TRUST AND DATA SOVEREIGNTY

Norwegian jurisdiction. Reviewable evidence.

YPAI is a Norwegian entity operating European infrastructure. Customer data sits outside US CLOUD Act compulsion by corporate structure, not by contract. SCCs are available for any customer-directed transfer outside the EEA.

  • Norwegian AS
  • EEA residency by default
  • No CLOUD Act exposure
  • SCCs available

EVIDENCE PACKAGE

Audit artifacts YPAI delivers per project.

Seven artifacts produced on request, validated by procurement teams across regulated mid-market and enterprise buyers.

  • Per-recording provenance

    Documentation of data lineage detailing the origin and chain of custody for individual project recordings.

  • Consent records

    Contributor agreements validating specific permissions scoped by individual and intended processing purpose.

  • Demographic metadata

    Aggregated distribution reports validating the balance of dialect and regional representations across the dataset.

  • QA artifacts

    Validation logs and metric reports detailing the quality assurance gates passed during dataset compilation.

  • Dataset versioning

    Immutable cryptographic hashes and change logs tracking modifications across dataset iterations.

  • Sub-processor transparency

    A documented register of third-party infrastructure and service providers, available upon formal request.

  • Sampling methodology

    Technical documentation defining the statistical approach used to select and stratify data for model training.


REGULATORY MAP

Where YPAI maps to the regulations procurement reviews.

Six regulations, with the YPAI control mechanism and the evidence artifact that proves it. Where YPAI does not hold a certification, the row is omitted, not faked.

  • GDPR Article 7 (Lawful basis: consent)

    Control: Per-contributor consent paired with automated withdrawal workflow

    Evidence: Consent records generated per data subject

  • GDPR Article 12 to 23 (Data subject rights)

    Control: Dedicated DSR workflow featuring automated audit trails

    Evidence: Exportable DSR audit log

  • GDPR Article 28 (Data processor terms)

    Control: Standardized DPA terms embedded in contracts

    Evidence: Fully executed DPA artifact

  • EU AI Act Article 10 (Data governance for high-risk AI)

    Control: Systemic provenance tracking and bias mitigation documentation

    Evidence: Provenance logs and sampling methodology documentation

  • MiFID II (Financial services voice and recording)

    Control: Architecture supporting five-year recording archive capabilities

    Evidence: System provenance and cryptographic retention metadata

  • HIPAA (Healthcare consent language scope only)

    Control: Healthcare-specific consent language modules with BAA chain support

    Evidence: Per-contributor signed consent paired with BAA-fit clause documentation

SOVEREIGNTY

Single jurisdiction. By design.

  1. Norwegian AS (Legal Entity)

  2. EEA Infrastructure (Data Residency)

  3. No CLOUD Act (Jurisdictional Perimeter)



COMMITMENTS AND CONTROLS

What YPAI signs and what YPAI operates.

YPAI procurement value is anchored in structural EEA jurisdiction and GDPR-native engineering. The contractual commitments and operational controls below are standing artifacts, so security teams can assess architectural fit without commissioning custom documentation.

Contractual commitments

  • GDPR Article 28 DPA

    Standardized Data Processing Agreement included with every engagement, ready for countersignature.

  • 30-day erasure SLA

    Hard deletion guarantees written into the master service agreement.

  • SCCs available

    Standard Contractual Clauses for customer-directed transfers outside the EEA.

Operational controls

  • Per-contributor consent records

    Immutable cryptographic audit trails for all data inputs.

  • DSR workflow

    Automated pipelines for Data Subject Rights requests.

  • GDPR Article 32 security mapping

    Engineering parameters mapped directly to GDPR Article 32 security requirements.

  • 72-hour breach notification

    GDPR Article 33 window, with the audit trail entry timestamped from the moment of awareness.

  • EEA-resident processing

    Norwegian AS operating EEA infrastructure by default, with no US CLOUD Act exposure.

  • EU AI Act Article 10 alignment

    Proactive mapping to European AI data governance mandates.

  • 7-artifact evidence package

    Documented proof of data provenance and isolation, available upon formal request.

FREQUENTLY ASKED

What procurement reviewers ask before signing.

In the European Economic Area (EEA) by default. Norwegian and EEA infrastructure providers only. Customer-directed transfers outside the EEA are supported via Standard Contractual Clauses (SCCs).

30 days from a verified erasure request, with audit trail preserved. Hard deletion is written into the master service agreement.

YPAI provides healthcare-specific consent language and data handling. We do not replace the customer BAA chain or covered-entity obligations. We sign a BAA-fit clause where the engagement scope requires it.

Documented and available upon formal request as part of the procurement workflow. Sub-processor transparency is one of the 7 audit artifacts shipped per project.

YPAI ships a standardized DPA covering GDPR Article 28 terms. Customer DPAs are accepted with redlining where the engagement scope makes it operationally feasible.

In line with GDPR Article 33: 72 hours from awareness, with the audit trail entry timestamped from the same moment.

A documented evidence package with every engagement: GDPR Article 28 DPA ready for countersignature, per-contributor consent records, DSR workflow documentation, a 30-day erasure SLA in the master service agreement, SCCs for customer-directed transfers outside the EEA, and EU AI Act Article 10 alignment. The Commitments and Controls panel above lists each artifact.

NEXT STEP

A named YPAI engineer replies within one EU business day with the sovereignty assessment, draft DPA, and the evidence package scoped to your workload.
