What DecisionOS is, who it is for, how it handles data, and how it differs from generic AI research.
What is DecisionOS?
DecisionOS is a decision infrastructure platform for enterprise technology decisions. It turns a fragmented buying process (spreadsheets, slide decks, vendor calls, Slack threads) into one structured workflow that produces an audit-ready decision memo. DecisionOS is built by nexalign GmbH, a Berlin-based company, and hosted entirely in the European Union.
Who makes DecisionOS?
DecisionOS is made by nexalign GmbH, a Berlin-based decision-infrastructure company (Amtsgericht Charlottenburg, HRB 279058). The canonical full product name is DecisionOS by nexalign. The product is reachable at nexalign.io.
Is DecisionOS by nexalign the same as other products called DecisionOS?
No. Several unrelated products share the name. DecisionOS by nexalign at nexalign.io is operated by nexalign GmbH (Berlin). It is not DECISO at deciso.io, not DecisionRules at decisionrules.io, not DecisionOps at aidecisionops.com, not iCustomer Decision OS at icustomer.ai, not DecisionOS App at decisionos.app, not DecisionOS by PhysicsX at decisionos.ai, and not the open-source 'decision-os' library. Different operators, different products, different categories.
How do you write 'DecisionOS' correctly?
The product name is written 'DecisionOS' (CamelCase, one word). Acceptable variants used in search: 'DecisionOS', 'Decision OS', 'Decision-OS', 'decisionos'. The company name is always written lowercase as 'nexalign'. Canonical full name: DecisionOS by nexalign.
Where can I find DecisionOS by nexalign online?
The canonical website is nexalign.io. The LinkedIn company page is at linkedin.com/company/nexalignio. There is no public app store listing, no Chrome extension, and no self-serve signup; access is granted after a scoped demo at nexalign.io/book.
Who is DecisionOS for?
DecisionOS is built for CISOs and CIOs who run high-stakes enterprise technology decisions and need a defensible record. Typical users evaluate EDR / XDR, IAM / Identity, governance tooling, sovereign cloud, IT outsourcing, or ERP / CRM. It is not a procurement marketplace and not a generic AI chatbot.
How is DecisionOS different from using ChatGPT or Claude for research?
General-purpose AI assistants are great for research, but they do not keep a structured decision record, do not track criteria weights, do not separate hard dealbreakers from weighted trade-offs, and do not produce an audit-ready memo your stakeholders can sign off on. DecisionOS wraps AI research inside a workflow that enforces structure, flags unverified data, and persists everything across decisions.
How does DecisionOS work?
You start by describing the decision in plain language. DecisionOS extracts category, trigger, urgency and stakeholders. You then confirm options and a shortlist, select applicable compliance frameworks (NIS2, DORA, ISO 27001, SOC 2), identify stakeholders and their stance, and score options against weighted criteria. The output is a board-ready decision memo plus per-role stakeholder briefs and a live Readiness Score.
What do I actually get out of DecisionOS?
Core deliverables: a board-ready decision memo (PDF), a management brief (NIS2 Art. 20 compatible), individual stakeholder briefs per role, a weighted vendor comparison matrix, a risk and trade-off log, and a Readiness Score with sub-scores for criteria coverage, evidence quality, risk analysis, stakeholder alignment and formal governance.
What is a decision memo?
A decision memo is a short structured document that captures why a decision was made. It records the trigger, the options considered, the criteria, the trade-offs, the stakeholders involved, the risks accepted, and the chosen path. A good decision memo is auditable months or years later, which matters for NIS2, DORA, ISO 27001 and internal governance.
Is DecisionOS GDPR-compliant?
Yes. nexalign GmbH is a German company and operates DecisionOS under GDPR. All application data is processed on servers inside the European Union. There is no third-party tracking, analytics is self-hosted and cookie-free, and a GDPR-compliant data processing agreement is in place with the hosting provider per Art. 28 GDPR.
Where is the data hosted?
All application data is hosted in Germany. No data leaves the European Union. Transactional email (for example demo-booking confirmations) is delivered via Resend under the EU-US Data Privacy Framework.
Which compliance frameworks does DecisionOS support?
DecisionOS maps decisions against NIS2, DORA, ISO 27001, SOC 2 and GDPR. For NIS2 and DORA there are auto-suggested dealbreakers based on the scope of the decision. The output memo is shaped to be usable directly in audit and governance reviews.
How long does a decision take with DecisionOS?
A typical technology decision that would take months with spreadsheets and scattered calls can be structured in an afternoon with DecisionOS. The exact time depends on how many stakeholders need to be aligned and how much external evidence (vendor research, compliance proof) needs to be gathered. The Readiness Score tells you when the memo is actually audit-ready.
What does DecisionOS cost?
Pricing is provided during a scheduled demo. There is no self-serve purchase. The reason is that deployment always involves a short discovery call to understand the specific decisions, compliance scope and stakeholder landscape. To discuss pricing, book a demo at nexalign.io/book.
Who is behind nexalign?
nexalign is operated by nexalign GmbH, registered in Berlin, Germany (Amtsgericht Charlottenburg, HRB 279058), managed by Tim Ponier. The company is focused on decision infrastructure for European enterprises with regulated workloads.
Is there a demo?
Yes. You can book a 30-minute demo at nexalign.io/book. During the demo you will see how a real decision is set up end-to-end, from trigger to board-ready memo, using a scenario close to your own.
Can I integrate DecisionOS with my existing toolchain?
DecisionOS produces standard outputs (PDF, plain text, structured JSON where relevant) that fit into existing document management, GRC tools and procurement suites. Deeper integrations are scoped per customer during onboarding. DecisionOS is not designed to replace your procurement suite or your GRC platform — it feeds them.
Is DecisionOS using AI under the hood?
Yes, where it helps. AI is used to extract structure from your initial problem description, to populate vendor research, to suggest stakeholder concerns, and to draft summary sections. Every AI-generated value is clearly flagged as a suggestion and can be edited or rejected. The final memo is always human-signed.
Who falls under NIS2 in 2026?
Three filters apply. First, sector: Annex I (energy, transport, banking, financial market infrastructure, health, water, digital infrastructure, ICT service management, public administration, space) or Annex II (postal, waste, chemicals, food, manufacturing, digital service providers, research). Second, size: large enterprises in Annex I become essential entities; medium enterprises in Annex I or II and large enterprises in Annex II become important entities. Third, special cases regardless of size (telecoms, trust service providers, TLD/DNS, central government). In addition, if you supply an essential entity, NIS2 requirements get passed through via contract. For a full step-by-step, see /insights/nis2-thresholds-2026-applicability.
What does the DORA 24-hour initial notification have to include?
Per the DORA Delegated Regulation: identification of the reporting entity (name, LEI, supervisor ID), date and time of detection and classification, short description of affected systems and services, first root-cause assessment (or 'unknown, under analysis'), estimate of affected clients, immediate measures taken, and a 24/7 contact for follow-up. What should not be included: unbacked speculation, damage figures that have not been quantified, third-party blame without forensics. Full guide: /insights/dora-24-hour-initial-notification-practice.
What does an EU AI Act conformity assessment require from August 2026?
Five blocks: (1) classification under Annex III (employment, education, credit scoring, law enforcement, migration, critical infrastructure, justice, biometrics), (2) determine your role (provider vs deployer; modifying an existing system can make you the new provider), (3) run the conformity assessment (risk management, data governance, technical documentation under Annex IV, logging, transparency, human oversight, accuracy/robustness/cybersecurity, internal control or notified body), (4) FRIA where the deployer is a public body or in credit/insurance, (5) registration in the EU database, CE marking, post-market monitoring, 15-day reporting of serious incidents. Full guide: /insights/ai-act-high-risk-conformity-assessment-2026.
How is DecisionOS different from GRC platforms like OneTrust, ServiceNow GRC, Drata or Vanta?
GRC platforms are audit-centric: they map controls, gather evidence and track findings against frameworks (ISO 27001, SOC 2). DecisionOS is decision-centric: it produces the structured decision memo, with weighted criteria, stakeholder positions, dealbreakers and a readiness score, that feeds INTO those GRC platforms as evidence. The two layers are complementary, not competing. A typical NIS2 or DORA programme runs DecisionOS for selection decisions and a GRC platform for ongoing control evidence.
Does the management body actually have personal liability under NIS2?
Yes. NIS2 Art. 20 requires the management body to approve cyber risk-management measures, oversee implementation, and undergo specific training. Member States must provide for liability of management bodies for breaches. In Germany this is complemented through the NIS2UmsuCG plus existing director duties (sec. 93 AktG, sec. 43 GmbHG). D&O insurers are reviewing NIS2 maturity in 2026 as a risk signal. Practical roadmap: /insights/nis2-management-body-liability-2026.
EDR, XDR or MDR: how do I choose?
Three axes. (1) SOC maturity: no in-house SOC = MDR; small 8x5 SOC = XDR + co-managed MDR; in-house 24/7 SOC = XDR + SIEM/detection engineering. (2) Compliance load: NIS2 expects effective detection and response (EDR floor, XDR/MDR defensible); DORA expects 24/7 ICT monitoring (in-house 24/7 or MDR). (3) Budget and scale: MDR is economical up to ~5000-10000 endpoints, beyond that in-house tends to be cheaper. Full matrix: /insights/edr-vs-xdr-vs-mdr-decision-matrix-2026.