← Alla insights
AI Consulting

Where does your data actually go?

Before you ask what an AI tool can do, ask where your data lands. The second question decides whether you're even allowed to use it. Here's the part the sales call skips.

5 min läsning

Every AI sales conversation is about capability: what the tool can do, how fast, how impressive the output. Almost none of them start with the question that actually decides whether you can use it at all.

Where does your data go when you press send?

For a Nordic or EU business, that’s not a paranoid afterthought. It’s often the constraint that should have shaped the decision from the start.

The question nobody asks in the demo

When you paste a customer record, a contract, or an internal document into an AI tool, that text leaves your building. It travels to a server — somewhere — gets processed, and sometimes gets logged or retained. “Somewhere” is doing a lot of work in that sentence, and the demo never tells you where.

The vendor is incentivised to talk about what the model can do. You’re the only one in the room incentivised to ask what happens to the data afterwards. So you have to ask.

EU vs US: it’s not paranoia, it’s the law

If you handle personal data of EU residents, GDPR doesn’t care how good the model is. It cares where the data is processed, who can access it, and on what legal basis it leaves the EU. A brilliant tool that routes everything through a US region with vague retention terms can be a compliance problem you’ve signed yourself into without noticing.

This isn’t about distrusting US providers — many offer EU data residency and proper data-processing agreements. It’s about knowing which configuration you’re actually on, because the default is rarely the compliant one.

What “EU region” actually means

“Hosted in the EU” can mean several different things, and they’re not equal:

  • EU data residency — your data is stored and processed in EU data centres. Good, but check whether support staff or sub-processors outside the EU can still access it.
  • A signed DPA — the vendor contractually acts as your data processor, with defined retention and deletion. This is the piece that makes the legal basis real.
  • No training on your data — confirm in writing that your inputs aren’t used to train the provider’s models. For business data, this matters as much as residency.

If a vendor can’t answer all three clearly, that’s the answer.

A checklist before you sign up for any AI tool

Before the capability conversation, get four things in writing: where the data is processed, who can access it, how long it’s retained, and whether it’s used for training. Four questions. If the tool clears them, then talk about what it can do.

This is the unglamorous half of an AI decision, and it’s the half that keeps you out of trouble. If you want a partner who treats it as the first question rather than the last, that’s how we scope every engagement.

Läste något som väckte fler frågor?

Bra. Det är oftast där det intressanta arbetet börjar. Kostnadsfritt 30-minuterssamtal — ingen pitch, bara ett samtal.

Boka ett samtal →