Kirla Web-ServicesWeb-Services und digitale Produkte.

№ 58

Auflage 0

Zurück zur Tagesansicht

Ressort: Künstliche Intelligenz

Anthropic gives EU agency access to security AI Mythos

AI-generiertVerfasst: 2. Juni 2026, 12:54 MESZKünstliche Intelligenz· laufender Verlauf

US company Anthropic is providing its language model Mythos to the European cybersecurity agency ENISA. The AI system can detect network vulnerabilities – but also poses significant risks to critical infrastructure.

Anthropic has committed to granting EU cybersecurity agency ENISA access to its new language model Mythos. Handelsblatt reports that the AI tool is already being used by numerous US firms and is exceptionally skilled at identifying vulnerabilities in systems.

Strategic step for European security

Providing the model to the European authority is a strategic move: ENISA will be able to test and evaluate the capabilities and potential risks of the technology. Bloomberg reports that Anthropic describes the model as extraordinarily adept at detecting network vulnerabilities – but simultaneously warns that it could pose a significant cybersecurity threat to critical systems.

The collaboration with the EU agency underscores the growing importance of AI security in Europe. While Anthropic grants authorities access to its models, the company is simultaneously preparing for its IPO: Tagesschau reports that Anthropic – known for its AI application Claude – has already filed documents with the US securities regulator. This is the first formal step on the path to going public.

Willingness to cooperate with European regulators

The measure fits into the broader context of European AI regulation. The EU is working to monitor powerful AI systems and minimize their risks. By granting ENISA access to Mythos, Anthropic signals its willingness to cooperate with European regulatory authorities – an important signal at a time when controlling AI security risks is increasingly coming into focus.

Quellen

06:352. Juni 2026bloomberg.com

handelsblatt.com2. Juni 202606:35

06:352. Juni 2026tagesschau.de

lemonde.fr2. Juni 202606:35

06:352. Juni 2026heise.de

sueddeutsche.de2. Juni 202606:35

06:352. Juni 2026feeds.feedburner.com

news.google.com2. Juni 202606:35

Zurück zur Tagesansicht

Cookie-Einstellungen für Kirla Chronicle

Wir verwenden technisch notwendige Cookies und Sicherheitsdienste für Login, Sitzungsschutz und Missbrauchsprävention. Optionale Kategorien (Präferenzen, externe Dienste, Analytics, Marketing) kannst du jetzt erlauben oder ablehnen und später jederzeit ändern.

Datenschutz

Zurück

Version: 2026-04.4

Effective date: 2026-04-29

AI transparency

Kirla Chronicle may use AI to generate or materially transform briefing and news content. These outputs are labeled as AI-generated or created with AI by default unless a provable human-only path is explicitly documented.

Controller and Contact

The controller within the meaning of Art. 4(7) GDPR is the provider identified in the imprint.

Privacy contact: contact@kirla-webservices.com.

Processed Data Categories

Account identity data, authentication/security metadata, profile preference data, briefing content artifacts, billing ledger metadata, and support communications are processed.

Account identity: name, email, account role, verification state.
Authentication/security: session versioning, rate-limit metadata, security event logs.
Product/profile data: topics, regions, scheduling and preference metadata.
Briefing operations: generated briefings, delivery records, source archive metadata.
Billing metadata: wallet movements, references, and reconciliation records.
Checkout and consent evidence: transaction-specific consent for immediate digital performance (timestamp, language, text version, evidence hash).

Personalization Data

Topic profiles are derived and stored from a user's interactions (newsroom clicks, external source clicks, chat, briefing email opens) so the briefings can be tailored to individual interests.

Data categories: click behavior, derived topic weightings, and short AI-assisted notes and summaries on recurring topics.
Legal basis: Art. 6(1)(a) GDPR (consent for the Analytics category) and Art. 6(1)(b)/(f) GDPR (contract performance / legitimate interest in operating the service).
The AI-assisted distillation can be enabled or disabled centrally.
Pause or full deletion at any time via Settings → Privacy.

Briefing Generation, Chat, and AI Processing

Briefings, chat transcripts, and associated metadata (tokens, cost, model, provider, cost category, request purpose) are processed to deliver the core service.

AI processors: OpenAI Ireland Ltd. (Ireland/EU, onward processing USA via SCCs), Anthropic PBC (USA, SCCs), Google Ireland Ltd. / Gemini API (Ireland/EU, onward processing USA via EU-DPF and SCCs), and Manus AI / Butterfly Effect Pte Ltd (Singapore, SCCs).
Retention for AI metadata: 365 days.
Legal basis: Art. 6(1)(b) GDPR (contract performance).

Market Watchlists and Financial Data

Watchlist symbols and OHLCV daily-close data are processed to render the market strip. Requests to external market-data APIs contain only ticker symbols — no personal data.

Providers: Finnhub Inc. (USA), Yahoo Finance — all retrieved server-side without transmitting PII.
Since no personal data is transmitted, a Chapter V GDPR transfer mechanism is not required.
Legal basis: Art. 6(1)(b) GDPR.

Payment Data and Purchase Consent Evidence

Payment status, payment-provider customer identifier, credit balances, and the transaction-bound consent timestamp for immediate digital performance (including the language and version state of the consent) are retained for legal reasons.

Legal basis: Art. 6(1)(b) and (c) GDPR in conjunction with § 356(5) German Civil Code.
Retention: 10 years (tax/commercial law); purchase consent evidence at least 3 years (§ 195 German Civil Code).
Recipient: payment processor based in the USA, DPF-certified.

Email Delivery and Open-Pixel Tracking

Email address, delivery status, and message identifier are processed to deliver briefing emails. With active consent to the Marketing category, the fact and timing of opening a briefing email may also be recorded — consent is stored as an opt-in flag on the account.

Legal basis for delivery: Art. 6(1)(b) GDPR.
Legal basis for the open pixel: Art. 6(1)(a) GDPR and § 25(1) TTDSG (ePrivacy).
Withdrawal at any time via Settings → Privacy; no pixel is shipped without consent.

Engagement Credits and Novelty Tracking

Normalized topic labels, anonymous counters, and engagement-credit events (novelty bonus, referral rewards, anti-abuse counters) are processed in aggregate. Aggregate counters do not allow identification of individuals.

Optional Data Sharing (Trend Reports, Market Research, Recommendations, Surveys)

Four optional use cases are available exclusively after express prior consent and are disabled by default: anonymized topic trend analyses (aggregate trend reports), invitations to voluntary market research studies, product recommendations with partner links, and invitations to remunerated surveys. None of this processing takes place without consent.

For aggregate analyses, interaction data is processed exclusively under a yearly-rotating pseudonym and is only shared in groups of at least 50 persons (k-anonymity). Individual profiles, real names, or email addresses are neither shared nor sold.

Legal basis: Art. 6(1)(a) GDPR (consent); each purpose can be enabled and revoked individually.
Withdrawal at any time via Settings → Data sharing; withdrawal takes effect for the future. Anonymous aggregates already produced contain no personal reference and remain in place.
Consent evidence: timestamp, purpose, decision, and text version are logged (current version: 2026-06-11); IP addresses are stored exclusively as a keyed hash, the user agent in truncated form.
Voluntary self-declaration: industry, role, and company size may optionally be provided and feed into anonymous analyses exclusively as a cohort attribute; the entries can be deleted at any time in the settings.
Internal activity score: a 7-, 30-, and 90-day activity value is maintained per pseudonym for quality assurance; it does not leave the provider's systems, is deleted after 90 days at the latest, and is removed promptly upon full withdrawal.
Retention: consent evidence at least 3 years (§ 195 German Civil Code); pseudonymous analysis data (activity scores) at most 90 days; session keys and target URLs are removed from raw events after 30 days at the latest, and the account association of session-bound raw events after 90 days at the latest.

Processing Purposes

Data is processed to operate the service, secure accounts, deliver briefings, support billing operations, and provide support/compliance responses.

Account creation, login, password recovery, and account security.
Briefing generation, email delivery, and user-facing archives.
Billing balance handling and transaction transparency.
Service abuse prevention, diagnostics, and incident investigation.

Legal Bases

Processing is generally based on contract performance, legal obligations, and legitimate interests in operating and securing the service.

Optional cookie/service categories are processed on a consent basis and remain inactive until consent is recorded.

Recipients and Processors

Data processing agreements per Art. 28 GDPR are in place with all subprocessors.

Hosting and database service – dedicated server in Germany/EU
Email delivery service – transactional SMTP delivery from Germany/EU
OpenAI Ireland Ltd. – AI-assisted briefing generation; processes profile details such as topic preferences (Ireland/EU; onward processing by OpenAI L.L.C. USA under Standard Contractual Clauses)
Anthropic PBC – AI inference with Claude models for selected briefing and chat steps (USA; Standard Contractual Clauses per Art. 46(2)(c) GDPR)
Cloudflare Inc. – Turnstile bot protection and CDN/DDoS protection (USA; EU-DPF-certified with supplemental EU Standard Contractual Clauses)
Manus AI (Butterfly Effect Pte Ltd) – AI-assisted source enrichment (Singapore; Standard Contractual Clauses per Art. 46(2)(c) GDPR)
Google Ireland Ltd. (Gemini API) – AI inference on selected generation steps (Ireland/EU; onward processing by Google LLC USA under EU-DPF and supplemental Standard Contractual Clauses)

External Data Sources

Public reference sources are retrieved server-side to enrich the newsroom (e.g. market tiles). These requests originate from the server only — the user's browser does not contact these providers directly, and no personal data is transmitted.

The following data sources are currently in use:

Yahoo Finance (https://finance.yahoo.com): price and chart data for indices (DAX 40, S&P 500), commodity futures (Brent, gold), cryptocurrencies (Bitcoin), and FX pairs (EUR/USD, EUR/GBP). Server-side retrieval via the public chart API without an API key.

International Transfers

Hosting, Datenbank-Betrieb und SMTP-Versand erfolgen ausschließlich auf Servern in Deutschland/EU. KI-Inferenz erfolgt teilweise im EU-Raum (OpenAI Ireland Ltd. mit Unterauftragsverarbeitung durch OpenAI L.L.C. USA sowie Google Ireland Ltd. mit Unterauftragsverarbeitung durch Google LLC USA — jeweils auf Basis von Standardvertragsklauseln gem. Art. 46(2)(c) DSGVO und ergänzendem EU-DPF) und teilweise direkt in den USA (Anthropic PBC) bzw. Singapur (Manus AI / Butterfly Effect Pte Ltd) auf Basis von Standardvertragsklauseln gem. Art. 46(2)(c) DSGVO. Cloudflare Inc. (USA) ist EU-DPF-zertifiziert und ergänzend mit EU-Standardvertragsklauseln abgesichert.

Retention and Deletion

Personenbezogene Daten werden nur so lange gespeichert wie für die Leistungserbringung oder die Erfüllung gesetzlicher Aufbewahrungspflichten erforderlich. Briefing-Verläufe und zugehörige Nutzungs-/Kostendaten werden nach Kontoschließung gelöscht oder anonymisiert; handels- und steuerrechtlich relevante Unterlagen bleiben für die gesetzlichen Aufbewahrungsfristen erhalten.

Deletion requests are handled via support at support@kirla-webservices.com.

Account data: until account deletion; followed by a 14-day grace period.
Billing metadata and tax-relevant records: 10 years (§ 257 HGB, § 147 AO).
Purchase consent evidence (digital content): at least 3 years (§ 195 German Civil Code).
Security and audit logs: 365 days.
AI processing metadata (tokens, costs, model, provider, cost category): 365 days.
Topic profiles and AI-assisted summaries: until withdrawal of Analytics consent or pause/deletion via Settings → Privacy.
Optional data sharing: consent evidence at least 3 years (§ 195 German Civil Code); session keys and target URLs removed from raw events after 30 days at the latest, account association of session-bound raw events after 90 days at the latest; pseudonymous activity scores at most 90 days; anonymous aggregates without personal reference indefinitely.
Aufbewahrungsausnahmen ergeben sich aus handels- und steuerrechtlichen Pflichten (10 Jahre Billing-Metadaten gem. § 257 HGB / § 147 AO), aus Kaufzustimmungs-Nachweisen (mindestens 3 Jahre gem. § 195 BGB) sowie aus Sicherheits-Logs (365 Tage). Personenbezogene Daten ohne gesetzliche Aufbewahrungspflicht werden mit Kontolöschung gelöscht oder anonymisiert.
Security and abuse-prevention records may be retained for legitimate interests and legal obligations.
Anonymization vs deletion policy: Wo eine vollständige Löschung wegen gesetzlicher Aufbewahrungspflichten nicht möglich ist (insbesondere Billing- und Kaufzustimmungs-Daten), werden personenbezogene Bezüge entfernt oder durch pseudonymisierte Surrogate ersetzt. Die so anonymisierten Daten lassen keinen Rückschluss auf die betroffene Person mehr zu.

Data Subject Rights

Users may request access, rectification, deletion, restriction, objection, and data portability where applicable under law.

Requests can be submitted via support contact channels listed on the contact page.

Cookies and Consent Categories

Strictly necessary cookies serve authentication and session security as well as storage of the cookie consent including version state.

A preference cookie stores the selected interface language — and only after an explicit language switch and consent to the preferences category.

Cloudflare Turnstile is used as a technically necessary anti-bot security control for login, registration, contact, and password-reset forms.

One or more optional consent categories are available in this deployment and controlled through cookie settings.

Consent can be updated or withdrawn at any time via the “Cookie settings” link in the footer.

Necessary: always enabled for core security and sign-in behavior.
Preferences: available by consent (currently used for locale persistence).
External services: available by consent (currently not required for Turnstile).
Analytics: configured as inactive in this deployment.
Marketing: configured as inactive in this deployment.

Security, Logging, Account, Billing, and Email Flows

Security events, account recovery, verification, billing reconciliation, and delivery operations generate operational logs and metadata required to run and secure the service.

Password reset and account security events.
Rate-limit and abuse prevention telemetry.
Billing wallet and reconciliation event metadata.
Email verification and delivery status records.

Complaints and Supervisory Authority

Supervisory authority: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Gustav-Stresemann-Ring 1, 65189 Wiesbaden

Inquiries can alternatively be directed first to the controller or to support.