Your data stays in the EU
RiskNote stores all data in Stockholm on ISO 27001-certified infrastructure (Elastx). GDPR-compliant from day one. No PII sent to AI providers.
Data sovereignty isn't a marketing term
For Swedish municipalities, public sector organisations, and EU-regulated companies, data sovereignty is a requirement, not a nice-to-have. Using a tool that stores data in the US means the CLOUD Act can be used to compel access — regardless of what the vendor promises in their privacy policy.
RiskNote chose an EU-based host from the start (Elastx in Stockholm) on ISO 27001-certified infrastructure. The application, database, and logs all live inside the EU. The only external data path is AI calls, and we send only what's necessary for the analysis — never PII.
How your data is protected
Datacentre in Stockholm
Elastx is a Swedish hosting provider with datacentres in Stockholm. Physical security, redundant power, and ISO 27001 certification. No data replicated to the US or other non-EU countries.
GDPR Art. 13 in the Privacy Policy
Our privacy policy follows the Art. 13 structure: what data we collect, legal basis, retention, recipients, your rights. Short, direct, no lawyer-speak.
Data minimisation to AI
When we call Anthropic we send only: the risk note's name, description, areas, and your organisation context (industry, size, goals). Never email, user names, or data from other customers.
14-day withdrawal right
The EU Consumer Rights Directive grants a 14-day withdrawal right on distance contracts. RiskNote builds it in-app — one button on the account page, automatic Stripe refund, no email friction.
Data export and deletion
You can export all your data as JSON or PDF. Deletion permanently removes it; nothing is shadow-archived. The GDPR "right to be forgotten" without asterisks.
From sign-up to deletion
1. Sign-up stores the minimum
Email, name, hashed password (bcrypt). No tracking cookie, no third-party analytics without your consent.
2. Data stored in the EU
Database runs at Elastx in Stockholm. Backups replicated within the EU. No data leaves the EU except for AI inference (see Art. 13 for details).
3. Request export or deletion any time
Account page → Export data or Delete account. Export generates immediately as a ZIP. Deletion completes within 30 days.
Same protection on every plan
GDPR protections don't differ between Starter, Pro, and Business. Data sovereignty is a product property, not a paywall feature.
Data and GDPR FAQ
Where exactly is my data stored?
Stockholm, Sweden, at Elastx (ISO 27001-certified). Backups within the EU. No data replicated to the US. The Anthropic AI call runs in the US, but no PII is sent — only risk analysis metadata and organisation context.
Is RiskNote itself ISO 27001-certified?
The infrastructure (Elastx) is ISO 27001-certified. RiskNote as an organisation operates by ISO 27001 principles but isn't certified yet — the system is still young. For enterprise customers that require their own certification, get in touch.
Is there a DPA (data processing agreement)?
Yes. The DPA is concluded automatically on sign-up per GDPR Art. 28. A separate DPA copy can be requested from privacy@risknote.io.
Data you can defend
EU-hosted, GDPR-compliant, ISO 27001 infrastructure. Try free for 7 days.