SOVEREIGN AI ETHICS FRAMEWORK

Jurisdiction is the only durable compliance answer

Norway-based, EEA-only infrastructure, no US corporate entity. The CLOUD Act reaches a US-domiciled provider regardless of where data sits; YPAI is structurally outside that reach, so the answer to your first due-diligence question is None, by structure rather than by contract. GDPR Article 28 DPA shipped with every engagement, 30-day erasure SLA, EU AI Act Article 10 documentation per project.

Registered in Norway, EEA operations. DPA shipped with every engagement. Reply within one business day.

JURISDICTION_PROTOCOL (READ-ONLY / VERIFIED)

ENTITY: Norwegian company
JURISDICTION: Norway (EEA member)
ADDRESS: Markveien 57, 0550 Oslo
INFRASTRUCTURE: EEA-only, self-hosted (no US cloud in path)
SCC_BASELINE: EEA processing default, SCCs on customer-directed transfer
CLOUD_ACT_EXPOSURE: None

  • EEA-only
  • No US entity
  • GDPR Art. 7 + 28 + 48
  • EU AI Act Art. 9 + 10
  • 30-day erasure
  • DORA + MiFID II

REGULATORY DEADLINE LANDSCAPE

Three already live. One enforces August 2026.

Internal compliance teams cannot wait for a Schrems III decision to pick a data vendor. MiFID II has applied since 2018, Schrems II since 2020, and DORA since January 2025. The fourth deadline is the one still ahead: from 2 August 2026 the EU AI Act data-governance obligations for high-risk systems are enforceable, and they fall on the provider that trains or places the system on the market (Article 3(3)), not on a downstream deployer. The vendor selected today has to evidence Article-level alignment now.

CORPORATE STRUCTURE

Three facts that survive a Schrems II audit

A US-domiciled vendor with EU data residency is still subject to CLOUD Act compulsion. Data residency without entity residency is a contractual patch, not a structural answer.

LEGAL ENTITY

Norway, EEA member state

Registered in Norway

Norway is an EEA member through the EEA Agreement, subject to the GDPR but not party to any US compulsion framework that overrides EU law.

OPERATIONS

Markveien 57, 0550 Oslo

Headquarters and EEA-only contributor network

Contributor network resident in EEA jurisdictions. Production data is processed in EEA infrastructure; no third-party US cloud platform sits in the production data path.

CLOUD ACT EXPOSURE

18 U.S.C. 2713

None

  • 0 US corporate entity
  • 0 US subsidiary
  • 0 US-domiciled parent

The CLOUD Act reaches a US-domiciled provider regardless of data location. YPAI is structurally outside that compulsion reach.

Detailed CLOUD Act exposure analysis available under MNDA in the first conversation.

GDPR ARTICLE ALIGNMENT

Article-level evidence, not platform-ToS reassurance

Internal legal cannot evidence compliance from a marketplace terms-of-service. The table below is what an Article 28 DPA dossier looks like in practice: each GDPR Article mapped to the YPAI artefact that satisfies it, and the point in the engagement at which that artefact is delivered. Article 28 obligations ship with the contract, not on request.

| Article | YPAI artefact | Delivery |
|---|---|---|
| Art. 6 Lawfulness of processing | Per-project lawful-basis declaration tied to the customer-defined purpose | per-project |
| Art. 7 Conditions for consent | Per-contribution explicit consent record with timestamp and purpose-binding hash | per-contribution |
| Art. 9 Special-category data | Explicit-consent flow with heightened safeguards | per-project |
| Art. 12-23 Data subject rights workflow | Access, rectification, erasure, restriction, portability, and objection routes documented per contributor | on-demand |
| Art. 28 Processor obligations | Standard YPAI DPA shipped with every engagement, not on request | contract |
| Art. 32 Security of processing | Technical and organisational measures schedule (encryption-in-transit, access controls, key isolation) attached to the DPA | contract |
| Art. 48 Transfers not authorised by Union law | No US-domiciled entity in the processor chain. EEA processing default. SCCs available for customer-directed transfers outside the EEA. | contract |

GDPR Article 83 administrative fines: up to EUR 20M or 4% of global annual turnover, whichever is greater.

EU AI ACT HIGH-RISK PROVISIONS

What we evidence. What the PROVIDER owns.

Under the EU AI Act, the organisation that trains or places a high-risk AI system on the market is the provider (Article 3(3)), and the provider cannot delegate the Article 9 risk-management system, the Article 43 conformity assessment, Article 48 CE marking, the Article 47 declaration of conformity, Article 72 post-market monitoring, or Article 13 transparency. YPAI is upstream of all of that: we evidence the training-data layer so the provider's Article 9 system has artefacts to cite.

YPAI EVIDENCES

Article 10, Data Governance

  1. 10(2)(a) Data collection processes (per-project protocol): evidenced
  2. 10(2)(b) Data origin and intended use (provenance log): evidenced
  3. 10(2)(c) Data preparation and labelling (annotation methodology): evidenced
  4. 10(2)(d) Bias and representativeness examination (distribution metadata): evidenced
  5. 10(2)(e) Quality and suitability criteria: shared scope
  6. 10(2)(f) Identification of gaps and shortcomings (known-limitation register): evidenced
  7. 10(2)(g) Gap remediation measures: shared scope

THE PROVIDER OWNS

Article 9, Risk Management System

Provider obligation (Art 3(3)). YPAI feeds it; YPAI does not own it.

  1. Sampling methodology documentation per project
  2. Demographic and dialect distribution metadata
  3. Known-limitation register for any modality or language gap

Out of scope for YPAI. The provider's non-delegable obligations (Art. 3(3)).

  • Conformity assessment of the deployed AI system (Art. 43)
  • CE marking (Art. 48)
  • EU declaration of conformity (Art. 47)
  • Post-market monitoring (Art. 72)
  • Transparency to end-users (Art. 13)

EU AI Act Article 99 administrative fines: up to EUR 35M or 7% of worldwide annual turnover for prohibited-AI violations; up to EUR 15M or 3% for high-risk and other obligations.

FINANCIAL SERVICES VERTICAL

DORA artefacts and MiFID II retention compatibility

Both regulations are in force. Both require named, paper-trail-grade artefacts from third-party data providers, not category statements. MiFID II has demanded 5-plus-year recording retention since 3 January 2018; DORA has demanded third-party ICT risk artefacts since 17 January 2025. The window below is drawn to scale: both in-force ticks sit left of today, and the MiFID II retention span is measured against the years axis, not asserted in a sentence.

DATA LIFECYCLE AND AUDIT ARTEFACTS

Every project produces the same evidence pack

From consent capture through erasure, each lifecycle stage emits one named artefact. Six stages, six documents, the same pack on every engagement: your internal audit receives a paper trail, not a vendor questionnaire. The source data terminates at erasure within a 30-day SLA from a verified data-subject request under GDPR Article 17; the evidence of how it was handled is retained for the audit period.

30 days

GDPR Article 17 erasure SLA

From a verified data-subject request to the destruction event.

Immutable provenance

Hash-anchored version log retained for the audit period.

Erasure certificate

Issued with each erasure event under the engagement DPA terms.

FAIRNESS REVIEW

Three protections operational. One dated, not claimed.

Marketplaces accept platform terms-of-service in bulk. The YPAI contributor relationship is documented per contributor: onboarded under a documented agreement before paid work, consent recorded per contribution and bound to your stated purpose, paid monthly in five settlement currencies. The grievance channel runs through customer-success today; the dedicated contributor route is operational Q3 2026. We list what is still being formalised rather than imply it already exists.

40,000+ contributors across 50+ countries.

Being formalised before EU AI Act high-risk obligations take effect

Target: 2026-08-02

  1. Pay-rate floor policy, per language and per task type (PENDING / 2026-08-02)
  2. Working-hours cap and mandatory-rest windows on long-running tasks (PENDING / 2026-08-02)
  3. Mental-health support and rotation policy for content-moderation tasks (PENDING / 2026-08-02)
  4. Anti-harassment policy and grievance escalation log (PENDING / 2026-08-02)

INDEPENDENCE AND OBJECTIONS

The vendor-independence policy procurement asks for

Since the June 2025 restructuring of a major US data vendor, internal procurement has been asking suppliers for an explicit, written independence policy. This is ours, with the six objections that follow it most often, answered in full.

  1. EQUITY: No equity from foundation-model builders or hyperscaler cloud platforms.
  2. DATA: No data sharing with third parties beyond the named sub-processor inventory disclosed in the engagement DPA.
  3. CONFLICT OF INTEREST: An explicit conflict-of-interest clause in customer agreements, including written notice if YPAI begins work with a direct competitor of the customer in the same modality and market.

Q1 Are these strong claims on a webpage, or can you show the DPA, audit logs, consent records, and erasure certificates?

The DPA is shipped with every engagement, not on request. Consent record schema, provenance log schema, and erasure certificate sample are available under MNDA in the first conversation. Detailed CLOUD Act exposure analysis is available on the same MNDA terms.

answer basis: structural fact

Q2 Zero CLOUD Act exposure sounds absolute. What about a US-citizen employee abroad?

The CLOUD Act reaches a US-domiciled provider. YPAI is a Norwegian Aksjeselskap with no US corporate entity, no US subsidiary, and no US-domiciled parent. Individual employee citizenship does not change entity domicile. Edge cases involving customer-directed transfers outside the EEA are governed by SCCs in the engagement DPA.

18 U.S.C. 2713

answer basis: structural fact

Q3 You are Norwegian. Can you handle 150+ language coverage and our volume?

Our EEA-resident contributor network spans 50+ countries and supports 150+ languages including all Nordic languages. Scale is driven by the contributor network, not by entity HQ jurisdiction.

answer basis: structural fact

Q4 Our MLOps pipeline runs on managed cloud APIs. How disruptive is self-hosted infrastructure?

YPAI's self-hosted infrastructure applies to the data-production layer. Delivery to the customer's MLOps pipeline uses standard transfer mechanisms (object storage, signed-URL pickup, API) under the engagement terms. The data-residency property is preserved through delivery.

answer basis: in-scope mechanism

Q5 EU AI Act is new. How do we know your framework will hold up?

Where the customer trains or places a high-risk AI system, the customer is the provider under EU AI Act Article 3(3), and Article 9 risk management, conformity assessment (Art. 43), CE marking (Art. 48), the declaration of conformity (Art. 47), and post-market monitoring (Art. 72) are provider obligations. YPAI evidences the training-data layer (Article 10 data governance) so the provider's risk-management system has artefacts to cite. Where guidance is still developing (delegated and implementing acts under Articles 96 and 97), YPAI artefacts are scoped to the provider obligations and updated as guidance is published.

EU AI Act Art. 3(3)

answer basis: developing guidance

Q6 Compliance is your headline. Is annotation accuracy and inter-annotator agreement at a quality-first vendor level?

Compliance is one of three quality dimensions YPAI reports per project: inter-annotator agreement per task type, accuracy against ground truth per language and modality, and compliance (the artefacts in this framework). Per-project benchmarks are shipped with delivery, not self-reported aggregates.

answer basis: in-scope mechanism

3 POLICIES / 6 OBJECTIONS / 0 OPEN

DPA REQUEST

Bring the framework to your dataset

Read the Article 28 DPA as written, scope a sovereignty assessment against your engagement, or take the framework into a dataset conversation. The DPA ships with every engagement, not on request.

Read the DPA GDPR Article 28 processor agreement, shipped as written

As the high-risk AI provider you assemble the conformity file under EU AI Act Articles 43, 47, and 48. YPAI supplies the Article 10 training-data evidence that file has to cite.

Norwegian Aksjeselskap, Bronnoysundregistrene 928 805 735. EEA-only operations. Reply within one EU business day.
