET;REL-partial",
    "reifegrad": "3",
    "primary_fit": "Agent runtime, observability, AI registry, evals, datasets, workflow telemetry, deployable AI production platform",
    "deployment_public": "Mistral Cloud; dedicated environments; self-hosted; cloud providers; on-prem/edge/virtual cloud deployment claims",
    "eu_de_notes": "Strong DE/EU candidate to watch because deployable-anywhere, self-hosting and European vendor context align with sovereignty needs; still needs trust/legal review",
    "privacy_security_public": "Product page states privacy by design, full data ownership, state/telemetry control, self-hosting, dedicated environments, data governance, auditability and DPA link in footer",
    "portability_notes": "Page explicitly claims exportable artifacts and unified registry/version control; technical validation still needed",
    "mitbestimmung_risk": "high if traces/workflow telemetry contain personenbezogene work data",
    "overall_risk": "low-medium",
    "claim_status": "primary-source",
    "source_urls": "https://mistral.ai/products/studio",
    "open_questions": "DPA/subprocessors; enterprise security certifications; EU/on-prem terms; export formats; trace retention; audit log access"
  }
]
