"The all-in-one AI platform for businesses — Turnkey, Secure & GDPR-compliant"
Omnifact is a B2B AI platform for the secure use of generative AI in businesses. It combines team chat with multiple LLM providers, document-based AI assistants via Spaces, integrations, API access, privacy filters, role/team management, and optional enterprise deployment up to on-premise. The platform is clearly focused on data sovereignty, compliance, and integration into enterprise IT.
Omnifact
Location: Germany (Omnifact GmbH, Hansaallee 154, 60320 Frankfurt am Main, Germany)
Spaces API / Self-Hosted LLMs / BYOK: for enterprise integrations, internal knowledge assistants, your own model infrastructure, and controlled model usage.
Target audience
Omnifact is clearly aimed at companies, public authorities, and other organizations with increased needs for data protection, traceability, and controllable AI usage. The platform is particularly well suited for IT, data protection, compliance, specialist departments, knowledge work, public administration, as well as regulated industries such as the financial and healthcare sectors. Through its Pro and Enterprise structure, Omnifact addresses both small to medium-sized teams and large organizations with complex infrastructure and governance requirements.
Outstanding features
The most important differentiating features are the Privacy Filter™ for automatic masking of sensitive data, Spaces as document-based AI assistants built on internal knowledge, multi-LLM support with control over providers and models, BYOK, API access, integrations with OneDrive, SharePoint, and Google Drive, as well as role-based administration with SSO/SCIM. In addition, Omnifact offers web browsing, image generation, document analysis, and publishable Spaces as API endpoints for external applications.
Main use cases
Omnifact is particularly strong in internal knowledge management, research across company documents, secure team chats, policy-aligned assistance in regulated environments, creating and revising business texts, document comparison, and AI-supported integration into existing enterprise systems. Via Published Spaces and the Public API, specialized assistants can also be integrated into websites, Slack bots, or internal tools.
Usage & notes
Omnifact is not a typical consumer tool, but a structured business platform. The data protection assessment in particular depends on the specific setup: SaaS hosting in Germany/EU is well documented, but external LLM providers can also be integrated depending on team settings. Note also that although the Privacy Filter provides strong protection by default, it is automatically disabled for Published Spaces accessed via API, which must therefore be deliberately secured.
| Target audience | Assessment |
|---|---|
| SMEs / Teams | Very suitable – for secure AI chat, internal knowledge spaces, model access, and controlled team usage. |
| Large enterprises | Very suitable – due to SSO, on-premise option, self-hosted LLMs, BYOK, usage analytics, and enterprise controls. |
| Privacy-conscious EU companies | Very suitable – Omnifact cites GDPR compliance, ISO 27001, hosting in Germany, and EU data residency. |
| IT and AI teams | Very suitable – for centralized model control, LLM selection, Privacy Filter, Spaces API, and controlled AI rollout. |
| Private individuals | Rather unsuitable – Omnifact is clearly geared toward business and enterprise use. |
Hosting & Data
1) On-prem / local hosting
Meaning: The company operates the solution on its own hardware or within its own infrastructure. In the strictest sense, not only the application runs locally, but ideally the model as well.
2) Private cloud / data center
Meaning: The solution runs in a dedicated or more clearly separated cloud environment, often with a hosting provider or hyperscaler, but in a German data center or in a particularly controlled environment.
3) EU SaaS / managed
Meaning: The provider operates the solution itself as a service. The company uses the tool as a ready-made cloud service, ideally with EU data residency.
4) Hybrid
Meaning: One part of the processing remains internal / local / in a private cloud, while another part runs in an external cloud or EU SaaS.
5) AVV / DPA
Meaning: This is the data processing agreement or Data Processing Addendum. It governs that the provider processes personal data on behalf of the customer and is bound by the customer's instructions.
6) No training
Meaning: The provider does not use your prompts, uploads, attachments, chat histories, or outputs for training or improving the general model — ideally excluded by contract.
7) Open-source / transparency path
Meaning: There is a path toward greater technical transparency and sovereignty, for example through:
- open models
- documented components
- self-hostable parts
- traceable architecture
- export / switching options
| Criterion | Status |
|---|---|
| On-prem / local hosting | ✅ |
| Private cloud / data center | ✅ |
| EU SaaS / Managed | ✅ |
| Hybrid | ⚠️ |
| DPA / AVV | ✅ |
| No training on customer data | ✅ |
| Open source / transparency path | ⚠️ |
On-Prem / local hosting: covered
The website mentions 'On-premise or EU cloud', 'Deployable anywhere Managed, own cloud or on-premise' as well as optional 'Air-gapped deployment'. This clearly demonstrates local or customer-side hosting.
Private cloud / data center: covered
Omnifact mentions EU cloud options, own cloud, as well as examples such as IONOS and Open Telekom Cloud. This means a separated, controlled cloud/data center deployment in Europe is explicitly intended.
EU SaaS / Managed: covered
The website mentions 'GDPR-compliant hosting', 'Hosted in Germany', customer data processing in Azure Germany West Central (Frankfurt), and EU-hosted models. This clearly documents a managed EU SaaS variant.
Hybrid: partial
A hybrid path can be inferred from the website because Omnifact can integrate custom, fine-tuned, or self-hosted models while also offering managed platform / EU hosting options. However, a standard architecture explicitly described as 'hybrid' is not specifically described on the website.
DPA / AVV: covered
A DPA/AVV is directly available on the website. The DPA page describes a data processing agreement pursuant to Art. 28 GDPR and explains that it becomes effective upon confirmation during registration.
No training: covered
The website explicitly states 'We never use your data to train our models' and that user data is not used for model training. In addition, the Privacy Filter describes that sensitive data is anonymized before external model processing.
Open-source / transparency path: partial
There is a clear transparency and sovereignty path via self-hosted, proprietary, and open-source models; a whitepaper covers the operation of self-operated open-source LLMs, and the platform can integrate proprietary or self-hosted models. However, the website does not describe an open-source release of the Omnifact platform itself; therefore only partial.
Data processing
According to the website, customer data is processed on the Omnifact platform in Microsoft Azure in Frankfurt. Before data is passed on to external models, a Privacy Filter is applied that detects sensitive information and replaces it with placeholders. Model access is provided through providers that can be enabled organization-wide; additionally, EU-hosted model options are mentioned. The subprocessor directory and the DPA document which external providers may be involved and where third-country risks exist from the perspective of EU/EEA data protection.
Conclusion
For users in the EU/EEA, according to the information on its own website, Omnifact is overall well positioned for GDPR-compliant use, especially via EU SaaS in Frankfurt or via on-premise / private cloud deployment. Particularly strong points are the DPA, documented subprocessors, EU data residency options, no-training statement, and ISO 27001 certification. Limitations arise where customers deliberately enable model providers that are non-European or offer weaker data protection; Omnifact itself points out these risks.
Sources
- https://omnifact.ai/de
- https://omnifact.ai/de/dpa
- https://omnifact.ai/dpa
- https://omnifact.ai/privacy
- https://docs.omnifact.ai/de/platform/core-features/privacy-security/how-privacy-filter-works
- https://docs.omnifact.ai/en/platform/core-features/privacy-security/introduction
- https://omnifact.ai/pricing
- https://omnifact.ai/de/models
- https://omnifact.ai/de/whitepapers/self-hosting-llms-on-premise-enterprise-ai
Strengths & weaknesses at a glance
| Strengths | Weaknesses |
|---|---|
| • Strong focus on GDPR, data protection, and enterprise governance | • Primarily geared toward companies; usually overkill for private individuals |
| • Company headquarters and data storage in Germany/EU documented | • The current pricing page shows only Pro and Enterprise; no traditional permanent free version is apparent |
| • Privacy Filter™ masks sensitive information before transfer to external AI models | • Many enterprise features such as custom LLMs/API keys, SSO, SLAs, Spaces API, on-premise, and a dedicated account manager are Enterprise features |
| • Support for multiple LLM providers such as OpenAI, Anthropic, Google, Mistral, and proprietary models | • Data protection depends heavily on the configuration and the enabled LLM provider; some providers may involve third-country risks or lack DPA coverage |
| • Spaces for internal knowledge databases and RAG-based assistants | • The Privacy Filter can limit useful responses if identity-relevant information is masked and not released via Click to Reveal |
| • On-premise, EU cloud, private cloud, and optional air-gapped deployment documented | |
| • DPA publicly available; ISO/IEC 27001:2022 certification documented according to the DPA | |
GDPR-compliant usage possible?
Omnifact presents several building blocks on its own website for GDPR-compliant use throughout the EU/EEA: DPA pursuant to Art. 28 GDPR, hosting of customer data in Microsoft Azure in the Germany West Central region (Frankfurt), EU-hosted model options, privacy filters to reduce external data sharing, a documented subprocessor register, as well as self-hosting/on-premise options. Since on-premise, private cloud, and EU hosting are also expressly offered, a straightforward path to GDPR-compliant use is clearly described. As a limitation, Omnifact itself points out that for certain activatable providers and US-related subprocessors, additional assessments pursuant to Art. 44 et seq. GDPR may be necessary depending on the configuration.
Positive
Particularly positive are the DPA that becomes effective automatically upon registration, the documented data processing in Frankfurt, the option for EU-hosted models via Google Vertex AI in the 'europe-west' region, the statement 'We never use your data to train our models', the self-hosting/on-premise deployment up to and including air gap, as well as the ISO/IEC 27001:2022 certification.
Negative
A limiting factor is that Omnifact itself points out possible third-country risks on its own website: for subprocessors headquartered in the USA, US access cannot be ruled out despite EU data storage. In addition, for certain activatable providers such as Groq, it is explicitly noted that currently no DPA is provided and use therefore takes place under the customer's own responsibility. GDPR compliance therefore depends in part on the specific provider and hosting configuration selected.
Server location
For customer data on the Omnifact platform, the website states Microsoft Azure, Germany West Central region (Frankfurt). In addition, the website mentions EU-hosted models via Google Vertex AI with hosting in the 'europe-west' region. Furthermore, Omnifact promotes EU cloud, private cloud, and on-premise; other specific data center locations are only partially specified on the website.