When organizations evaluate AI agents for business-critical workflows, one question comes up more than any other: "Where does our data go?"
It's the right question. The answer determines whether an AI deployment is viable for European companies — or a compliance risk waiting to surface.
The Problem with Most AI Tools
Most enterprise AI tools are built on top of large language models hosted in the United States. Your data leaves the EU, is processed on American infrastructure, and returns as an output. For many use cases this is fine. For workflows that touch customer data, employee information, financial records, or any regulated data, it's a significant problem.
The three most common issues:
Regulatory exposure. GDPR and the Swiss nDSG impose strict requirements on data transfers outside designated jurisdictions. Sending business data to US-hosted AI services without adequate safeguards is, in many cases, non-compliant by default.
Training data risk. Some AI providers use customer interactions to improve their models. Even if this is disclosed in a terms of service that nobody reads, the practical effect is that your proprietary business data could influence a model trained on thousands of other companies' data.
Auditability gaps. When your data is processed by a third-party cloud in another jurisdiction, your ability to audit, trace, and demonstrate compliance is limited. Regulators increasingly expect you to show exactly where data went and what happened to it.
How Nolen Handles Data
Nolen was designed with data sovereignty as a foundational requirement — not an optional compliance add-on.
Swiss Hosting
All Nolen infrastructure runs on servers located in Switzerland. Your data — customer records, business workflows, interaction logs — never leaves Swiss territory during normal operation.
This applies to:
- Incoming data from your systems
- Processing and reasoning by the agent
- Logs and audit trails
- Outputs and actions
No Third-Party Model Training
Your data is never used to train AI models, including Nolen's own models or any third-party systems. When your agent processes a customer interaction, that interaction stays private to your organization.
On-Premise Option
For organizations with the highest data sensitivity requirements, Nolen can be deployed on your own infrastructure — either in your private cloud or your own data center. The agent runs inside your environment. No data leaves at all.
```json
{
  "deployment": "on-premise",
  "data_jurisdiction": "customer_environment",
  "external_calls": "none",
  "compliance": ["GDPR", "nDSG", "ISO_27001"]
}
```
What This Means for Compliance
Operating under GDPR (EU) or the Swiss nDSG, your organization needs to demonstrate:
| Requirement | Nolen Approach |
|---|---|
| Data residency | Swiss servers, no cross-border transfer |
| Purpose limitation | Processing only for defined agent tasks |
| Audit trail | Full decision logs, exportable |
| Right to erasure | Data deletion on request, verifiable |
| Processing agreements | DPA available, Swiss law governed |
We provide a Data Processing Agreement (DPA) governed by Swiss law for all enterprise deployments. Your legal team doesn't need to evaluate foreign jurisdiction frameworks.
The Practical Difference
We've worked with companies where data sovereignty made the difference between a deployment being approved or blocked. Once a project clears legal and compliance review, everything moves faster.
If your IT security or legal team will eventually review an AI deployment — and they will — building on compliant infrastructure from day one eliminates one of the most common delays.
In our experience, 'we store everything in Switzerland and never train on your data' resolves about 80% of enterprise security review questions.
Data sovereignty isn't a differentiator we invented. It's a requirement our customers were already asking for. We built for it because the alternative — asking European companies to accept US data processing for business-critical workflows — isn't a real option.
Getting Answers to Your Security Questions
If your organization is evaluating Nolen and you have specific questions about data handling, jurisdiction, or compliance requirements, we're happy to provide detailed technical documentation and connect you with our security team directly.
Every enterprise deployment starts with a technical review. Yours should too.