What people ask us

Are you compliant with GDPR?

Yes.

GDPR applies to AI solutions developed and applied in the EU and EFTA (together referred to as the EEA) where personal information is being used, including when that information is publicly available. Compliance in the context of AI here means two things:

1) Where personal information is used, the organization must have a lawful basis for its collection and processing, for instance through consent of the user, contractual necessity or legitimate interests. This means the AI solution must be built with the relevant lawful basis in mind if it is to use personal data; otherwise the data has to be anonymized before it is processed.

2) The data must be stored either in the EEA or in a country that the European Commission determines to have a "comparable level of protection of personal data" to the EU. Many AI solutions build directly on publicly available LLMs, such as those from US companies like OpenAI and Anthropic, where the data is usually stored on US servers. OpenAI has an official Data Processing Addendum (DPA) publicly available (as does Anthropic), ensuring GDPR compliance even when the data is processed on US servers. Depending on the use case, however, it may be necessary to assess whether the intended usage of the data is adequately addressed in the DPA.

While not strictly required for GDPR, where extra security is needed beyond GDPR compliance, using Azure for AI development allows flexibility in which server locations to use. Although a more expensive option, this enables us to choose servers in the EU, the EEA, the US, or elsewhere, as needed for the use case and business requirements.

Our planning and preparation process for developing AI solutions involves careful consideration of which information will be processed by the AI solution. This means taking clear measures to ensure GDPR compliance in the cases where personal information will be used.

Are you ISO 27001 certified?

No.

We follow the recommendations of the Norwegian Digitalization Directorate (DigDir). While an ISO 27001 certification has its benefits, DigDir notes that this is a costly process and not the only alternative for working systematically with governance and control of information security.

We have accordingly decided not to prioritize an ISO 27001 certification at this stage of our business. Instead, our focus is to build on DigDir's "Internal Control in Practice - Information Security" and "Holistic Governance and Control of Information Security" to form our approach to ensuring strong internal controls and information security.

We take security concerns raised by our clients and stakeholders seriously, and take the security precautions required by the business requirements of each project and solution. In cases where clients require ISO 27001 of their suppliers for certain projects, we can facilitate contact with our relevant partners who hold these certifications.

Are you compliant with the EU AI Act?

Yes, we comply with the EU AI Act.

We have developed internal guidelines to meet today's requirements and prepare for future regulations. In our blog post, you can read both our official company guidelines and a brief explanation of how we combine safety with innovation in relation to the EU AI Act: Our Guidelines for the EU AI Act: Safety and Innovation in Practice.
