INFO SEARCH9.3 h / wk per worker · McKinsey·WORK ABOUT WORK60% of work time · Asana 2024·ITALIAN SMBs · STRUCTURED AI6.9% (10-249 emp.) · Anitec-Assinform 2025·AI PROJECTS · SMB vs LARGE8% vs 71% · Polimi 2025·AI ACT ART. 50 · APPLICABLE2 Aug 2026 · EU 2024/1689·GARANTE FINE · CAREGGI€80,000 · Provv. 474/2025·MAX AI ACT FINES€35M or 7% turnover · art. 99·ITALIAN AI MARKET 2024€900M · +38.7% YoY · Anitec·INFO SEARCH9.3 h / wk per worker · McKinsey·WORK ABOUT WORK60% of work time · Asana 2024·ITALIAN SMBs · STRUCTURED AI6.9% (10-249 emp.) · Anitec-Assinform 2025·AI PROJECTS · SMB vs LARGE8% vs 71% · Polimi 2025·AI ACT ART. 50 · APPLICABLE2 Aug 2026 · EU 2024/1689·GARANTE FINE · CAREGGI€80,000 · Provv. 474/2025·MAX AI ACT FINES€35M or 7% turnover · art. 99·ITALIAN AI MARKET 2024€900M · +38.7% YoY · Anitec·INFO SEARCH9.3 h / wk per worker · McKinsey·WORK ABOUT WORK60% of work time · Asana 2024·ITALIAN SMBs · STRUCTURED AI6.9% (10-249 emp.) · Anitec-Assinform 2025·AI PROJECTS · SMB vs LARGE8% vs 71% · Polimi 2025·AI ACT ART. 50 · APPLICABLE2 Aug 2026 · EU 2024/1689·GARANTE FINE · CAREGGI€80,000 · Provv. 474/2025·MAX AI ACT FINES€35M or 7% turnover · art. 99·ITALIAN AI MARKET 2024€900M · +38.7% YoY · Anitec·
LemniaBUSINESS
IT·ENRequest a pilot
TRUST CENTER · 2026 COMPLIANCE

Defensible posture, exportable for the DPO.

AI Act art. 50, GDPR, NIS2 D.Lgs. 138/2024, Garante Provv. 474/2025. Per-niche DPIA pre-signed, BLAKE3-signed processing register, automatic export of GDPR Art. 30 artifacts.

AI ACT ART. 50

Transparency obligations, by design.

EU Reg. 2024/1689 Art. 50 enters into force on 2 August 2026. The transparency obligations apply to every AI system used in the EU: human-machine interaction disclosure, synthetic-content marking, biometric-recognition disclosure, deep-fake labelling.

Lemnia is classified as a limited-risk AI system. Every dossier, every report and every voice answer carries an AI-generation footer. Every query is logged in a BLAKE3-signed processing register, exportable for the auditor or the court. Strict-pack outputs (dunning, quotation, supplier-risk brief) admit no hedging; hedged-pack outputs (customer dossier, business-knowledge dossier) use a per-pack whitelist of marker phrases.

NIS2 D.LGS. 138/2024

Cybersecurity surface, ready for the ACN audit.

  • Access log

    Every login, every dossier read, every report export captured with timestamp, device id and user attribution. Exportable per the access-log schema published by Agenzia per la Cybersicurezza Nazionale.

  • Patch management

    Lemnia engine updates ship signed (Ed25519). Update cadence: critical security ≤ 24h, regular ≤ 14d. Verifier shows the patch chain back to the binary on disk.

  • Separation of duties

    Tenant-scoped RBAC inherited from the source systems. Admin role is distinct from DPO role is distinct from operator role. Action attribution preserved in the signed register.

  • BCP / DR

    Local backup of the graph store + blob store run nightly to a tenant-controlled volume. Restore-test artefacts surfaced quarterly via report R10.

PER-NICHE DPIA

Pre-signed template, tailored by sector.

Lemnia ships a per-niche DPIA template (Garante Provv. 467/2018 schema) pre-filled with the data flows, retention windows, sub-processor list, and the risk-mitigation measures specific to the sector — manufacturing, distribution, services, professional studios, e-commerce.

The DPO reviews and signs. No drafting from scratch. The signed DPIA enters the company's GDPR Art. 30 documentation set, alongside the BLAKE3-signed processing register that Lemnia exports on demand.

SIGNED PROCESSING REGISTER

BLAKE3 per query, exportable on one click.

Every interrogation Lemnia handles enters an append-only log. Each entry carries: timestamp, tenant id, operator id, query text (or voice transcription), retrieval graph path, source citations, output text, model hash. The entire entry is sealed BLAKE3.

Export formats: PDF (signed) for the auditor, JSON-LD (signed) for the DPO's records system, CSV (signed) for spreadsheet review. The register satisfies GDPR Art. 30 record-of-processing requirements and the evidentiary standard suggested by Tribunale di Siracusa 338/2026.

SUB-PROCESSOR LIST

Empty by design — except cloud-burst (Pro mode).

Lemnia in its default deployment (T1 standalone, T2 LAN, T3 sovereign on-prem) has no sub-processors. Data never leaves the customer's hardware. The sub-processor list is empty.

When the customer opts in to cloud-burst (Pro mode, ingest + long-generation only), the sole sub-processor is the EU-hosted GPU provider (currently RunPod EU; migration to Hetzner SEV-SNP planned per CST.91). Each cloud-burst batch requires explicit per-batch consent, captured in the signed register.

CERTIFICATIONS

ISO 27001 + SOC 2 Type II — in progress.

Lemnia s.r.l. has begun the ISO/IEC 27001:2022 certification process with a Stage-1 audit scheduled for Q3 2026 and Stage-2 for Q1 2027. SOC 2 Type II observation window opens Q2 2026 with a 12-month observation closing Q1 2027.

Interim assurance: full Trust Center pack (sub-processor list, security policies, key-rotation policy, retention schedule, audit-log sample) available under mutual NDA. Contact: dpo@lemnia.app.

FOUNDER PROGRAM · LIMITED SEATS

Lemnia working on a real company's data.

A 30-minute demo, tailored to your industry. Lemnia composes a real customer's dossier, cites the sources line by line, and shows the signed register ready for the DPO.

Request a pilotDownload the technical dossier