Security and data protection at Vyrdis

Vyrdis is a European, GDPR-first tool for turning scattered customer feedback into evidence-backed product decisions you can defend. Research data is stored and analysed entirely within the EU — hosted in Germany, analysed in France — and is never transferred to a third country. Vyrdis is made in Norway, with only European subprocessors, which puts it outside US extraterritorial data laws such as the CLOUD Act.

Where your data lives

Where is the data hosted?
Hetzner, Nuremberg, Germany (EU) — with daily backups.
Where is it analysed?
Mistral, France (EU). Your customers' feedback is not used to train anyone's models.
Does research data leave the EU?
No third-country transfer of research data.
How is one customer's data kept from another's?
Database-level tenant isolation (Postgres row-level security).
What contract governs it?
A data processing agreement built on the Norwegian state standard template.
Can you take your data out, or delete it?
Self-serve export and deletion — your data is yours to keep or take.

What "GDPR-first" means here — concretely, not as a badge

  • Data residency you can name. Not "EU-friendly" — research data sits in Germany and is analysed in France, full stop.
  • A real DPA, not a checkbox. Vyrdis's data processing agreement follows the standard the Norwegian public sector uses, so procurement teams recognise it.
  • Export and deletion are buttons, not email requests. You can pull your data out or erase it yourself, whenever you want.
  • Isolation at the database, not just the app. Every customer's data is separated by Postgres row-level security, so one organisation can never read another's.

EU-hosted vs a typical US-headquartered tool

  • Research data is processed in the EU (Germany and France) — not merely "EU-hosted" by a US-governed vendor.
  • As a European-owned company, Vyrdis is not subject to US extraterritorial data laws such as the CLOUD Act, which can compel US vendors even when data sits in the EU.
  • The data processing agreement follows a recognised European (Norwegian state) standard.

This contrast is about company structure and data law, not any single named product.

What Vyrdis does with the feedback

Keeping data in Europe is the floor, not the point. Vyrdis does the heavy analytical lifting and leaves you the judgement: it extracts claims from raw feedback, links them to hypotheses, and scores how strongly the evidence supports each one — from −10 to +10. Every conclusion traces back to the original quote, so you can show your work when someone asks why.

See how it works →

For security and procurement teams

Everything a review needs, in one place:

  • Data Processing Agreement — Built on the Norwegian state standard; agreed by reference when you accept the terms, with a signed copy available on request.
  • Sub-processors — The full, current list of subprocessors and their locations.
  • Privacy — What is processed, on what basis, and for how long.
  • Data export and deletion are both self-serve, available at any time.

Need something specific for a security questionnaire? Reach out and Vyrdis will get you the document.

Frequently asked questions

Is Vyrdis GDPR compliant?
Yes. Vyrdis is a European company, research data is stored and analysed entirely within the EU, each customer's data is isolated at the database level, and a data processing agreement built on the Norwegian state standard applies to every customer. Export and deletion are self-serve.
Where is my data stored?
Research data is hosted with Hetzner in Germany and analysed with Mistral in France — both within the EU, with daily backups.
Does my research data leave the EU?
No. There is no third-country transfer of research data. Transactional email is handled by an EU-hosted provider whose own operational subprocessors may process limited metadata outside the EU under standard EU safeguards — this does not involve your research data.
Is Vyrdis subject to the US CLOUD Act?
No. Vyrdis is made in Norway (EEA), with only European subprocessors, so it is not subject to US extraterritorial data laws such as the CLOUD Act.
Is my customers' feedback used to train AI models?
No. The AI analysis runs on Mistral's business terms, where your data is not used to train their models.
Can I export or delete my data?
Yes — both are self-serve. You can export your data or delete everything yourself, at any time.