ANUNA — TRUST & COMPLIANCE

Last reviewed: May 2026

OVERVIEW

This page is written for the compliance officer, procurement lead, or founder assessing Anuna as a vendor. It documents how we handle your data, where AI sits in our workflow, and which regulatory frameworks govern our practice. We review it quarterly and update it when our practices or applicable regulations change.

Anuna is an Estonian OÜ operating under EU law. Our team is based across France, Germany, the United Kingdom, and Estonia.

WHERE AI IS USED

Previsualisation. Before a single frame is captured or rendered, we use AI tools to plan shots, block compositions, and set lighting. This is a planning layer. Your technical data is not involved.

Colour grading and post-production. AI-assisted tools support colour grading and finishing. They process the output of our creative work, not the inputs you provide us.

Platform analytics. For social and campaign work, AI-powered analytics tools track content performance, audience behaviour, and platform metrics. The data at this layer comes from the platforms, not from you.

WHERE AI IS NOT USED

We do not use generative AI to produce any client-facing deliverable. Films, motion graphics, photography, 3D visualisations, and everything else we deliver are made by our team.

Your technical data never enters our AI pipeline at any stage of production. That covers product specifications, system architecture, CAD files, simulation outputs, and any sensitive operational information you share with us.

DATA HANDLING AND STORAGE

Your data is held on infrastructure matched to your jurisdictional requirements. European engagements default to EU-based storage. US engagements default to US-based storage on infrastructure with the appropriate authorisations for your data type.

Your materials sit on encrypted storage. Access is role-based and fully logged. Backups are encrypted and held under the same jurisdictional terms as the originals.

We retain your materials for the duration of the engagement plus an archival period we agree with you at the outset. When that period ends, your materials are securely deleted.

The specifics, including storage architecture, encryption standards, access controls, and retention terms, are documented in the data processing agreement we sign before any work begins.

SUBPROCESSORS

We use a defined set of third-party tools across our production workflow:

  • Cloud storage and file transfer, jurisdiction-matched to your requirements

  • 3D and motion design software, including Cinema 4D, Blender, Unreal Engine 5, and Unity

  • Post-production tools, covering editorial, colour, and finishing suites

  • Platform analytics tools, used for social and campaign work only, never on your technical data

  • Communication and project management infrastructure

A current list of subprocessors is available on request. If we make any material change to that list during your engagement, we give you 30 days' written notice before the change takes effect.

REGULATORY FRAMEWORKS

We structure our workflow around your compliance environment. The sections below cover the jurisdictions where our current and prospective clients are based. If your jurisdiction is not listed, raise it during onboarding and we will document the framework we will work under.

EU BASELINE

Every engagement with a client based in an EU Member State sits within the following framework:

GDPR. Governs all personal data we process in connection with your work. We act as a data processor on your behalf, with the specific terms set out in a data processing agreement.

EU AI Act. Article 50 transparency obligations apply to providers and deployers of generative AI from 2 August 2026, with a three-month transitional period for systems already on the EU market before that date, following the May 2026 Digital Omnibus agreement. Because every client-facing deliverable we produce is human-made, our work does not fall within the scope of Article 50 labelling and marking obligations for AI-generated content.

EU Dual-Use Regulation 2021/821. Governs export, brokering, technical assistance, transit, and transfer of dual-use items. The most recent Annex I update, Delegated Regulation 2025/2003, entered into force on 15 November 2025. We are aware of how this regulation interacts with the technical content we may handle and structure our workflow accordingly.

NIS2 (Directive 2022/2555). Member State transposition is uneven as of May 2026. Germany's implementation entered into force on 6 December 2025; France's implementing law remains in parliamentary process. Where you are classified as an essential or important entity under your national NIS2 transposition, our work is structured to support your obligations on supply chain risk management and incident reporting.

EU Classified Information (EUCI). Where an engagement touches EUCI at RESTREINT UE / EU RESTRICTED, CONFIDENTIEL UE / EU CONFIDENTIAL, or higher, we work to the Programme Security Instructions and Commission Decision (EU, Euratom) 2015/444. For RESTREINT UE / EU RESTRICTED material handled on our communication and information systems, we work to the minimum requirements set out in Annex D of the standard EDF Programme Security Instruction. Higher classification levels require a Facility Security Clearance from the relevant National Security Authority, granted via bilateral coordination with our Estonian competent authority.

FRANCE

Defence classification. Information classified at the national level falls under Interministerial General Instruction No. 1300 (IGI 1300 / SGDSN / PSE / PSD, 9 August 2021), administered through ANSSI and SGDSN. The 2021 reform of national defence secrecy established two levels: Secret and Très Secret. Engagements involving classified material at Secret level or above require facility and personnel clearance granted under IGI 1300, including specific provisions where the legal entity is foreign-incorporated.

Restricted dissemination. Material classified as Diffusion Restreinte (DR), which sits below the IGI 1300 classification levels, is governed by Instruction No. 901 (II 901 / SGDSN / ANSSI) on the organisational and technical protection of sensitive information systems.

Cybersecurity. We align with ANSSI guidance on the protection of sensitive information systems. For engagements with operators of essential or important services under the French NIS2 implementation, we operate to the supervisory framework administered by ANSSI.

Personal data. CNIL is the supervisory authority for personal data; GDPR applies as the primary framework.

GERMANY

Defence classification. The German federal classification system has four levels: VS-NUR FÜR DEN DIENSTGEBRAUCH (VS-NfD, equivalent to NATO/EU RESTRICTED), VS-VERTRAULICH, GEHEIM, and STRENG GEHEIM. Handling is governed by the Security Clearance Act (Sicherheitsüberprüfungsgesetz, SÜG) and the Manual on the Safeguarding of Classified Information (Geheimschutzhandbuch, GHB), administered by BMWE and the Federal Office for Information Security (BSI). For VS-NfD engagements, we operate to the VS-NfD Code of Practice (Annex 4 to the GHB), including the encryption requirements set out in BSI Technical Guideline TR-02102 and the IT-Grundschutz CON.11.1 component. Engagements at VS-VERTRAULICH or higher require a formal agreement with BMWE, a dedicated security officer, and personnel clearances under the SÜG.

Cybersecurity. Operators classified as essential or important entities under the German NIS2 implementation (NIS2UmsuCG, in force from 6 December 2025) are required to register with the BSI, with the initial registration deadline falling in April 2026. Where you operate in a KRITIS sector, we structure our workflow to support your reporting obligations under the amended BSI Act.

Export control. The Federal Foreign Trade and Payments Act (AWG) and the Foreign Trade and Payments Ordinance (AWV) implement EU Dual-Use Regulation 2021/821 at the national level, administered by BAFA.

Personal data. The Federal Data Protection Act (BDSG) operates alongside GDPR; state-level data protection authorities apply.

UNITED KINGDOM

Defence classification. UK MOD information is classified under the Government Security Classifications policy at OFFICIAL, OFFICIAL-SENSITIVE, SECRET, and TOP SECRET. Protective security for MOD engagements is governed by Joint Service Publication 440 (Defence Manual of Security) and Joint Service Publication 604 (IT systems security).

Cybersecurity. We operate to the requirements of the Defence Cyber Protection Partnership (DCPP) Cyber Security Model. Where DEFCON 658 (Cyber) is flowed down in your contracts, we work to the DEFSTAN 05-138 baseline at the Cyber Risk Profile applicable to the engagement, with Supplier Assurance Questionnaire responses available on request. Cyber Essentials Plus certification is maintained for engagements where MOD Identifiable Information (MODII) is involved. We align with NCSC guidance and are tracking the forthcoming Cyber Security and Resilience Bill.

Export control. UK Strategic Export Controls under the Export Control Order 2008, administered by the Export Control Joint Unit (ECJU).

Personal data. UK GDPR and the Data Protection Act 2018; the Data (Use and Access) Act introduces further provisions which we are tracking.

FINLAND

Defence classification and security clearance. National classification operates at four levels: ERITTÄIN SALAINEN, SALAINEN, LUOTTAMUKSELLINEN, and KÄYTTÖ RAJOITETTU. Defence and dual-use engagements are governed by the Finnish criteria for industrial security (KATAKRI), administered by the National Security Authority (NSA) within the Ministry for Foreign Affairs, with technical assessment carried out by the Finnish Transport and Communications Agency (Traficom NCSA-FI).

Cybersecurity. Finland transposed NIS2 through the Cybersecurity Act, with Traficom acting as the lead supervisory authority. For engagements with operators of essential services, we work to KATAKRI controls at the level required by the contract.

Export control. Implements EU Dual-Use Regulation 2021/821 nationally; defence material export controls are administered by the Ministry of Defence.

PORTUGAL

Defence classification. Protection of classified information is governed by the National Security Authority (GNS) under the Prime Minister's Office, with classification levels aligned to NATO and EU standards. Facility and personnel clearances for engagements involving SECRETO and above are granted via GNS.

Cybersecurity. NIS2 is transposed through Law 46/2018 (as updated); the Portuguese National Cybersecurity Centre (CNCS) acts as the lead authority. For operators of essential services, we work to the National Reference Framework for Cybersecurity.

Export control. Implements EU Dual-Use Regulation 2021/821 nationally; defence exports are administered by the Directorate-General for National Defence Resources (DGRDN).

NETHERLANDS

Defence classification. Dutch classification operates at STG. ZEER GEHEIM, STG. GEHEIM, STG. CONFIDENTIEEL, and DEPARTEMENTAAL VERTROUWELIJK. Defence engagements are governed by the General Security Requirements for Defence Contracts (ABDO 2024). Industrial security is administered by the Military Intelligence and Security Service (MIVD).

Cybersecurity. NIS2 is transposed through the Network and Information Systems Security Act (Wbni), with NCSC-NL as the lead authority for essential entities and DTC for important entities.

Export control. Implements EU Dual-Use Regulation 2021/821 nationally; defence exports are administered by the Central Import and Export Office (CDIU) under Dutch Customs.

ESTONIA

Defence classification. National classification is set out in the State Secrets and Classified Information of Foreign States Act, with levels TÄIESTI SALAJANE, SALAJANE, KONFIDENTSIAALNE, and PIIRATUD. Industrial security is administered by the Estonian Internal Security Service (KAPO) for civilian engagements and the Estonian Defence Forces Intelligence Centre for military engagements.

Cybersecurity. Estonia is one of the most mature jurisdictions on cybersecurity governance in the EU. We work to the Estonian Information Security Standard (E-ITS), administered by the Estonian Information System Authority (RIA). NIS2 is transposed through the Cybersecurity Act, with RIA as the lead competent authority.

Export control. Implements EU Dual-Use Regulation 2021/821 nationally; defence exports are administered by the Strategic Goods Commission.

Anuna's domicile. As an Estonian OÜ, our operating, tax, and corporate framework sits under Estonian law. This is the default jurisdiction for our contracts unless your engagement requires otherwise.

POLAND

Defence classification. The Protection of Classified Information Act 2010 sets out four levels: ŚCIŚLE TAJNE, TAJNE, POUFNE, and ZASTRZEŻONE. Industrial security certificates (świadectwo bezpieczeństwa przemysłowego) are issued by the Internal Security Agency (ABW) for civilian contracts and by the Military Counterintelligence Service (SKW) for defence contracts. Engagements at CONFIDENTIAL (POUFNE) and above require a dedicated security officer, a Classified Information Protection Plan, and in many cases a kancelaria tajna (secret office) for document handling.

Cybersecurity. Poland's NIS2 transposition is administered through the National Cybersecurity System; the relevant sectoral CSIRTs handle incident reporting depending on your classification.

Export control. Implements EU Dual-Use Regulation 2021/821 nationally; defence exports are administered by the Ministry of Development and Technology with security input from ABW and SKW.

SWITZERLAND

Defence and dual-use export control. Swiss export control sits under the War Material Act (KMG) and War Material Ordinance (KMV), and the Goods Control Act (GKG) and Goods Control Ordinance (GKV), all administered by the State Secretariat for Economic Affairs (SECO), in coordination with the Federal Department of Foreign Affairs (FDFA). Swiss neutrality imposes additional constraints on the destinations to which material can be shipped, and we structure our workflow to respect them.

Classified information. The Federal Act on Information Security (ISG, in force since 1 January 2024) consolidates the protection of federal classified information, replacing the earlier Information Protection Ordinance. Levels are INTERN, VERTRAULICH, and GEHEIM. Defence engagements involving classified information are administered by the Federal Department of Defence (DDPS).

Personal data. Federal Act on Data Protection (revFADP), in force since 1 September 2023.

UNITED STATES

We structure our workflow to support clients operating under US frameworks. Specific provisions are discussed during onboarding.

Export control. International Traffic in Arms Regulations (ITAR), administered by the Directorate of Defense Trade Controls (DDTC), and Export Administration Regulations (EAR), administered by the Bureau of Industry and Security (BIS).

Cybersecurity Maturity Model Certification (CMMC). The final DFARS rule incorporating CMMC 2.0 through clause 252.204-7021 was published on 10 September 2025 and is enforceable across the Defense Industrial Base. We are aware of how Level 1, Level 2, and Level 3 requirements affect the data we may handle on your behalf, and structure our environment to support contractors operating under DFARS 252.204-7012 and the 110 controls of NIST SP 800-171 Revision 2. For CUI handling, we work with US-jurisdictioned infrastructure carrying the appropriate authorisations.

National Defense Authorization Act FY 2026. Public Law 119-60, signed 18 December 2025. Section 1513 directs the DoD to develop a physical and cybersecurity procurement framework for covered AI and ML systems, to be implemented as an extension of CMMC. The DoD's status report to Congress is due by 16 June 2026. We are tracking the framework's development and will align our practices as it is incorporated into the DFARS.

Personal data and sectoral frameworks. State privacy laws apply alongside federal sectoral frameworks; specific provisions are agreed during contracting.

ISRAEL

Defence export control. The Defense Export Control Law (5767-2007), administered by the Defense Export Control Agency (DECA) within the Israeli Ministry of Defense. Registration in DECA's Defense Export Registry is a prerequisite for any defence export activity, with marketing licences, item-level IDs, and export licences required at the relevant stages. We are aware that even marketing activities and signed MOUs can require licences under the 2007 Act, and we structure engagements accordingly.

Dual-use export control. Administered by the Export Control Division of the Ministry of Economy and Industry (MOE) for non-defence end uses, with the cryptography framework consolidated into MOE and DECA controls following the 2026 revocation of the Encryption Order.

Personal data. Israel Privacy Protection Law (PPL) and the regulations issued by the Privacy Protection Authority. Israel is recognised under an EU adequacy decision for personal data transfers.

AUSTRALIA

Defence Industry Security Program (DISP). Membership in DISP is required for engagements involving Defence information. We operate to the Defence Security Principles Framework (DSPF) and the Protective Security Policy Framework (PSPF) at the membership level appropriate to the engagement. As of 15 November 2025, DISP requires full ASD Essential Eight Maturity Level 2 across the corporate IT environment used to engage with Defence; we work to that standard for all Australian defence engagements.

Personnel security. Australian Government Security Vetting Agency (AGSVA) clearances, with workforce screening conducted under AS4811-2022.

Export control. Defence Trade Controls Act 2012, administered by the Defence Export Controls Office (DECO) within the Department of Defence. AUKUS implementation continues to expand interoperability requirements between Australian, UK, and US defence contractors, which we are tracking.

Critical infrastructure. Security of Critical Infrastructure Act 2018 (SOCI Act) where you are designated as a critical infrastructure entity.

Personal data. Privacy Act 1988 and the Australian Privacy Principles.

OTHER ALLIED NATIONS

For clients in jurisdictions not specifically named above, we align with the relevant national framework, including those of New Zealand, Canada, Japan, the Republic of Korea, and the Nordic states. If your jurisdiction is not covered here, raise it during onboarding and we will document the framework before work begins.

STANDARDS WE WORK TO

Our internal practices are benchmarked against the NIST SP 800 series cybersecurity guidance and the NIST AI Risk Management Framework, both of which are widely used across allied nations as international operational standards. We are actively evaluating ISO 27001 and ISO 42001 certification pathways.

ENGAGEMENT AND CONTRACTING

NDAs. We sign an NDA before any substantive conversation. We work with your form or provide our own.

Data processing agreements. Signed before any work involving personal or sensitive data. We provide a standard form or work from yours.

Security questionnaires. We complete security questionnaires as part of vendor onboarding and respond within five business days of receipt.

Vendor security assessments. We support documentation requests, audit clauses, and supply chain risk assessments within the same five-business-day window.

Incident notification. If a security incident affects your materials, we notify you without delay. For personal data incidents under GDPR, you hear from us within 24 hours of our becoming aware, giving you time to meet your own 72-hour notification obligation to your supervisory authority. Material incidents that do not involve personal data are reported within 48 hours.

CONTACT AND UPDATES

This page is reviewed quarterly. If you have a compliance question, need a data processing agreement, or want to discuss a specific security requirement, contact us directly at compliance@anuna.cc.