GDPR Compliance

How KonversAI ensures your business is aligned with data protection regulation

KonversAI is developed with privacy as a core principle («privacy by design»). Mosaiq AS complies with the EU General Data Protection Regulation (GDPR) and applicable privacy legislation throughout all parts of the service. This page explains our concrete measures and how we help you as a customer to meet your GDPR obligations.

1. Our GDPR measures

Privacy by design

Privacy is built into the architecture from the start, not added as an afterthought.

Data minimisation

We only collect what is strictly necessary to deliver the service.

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256).

EEA storage

Data is stored primarily in Norway and the EU. Transfers to third countries take place only with valid safeguards.

Access control

Only authorised personnel with a legitimate need have access to personal data.

Incident response

Procedures to detect, notify and handle personal data breaches within 72 hours.

2. Roles and responsibilities

GDPR distinguishes between two key roles:

  • Data controller (you as customer): Determines the purposes and means of processing. You are responsible for ensuring that your use of KonversAI is GDPR-compliant, including that a legal basis for processing exists and that your users are informed.
  • Data processor (Mosaiq AS): Processes personal data on your behalf and in accordance with your instructions. We are bound by the data processing agreement and may not use the data for our own purposes.

All customers processing personal data through KonversAI must enter into a data processing agreement with Mosaiq AS. Contact us at contact@mosaiq.ai to sign the agreement.

3. Sub-processors

We use sub-processors to deliver the service. All sub-processors are bound by data processing agreements and process data only in accordance with our instructions.

Current sub-processors include:

  • Cloud services: Microsoft Azure / Amazon AWS (EEA regions)
  • AI processing: Large language model providers with EU SCCs in place
  • Payment processor: Certified PCI-DSS provider

Customers will be notified when new sub-processors are added and have the right to object on legitimate grounds related to data protection.

4. Data subject rights

KonversAI is built to help you fulfil data subjects' rights under the GDPR:

  • Access and data portability: Data can be exported in machine-readable format on request.
  • Erasure: Personal data can be deleted within 30 days of request.
  • Rectification: Inaccurate data can be corrected immediately.
  • Objection: Processing can be restricted or stopped on legitimate grounds.

Send requests to exercise rights to contact@mosaiq.ai. We respond within 30 days.

5. AI and GDPR

KonversAI processes conversation data on behalf of customers. We take special precautions for AI processing:

  • Personal data is not used to train models in ways that make data available to other customers.
  • Anonymised and aggregated data may be used to improve service performance.
  • Automated decisions with legal or similar effect are not offered without explicit consent and the option of human review.
  • We conduct data protection impact assessments (DPIA) for new AI features with high privacy risk.

Do you have questions about GDPR compliance, or would you like to sign a data processing agreement?

Contact us at contact@mosaiq.ai