Gini operates its infrastructure and AI services exclusively on servers in certified data centers in Germany. This systematically prevents data flows to third countries and ensures that sensitive content remains under control at all times.

Data security often sounds like a dry topic with lots of details that hardly anyone knows about. For most people, the only thing that matters is: Is my data secure or not? To ensure this, we go the extra mile: Our processes are audited and certified according to internationally recognized standards. We transparently show what we are doing in terms of infrastructure, certifications, and AI to be a role model at all times and set new standards. This gives you the certainty that data protection is a reality for us.

Server location in Germany – consistent and traceable

Gini operates its infrastructure and AI services exclusively on servers in certified data centers in Germany. All relevant processing steps – from uploading and semantic analysis to extracting relevant data – remain localized in compliance with strict German data protection standards. This systematically prevents data flows to third countries and ensures that sensitive content is always controlled.

This differs significantly from the approach of many companies that rely on international cloud services or external providers. In such cases, it is often no longer transparent in which legal jurisdiction the data is processed and whether authorities outside Europe could gain access to it.
With our approach, we ensure:

  • Legal certainty through the exclusive application of the GDPR and German data protection law.
  • Traceability for partners who need to document their compliance requirements in full.
  • Reliability for end users who want to know that their data is not being copied or processed elsewhere.

The result is an environment that is not only technically secure but also meets the regulatory requirements of banks, insurance companies, and other financial service providers.

Certified processes: ISO 27001 & BSI C5

ISO/IEC 27001: Systematic information security management

ISO 27001 is the globally recognized standard for information security management. It ensures that a company systematically identifies, controls, and regularly reviews risks. In concrete terms, our security processes are not random, but organized according to fixed rules and audited externally.
ISO/IEC 27001 is an internationally recognized information security management system (ISMS) standard. This includes, for example:

  • Formulated security guidelines and role assignments.
  • Risk management processes for identifying and dealing with threats.
  • Technical and organizational measures (e.g., encryption, access controls).
  • Internal audits and management reviews to ensure ongoing effectiveness.
  • Continuous improvement based on recorded security incidents and changes in the environment.

ISO 27001 certification, therefore, means not only selective documentation and control but also a system in place that addresses security risks in a structured manner and is regularly audited by independent, external experts. This creates trust among customers, partners, and regulated institutions in particular. It is clear at all times that security processes are not only implemented but also maintained and improved.

BSI C5: The cloud-specific testing standard with additional depth

The Cloud Computing Compliance Criteria Catalogue (C5) – now further developed as C5:2020 – is a testing and verification methodology tailored to cloud services, initiated by the German Federal Office for Information Security (BSI). It defines minimum requirements for secure cloud use and covers not only generic management processes but also precisely formulated, operationalized security controls for cloud providers, including topics such as:

  • Security organization and access control in the cloud context
  • Operational security and incident management
  • Encryption and data isolation
  • Product and system integrity
  • Requirements for the continuous effectiveness of measures (especially for Type 2 audits)

Important: C5 includes the ISO/IEC 27001 basic criteria as a subset, but supplements them with specifically formulated requirements for cloud services. While ISO 27001 applies across all industries, C5 defines security measures specifically from a cloud provider’s perspective—for example, regarding client separation, data localization, or administrative access in the cloud.

Why the combination of ISO 27001 and BSI C5 is particularly valuable at Gini

  1. Systemic security framework plus cloud-specific operationalization: ISO 27001 creates the management system—in other words, the “how” of security control. BSI C5 ensures that, especially in the case of cloud services, the technical implementation in daily operations is also stringent, traceable, and verified. This is not a problem for many providers, of course.
  2. Continuous effectiveness: Both ISO 27001 and C5 require that security controls function permanently and are regularly reviewed. The difference is that C5 tailors these requirements specifically to cloud operations and provides additional evidence of implementation in everyday life – especially in C5 Type 2 audits, which document ongoing operations over a longer period of time.
  3. Trust among sensitive partners: Banks, insurers, and institutions with regulatory requirements in particular expect verifiable, audited security measures. Combining an established management system (ISO 27001) and special cloud auditing (C5) provides a double, complementary basis of trust.
  4. Transparency and traceability: Both standards require documentation, roles, responsibilities, and regular reviews. This reveals how risks are handled, rather than security remaining a black box.

AI made in Germany

Our AI is continuously learning, exclusively in German high-security data centers. This ensures that no data is transferred abroad and that control is always maintained.
Particularly important: the further development of AI takes place entirely in Germany. This means that not only the processing, but also the training and improvement of the models take place in the same secure environment. This is a decisive advantage for banks and insurance companies, as regulatory requirements such as the GDPR are consistently complied with.
Many international providers develop their models in global environments, often with servers in the US or Asia. Different data protection laws apply there, which can allow third parties to access data. Gini deliberately takes a different approach: We combine state-of-the-art AI research with German legal and security culture.
This creates trust among partners and end customers alike because the AI is not only technically advanced but also based on a local, transparent, and legally compliant infrastructure.

Technology and partnerships you can trust

Our Gini Photo Payment is firmly integrated into the apps of many leading banks, including DKB, Deutsche Bank, comdirect, numerous savings banks, and Volks- und Raiffeisenbanken. Millions of users rely on it every month to pay their bills in a user-friendly and secure manner. Banks are among the most strictly regulated institutions in existence. Before a technology such as our photo payment is integrated into a banking app, it undergoes comprehensive testing in the areas of data protection, security, stability, and compliance. While other providers often market their solutions directly to end customers, Gini works closely with banks and insurers. This means that our technology meets user expectations and the high requirements of regulatory authorities and internal compliance teams.

Transparency instead of a black box

From AI development and platform architecture to operation in certified data centers in Germany, everything at Gini is controlled in-house. Our hosting environments are tested, and our processes are clearly documented and can be traced at any time. You can find more information at https://trust.gini.net/ in the document “About Our Cloud Service For Our Customers.”
Where external services are used, they are exclusively provided by data center operators in Germany. These services are verifiably GDPR-compliant, work according to tested security standards, and are legally secured by data processing agreements. This ensures transparency at all times regarding where data is processed, who has access to it, and how security is guaranteed.
For us, this means no black box, but a clear, verified framework that banks, insurance companies, and millions of end customers understand and can trust.

Michael Poprat

Senior Operational Excellence Manager, Information Security Officer, Data Protection Coordinator
