Privacy Policy

Last updated: February 8, 2026

AI-Powered Features and Data Processing

Use of Artificial Intelligence

Norrsent ERM uses artificial intelligence (AI) technologies to enhance risk identification, analysis, and recommendations. Our AI features include:

  • Automated risk identification across operational, financial, ESG, and regulatory domains
  • Natural language processing for risk assessment and documentation
  • Predictive analytics for risk trend analysis and forecasting
  • AI-assisted content generation for risk reports and mitigation strategies

Important: All AI-generated suggestions and recommendations are advisory only and do not constitute automated decision-making under GDPR Article 22. Human review and approval are required for all risk management decisions.

Third-Party AI Processors

To provide AI-powered features, we engage the following approved sub-processors:

OpenAI (OpenAI, L.L.C.)

  • Purpose: AI-assisted analytics, risk identification, and content generation
  • Data Processed: Risk descriptions, organizational context, and anonymized operational data
  • Location: United States (with Standard Contractual Clauses for EU data transfers)
  • Safeguards: Enterprise API with zero data retention policy, SOC 2 Type II certified
  • Privacy Policy: https://openai.com/privacy

All sub-processors are bound by Data Processing Agreements (DPAs) that ensure GDPR compliance, including appropriate technical and organizational measures to protect your data.

Purpose Limitation

We process your data exclusively for the following purposes:

  • Service Delivery: To provide enterprise risk management services as contracted
  • AI Enhancement: To generate risk insights, recommendations, and automated workflows
  • Platform Improvement: To improve our AI models and platform features (only with anonymized, aggregated data)
  • Compliance and Security: To maintain audit trails, security monitoring, and regulatory compliance
  • Customer Support: To respond to inquiries and provide technical assistance

We do not use your data for marketing, advertising, or any purpose beyond those explicitly stated in your enterprise agreement without obtaining separate consent.

Data Retention Periods

Data Type | Retention Period
Active risk data | Duration of contract + 90 days
Archived risk data | 7 years (for regulatory compliance)
Audit logs and security events | 2 years
User account data | Duration of contract + 30 days
AI training data (anonymized) | Indefinite (fully anonymized, non-personal)
Backup copies | 90 days rolling window
Marketing contact data | Until consent withdrawn or 3 years of inactivity

Upon contract termination or deletion request, we will delete or anonymize your personal data within 30 days, except where longer retention is required by law (e.g., financial records, regulatory compliance).

Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data (subject to legal retention requirements)
  • Right to Restriction: Limit how we process your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent)

To exercise these rights, contact us at privacy@norrsent.com or through your enterprise account manager. We will respond within 30 days as required by GDPR.

Enterprise Security

Norrsent ERM is built with enterprise-grade security and compliance in mind. Our platform features AES-256 encryption, comprehensive audit trails, and 99.99% availability backed by AWS infrastructure.

Cookie Usage

We use cookies to enhance your experience and analyze website usage. Below you can see detailed information about all cookies used on our website and manage your preferences.