TRUST AND DATA HANDLING

How we handle data and providers

Sub-processors, data residency, DPAs, and the technical differences between Own and Lease. Written for technical and compliance leads.

Data residency

European clients, European servers. By default, client projects run in Amsterdam (Railway) and Frankfurt (Neon Tech on AWS eu-central-1). GCP and Microsoft are configured per project with European regions as the first choice.

This is a deliberate choice, not an accidental result. We minimize the amount of personal data processed and keep data within the EU/EEA wherever possible.

Sub-processors and DPAs

These providers may process data in client projects. Which ones are active depends on the solution.

Provider	Usage	Default region	DPA status	Links
Anthropic	Claude API for client products, Claude Team for internal development and operations. Per Anthropic's ToS, data is not used to train the models in either case.	EU/US per setup	Integrated in Anthropic's ToS. For Own projects, the client contracts directly with Anthropic.	DPA
OpenAI	Used only in the AI Pitch Analyzer (Whisper transcription). Anthropic is the primary choice elsewhere, but offers no voice model.	EU when possible	Signed Nordic AI DPA	DPA (PDF) Signed copy
Railway	Hosting and PaaS for client projects.	Amsterdam (EU-West) by default	Signed Nordic AI DPA	Signed copy
Neon Tech	Postgres and pgvector for vector databases and application data.	Frankfurt (AWS eu-central-1)	Regulated under Databricks DPA, ref Neon §3.4	Databricks DPA Neon §3.4
Google Cloud Platform	Project- and client-dependent. Active only when chosen for the solution.	Configurable, European regions as first choice	Per client setup	GCP DPA
Microsoft (M365 / SharePoint / Azure)	Project- and client-dependent. Common when integrating with existing client setups.	Configurable, European regions as first choice	Per client setup	Microsoft DPA

Anthropic

Usage: Claude API for client products, Claude Team for internal development and operations. Per Anthropic's ToS, data is not used to train the models in either case.
Default region: EU/US per setup
DPA status: Integrated in Anthropic's ToS. For Own projects, the client contracts directly with Anthropic.
Links: DPA

OpenAI

Usage: Used only in the AI Pitch Analyzer (Whisper transcription). Anthropic is the primary choice elsewhere, but offers no voice model.
Default region: EU when possible
DPA status: Signed Nordic AI DPA
Links: DPA (PDF)
Signed copy

Railway

Usage: Hosting and PaaS for client projects.
Default region: Amsterdam (EU-West) by default
DPA status: Signed Nordic AI DPA
Links: Signed copy

Neon Tech

Usage: Postgres and pgvector for vector databases and application data.
Default region: Frankfurt (AWS eu-central-1)
DPA status: Regulated under Databricks DPA, ref Neon §3.4
Links: Databricks DPA
Neon §3.4

Google Cloud Platform

Usage: Project- and client-dependent. Active only when chosen for the solution.
Default region: Configurable, European regions as first choice
DPA status: Per client setup
Links: GCP DPA

Microsoft (M365 / SharePoint / Azure)

Usage: Project- and client-dependent. Common when integrating with existing client setups.
Default region: Configurable, European regions as first choice
DPA status: Per client setup
Links: Microsoft DPA

We hold signed versions of several DPAs. They are made available on request via email.

Own vs Lease: technical differences

The two models build on the same components, but ownership, operation, and DPA relationships differ fundamentally.

Dimension	Own	Lease
Infrastructure ownership	Client	Nordic AI
Tenant model	Single-tenant in client environment	Per-vertical, isolated per client
DPAs with third parties	Client signs directly (Nordic AI guides)	Nordic AI is the primary contract, client is sub-processor
Upgrades	Client timing	Nordic AI rolls them out
Customization	Full	Within the vertical framework
Data location	Client choice	EU by default, can be tailored

Infrastructure ownership

Own

Client

Lease

Nordic AI

Tenant model

Own

Single-tenant in client environment

Lease

Per-vertical, isolated per client

DPAs with third parties

Own

Client signs directly (Nordic AI guides)

Lease

Nordic AI is the primary contract, client is sub-processor

Upgrades

Own

Client timing

Lease

Nordic AI rolls them out

Customization

Own

Full

Lease

Within the vertical framework

Data location

Own

Client choice

Lease

EU by default, can be tailored

Heightened security requirements

Our standard setup meets the bar for most projects. For especially sensitive personal or business data, we offer two escalation tiers that adapt the Own delivery.

Anthropic via the client's own cloud tenant

Anthropic is available as a managed service on AWS Bedrock, Google Vertex AI, and Azure. We route model calls through the client's own tenant, selected to match the existing tech stack, so processing and audit trails stay inside the client's perimeter.

Local on-prem models

For exceptionally high requirements, or explicit on-prem requests, we deploy local open models in the client's infrastructure. This is a premium delivery on the Own model, priced as an extended Own project.

DPA strategy for Own projects

In Own projects, Nordic AI helps the client set up direct data processing agreements with relevant third parties. We deliver an overview of which providers will process personal data in the client's setup, point to the right DPA template, and coordinate with the client's legal resource.

The legal work itself, evaluation and signing, is done by the client's own counsel. We are technical coordinator, not legal advisor.

We typically help set up DPAs with:

Anthropic (Claude API)
Railway (hosting)
Neon Tech (database)
Google Cloud Platform
Microsoft (Azure, M365, SharePoint)
Other providers relevant to the project

We are not lawyers and do not provide legal advice. The client's own legal resource evaluates and signs the agreements.

SLA: Own vs Lease

The SLA frames are clearly different. Concrete numbers are set in contract by scope.

Own

The client's own infrastructure has its own uptime. Railway, GCP, Microsoft and others publish their own SLAs. On top of that, Nordic AI delivers a support SLA with response time and incident handling, set by scope.

Lease

Nordic AI provides a single combined SLA covering platform uptime and support response time. Concrete numbers will be published when the lease model launches in Q2 2026.

Security measures

Measures are tailored to the project's risk level and the client's requirements, but the fundamentals are consistent.

Role-based access control on all systems
Data encryption at rest and in transit
Logging and monitoring of data access
Secure software development practices
Partnerships with ISO-certified cloud and infrastructure providers
Strict data minimization: we collect only what is necessary

Questions about technical setup or compliance?

We answer technical and compliance questions in detail, including questions about signed DPAs, data location, and provider setup.

Send us an email