Compliance & Security

GDPR Compliant

v2.0

Last updated: December 8, 2025

Echo Algori Data is built to be GDPR compliant – both for our own data and when handling data on behalf of clients.

As a Norwegian company (org.no. 928 592 405), we comply with the Norwegian Personal Data Act and the EU General Data Protection Regulation (GDPR), while delivering solutions to customers worldwide.

Applicable frameworks:

  • GDPR (EU) 2016/679
  • Norwegian Personal Data Act
  • EU AI Act 2024/1689
  • E-Com Act 2025

This page provides a practical overview of how we work with GDPR. For full details, see also:

1. Our Role: Data Controller and Data Processor

We can have two different roles:

1. Data Controller – when we process personal data for our own purposes, e.g.:

  • Website, analytics, forms and customer communication
  • Email, meetings and project administration
  • Recruitment and internal operations

This is described in our Privacy Policy.

2. Data Processor – when we process personal data on behalf of our customers, e.g.:

  • Integrations between customer systems
  • Agentic AI solutions working on customer internal data
  • Automated workflows (n8n/Make, API, dashboards, etc.)

In these cases:

  • The customer is the data controller.
  • We are the data processor and follow a Data Processing Agreement (DPA) describing purpose, security, and subcontractors.

2. Data Processing Agreement (DPA)

When we process personal data on your behalf, we offer a structured DPA covering:

  • Purpose of processing
  • Types of personal data and categories of data subjects (customers, users, employees, etc.)
  • Our obligations as data processor
  • Security measures (technical and organizational)
  • Rules for use of subcontractors (sub-processors)
  • Retention period and deletion/anonymization after assignment ends
  • Handling of deviations and personal data breaches
  • Mechanisms for international transfers (EU standard clauses, etc.)

How to get a DPA?

Contact us at privacy@echoalgoridata.no, and we will send you our updated standard agreement, or customize a DPA for your project.

3. Subcontractors (Sub-processors)

To deliver modern AI and automation solutions, we use the following subcontractors:

Provider | Purpose | Location | Transfer Mechanism

Infrastructure & Hosting
Vercel Inc. | Hosting, CDN, serverless functions | USA | SCC + DPF
Supabase Inc. | Database, authentication, storage | USA (EU region) | SCC + EU hosting

AI Service Providers
Anthropic PBC (Claude) | Text generation, AI agents, analysis | USA | SCC
OpenAI LLC (GPT) | Text generation, embeddings | USA | SCC + DPF
Google LLC (Gemini) | AI models, search, analysis | USA/EU | SCC + DPF
DeepSeek | AI models (by agreement) | China | SCC + TIA

Communication
Mailtrap (Railsware) | Transactional emails | EU (Ukraine) | SCC

Monitoring & Analytics
Sentry (Functional Software) | Error monitoring, performance | USA | SCC + DPF
Vercel Analytics | Anonymous web analytics | USA | Anonymized

Legend:

  • SCC = Standard Contractual Clauses
  • DPF = EU-U.S. Data Privacy Framework
  • TIA = Transfer Impact Assessment

When we act as data processor:

  • All subcontractors processing personal data are considered sub-processors.
  • We enter into separate data processing agreements (or equivalent) with these.
  • We have internal procedures for selection, evaluation, and monitoring of subcontractors.
  • This list is updated for significant changes. Last update: December 8, 2025.

If we make significant changes to which subcontractors are used for your solution, this will be handled in accordance with agreed procedures (e.g., 30 days notice and opportunity to object).

4. International Transfers (EU/EEA and Third Countries)

Echo Algori Data is a Norwegian company, but our customers and some technology partners are global (incl. Europe, USA, and other regions). When personal data is transferred outside the EU/EEA:

  • We follow the rules in GDPR Chapter V on transfers to third countries.
  • Where there is no "adequacy decision", we typically use the EU Commission's Standard Contractual Clauses (SCC) combined with relevant technical and organizational measures.
  • We continuously assess risks and necessity of such transfers, especially regarding AI services and cloud providers.

If you have special requirements (e.g., strict data residency requirements or preference for EU/EEA-only storage), we can normally:

  • Design a solution that keeps data in the EU/EEA as much as possible, or
  • Consider a combination of local and international providers, clarified in the agreement.

6. Information Security and Privacy by Design

We practice "privacy by design" and "privacy by default" as much as possible:

  • Data minimization (only what is necessary for the purpose)
  • Access control and "least privilege" – only those who need access get it
  • Logging and monitoring of critical systems
  • Encryption where appropriate (at rest and/or in transit)
  • Updated procedures for patching, backup, and incident handling
  • Internal training and awareness on security and privacy

In case of a personal data breach:

  • We have procedures to detect, contain, and document the incident.
  • We will, when required, notify both customer/controller and relevant supervisory authorities, and assist with investigation and remediation.

7. AI Solutions, EU AI Act, and Responsible Use

Since we work extensively with generative AI, agentic systems, and automation, we have our own principles for responsible use that align with the new EU Artificial Intelligence Act (EU AI Act).

EU AI Act Compliance (Regulation 2024/1689)

The EU AI Act entered into force on August 1, 2024 with phased implementation through 2027. We are actively preparing for full compliance:

Done – Feb 2025: Prohibited AI practices

We do not use any prohibited AI systems (social scoring, manipulation, biometric mass surveillance).

In progress – Aug 2025: GPAI models

We document all general-purpose AI models (Claude, GPT, Gemini) and their use in our solutions.

Planned – Aug 2026: High-risk AI systems

For projects in health, finance, HR, or critical infrastructure, we implement risk assessment and documentation per Annex III.

AI Risk Classification

We classify all AI solutions according to EU AI Act risk levels:

  • Minimal risk – Chatbots, content
  • Limited risk – Transparency
  • High risk – Special requirements
  • Unacceptable – Prohibited

Our principles for responsible AI use:

1. Clear Roles and Data Flow

  • We map which systems and types of personal data are part of the solution.
  • We clearly distinguish between test data, synthetic data, and real production data.

2. Data Minimization and Anonymization Where Possible

If the solution can work satisfactorily with anonymized or pseudonymized data, we prioritize that.

3. Transparency and Disclosure

We recommend that you as a customer are open with your own users/employees about how AI is used, what data is processed, and why. In line with EU AI Act Art. 50, users should be informed when interacting with AI systems.

4. Human Control (Human-in-the-Loop)

  • AI components should normally be seen as support, not as the sole decision-maker in critical processes (GDPR Art. 22).
  • We always recommend procedures for human review, quality assurance, and the ability to override automated suggestions.

5. Adapted Risk Level

  • Health, finance, children, vulnerable groups, or highly sensitive data require extra assessment and stricter frameworks per EU AI Act Annex III.
  • We can assist with risk and maturity assessments for such environments.

8. Rights of Data Subjects

Your rights as a data subject (access, rectification, erasure, restriction, data portability, objection, and withdrawal of consent) are described in more detail in our Privacy Policy.

In short, you can:

  • Request access to what personal data we have about you
  • Ask us to rectify or delete data within legal limits
  • Object to certain types of processing
  • Withdraw consent where it is the legal basis

Contact: privacy@echoalgoridata.no

If you believe we are not processing personal data in accordance with regulations, you can complain to the Norwegian Data Protection Authority or the relevant supervisory authority in your home country. However, we appreciate if you contact us first so we can try to resolve the matter amicably.

9. Customers Outside EU/EEA (incl. USA)

For customers outside EU/EEA – including collaboration with ALG Dynamics (USA) and other partners – it is important to know:

  • We apply GDPR-level standards as default, even when working with international customers.
  • Where local legislation requires additional measures, we can adapt agreements and technical solutions.
  • We can help design architecture that fits both GDPR and relevant local requirements (e.g., storage requirements in specific regions, internal policies, industry standards).

10. Updates and Questions

We continuously improve both technology and procedures – and this page will be updated as needed. Date of last update is at the top.

Questions about GDPR and privacy?

Email (privacy): privacy@echoalgoridata.no

Email (general): info@echoalgoridata.no

11. Version History

v2.0 – 8 December 2025

  • Added detailed sub-processor list with all providers
  • Added EU AI Act 2024/1689 compliance details
  • Updated AI section with risk classification
  • Added Norwegian E-Com Act 2025 reference
  • Added transfer mechanisms (SCC, DPF, TIA)

v1.0 – 1 January 2025

  • Initial GDPR compliance page
  • Basic roles and responsibilities
  • DPA information and security measures
