GDPR-Native, Not GDPR-Compliant
We did not retrofit our operations for GDPR. We were born under it. Norwegian jurisdiction. European servers. No CLOUD Act exposure. No cross-border transfer issues. When your auditor asks where the data went, the answer is: it never left.
Norwegian AS (aksjeselskap). Not subject to US CLOUD Act.
What GDPR Means for Voice Data
Voice is not just audio. Under GDPR Article 9, voice recordings processed for identification constitute biometric data - a special category with stricter protections, higher penalties, and narrower lawful bases.
Article 9: Special Category Data
Voice recordings used for speaker identification or verification are biometric data. Processing requires explicit consent under Article 9(2)(a) - not the general legitimate interest basis available for ordinary personal data. Most speech data providers treat voice as standard data. Regulators do not.
4% of global annual turnover or €20M
Explicit consent (Art. 9(2)(a))
€7.1B+ since 2018 enforcement
Six Data Subject Rights
Every voice contributor retains enforceable rights under Articles 15-22.
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right to withdraw consent (Art. 7(3))
Erasure as an Operation
Right-to-erasure is not a policy. It is an operation. When a contributor withdraws consent, their recordings must be identifiable, locatable, and deletable within 30 days. If your dataset was scraped or crowdsourced without individual-level indexing, erasure is architecturally impossible.
Consent Must Be Explicit, Specific, and Auditable
Under Articles 6 and 7, consent for biometric processing must be freely given, specific to the purpose, informed, and unambiguous. Pre-ticked boxes, bundled consent, or platform terms of service do not meet this standard. Every YPAI contributor signs an individual consent form specifying the exact processing purpose, retention period, and their right to withdraw at any time.
The Frankfurt Fallacy
"Our servers are in Frankfurt" is not a compliance statement. A US-incorporated company running servers in an EU datacenter remains subject to the US CLOUD Act. When a US government agency issues a warrant, the company must comply - regardless of where the data is physically stored.
For AI training data containing voice recordings of EU citizens - biometric data under Article 9 - this creates an irreconcilable conflict with GDPR. The same data must be protected under GDPR and yet remain accessible to US authorities under the CLOUD Act.
The CLOUD Act (2018) requires US-incorporated companies to produce data stored anywhere in the world when served with a valid warrant. EU Standard Contractual Clauses do not override US law.
Norwegian Entity. Zero US Jurisdiction.
YPAI is a Norwegian aksjeselskap (AS), incorporated and operated under Norwegian law. Norway is an EEA member, meaning GDPR applies directly through the Norwegian Personal Data Act (Personopplysningsloven). We are not subject to the US CLOUD Act, FISA Section 702, or any US surveillance legislation.
Norway (EU/EEA jurisdiction)
Datatilsynet (Norwegian DPA)
Not applicable. Not a US entity.
EEA-internal only. No adequacy decision needed.
Built for GDPR From Day One
Compliance is not a feature we added. It is the architecture itself. Every layer - infrastructure, staffing, subprocessors, consent, and erasure - was designed under EU law.
All EU/EEA. No exceptions.
All voice recordings, metadata, consent records, and derived datasets reside on European infrastructure. No data leaves the EEA at any point in the pipeline - collection, processing, storage, or delivery.
EU/EEA Legal Framework
All operations staff are contracted under EU/EEA employment and data protection frameworks. Data access is restricted to personnel within EU jurisdictions, ensuring no informal exposure through staffing locations outside GDPR's reach.
European-Only Stack
Zero US-headquartered subprocessors. No AWS, no Google Cloud, no Azure. Our infrastructure stack uses European-headquartered providers only, eliminating indirect CLOUD Act exposure through the supply chain.
Individual. Auditable. Revocable.
Every voice contributor provides explicit, purpose-specific consent through an individual consent form - not bundled platform terms. Each consent record includes:
30-Day SLA. Individual-Level.
When a contributor exercises their right to erasure, we identify and remove all their recordings within 30 days. This is possible because our architecture tracks contributions at the individual level - not batch, not aggregate.
US-Based Provider vs YPAI
The distinction is not about effort or intent. It is about legal structure. A US-incorporated provider cannot achieve what a Norwegian entity provides by default.
(even with EU servers)
(Norwegian AS)
Talk to Our Compliance Team
Whether you need a Data Processing Agreement, a compliance assessment for your current speech data pipeline, or GDPR-native data from day one - we can help. Norwegian jurisdiction. European infrastructure. No CLOUD Act ambiguity.