Consultancy annex

Security, AI Governance & NIS2 Compliance

Effective Date: January 28, 2026
Applicability: This Annex applies to all AI-enabled software automation and consulting services provided by Egoiste (the "Consultant") to business clients (the "Client").

1. Compliance Framework

The Consultant operates in full alignment with the Swedish Cybersecurity Act (2025:1506), transposing the EU NIS2 Directive. As a Tier 1 digital service provider, the Consultant implements appropriate and proportionate technical and organizational measures to ensure the resilience of all provided automations.

2. Data Residency & Sovereignty

To mitigate risks associated with international data transfers and the US CLOUD Act, the Consultant adheres to strict data residency protocols:

  • Google Workspace Governance: All primary data at rest, and all processing of that data, is locked to the European Union (EU) region.
  • Managed Local Hosting: For time-critical or sensitive industrial data, the Consultant utilizes localized Swedish data centers (e.g., in Kramfors) to ensure 100% Swedish data sovereignty.
  • Third-Party Tools: Business-critical CRM data (HubSpot) is processed under a NIS2-compliant Data Processing Addendum (DPA) with verified EU/EEA storage.

3. AI "Security by Design" & Auditability

All AI-enabled automations are developed with security and transparency as core requirements:

  • Audit Trails: Every automated decision made by an AI agent is logged with tamper-proof "Object Lock" settings to support legal auditing and forensic analysis.
  • Software Bill of Materials (SBOM): Upon request, the Consultant provides a full inventory of all software libraries and AI models used to facilitate the Client's mandatory vulnerability assessments.
  • Security Controls: Systems include native protections against prompt injection, model poisoning, and unauthorized data exfiltration.

4. Incident Management & Reporting

The Consultant maintains robust incident handling procedures to assist Clients in meeting their legal 24-hour notification obligations:

  • Early Warning: The Consultant will notify the Client of any "Significant Incident" within 12 hours of detection.
  • Reporting Support: Technical root-cause analysis will be provided within 48 hours to support the Client’s final report to the Swedish Civil Contingencies Agency (MSB).

5. Shared Responsibility Matrix

Security is a shared commitment. The following matrix outlines the demarcation of duties:

  • Identity & Access
      – Consultant (Egoiste): MFA enforcement on developer environments.
      – Client (Business Partner): Final user access management and local IAM policy.
  • Incident Reporting
      – Consultant (Egoiste): Root-cause analysis and technical evidence.
      – Client (Business Partner): Formal notification to national authorities (MSB/PTS).
  • Model Oversight
      – Consultant (Egoiste): Monitoring for "Model Drift" and AI accuracy.
      – Client (Business Partner): Final human-in-the-loop approval of AI outputs.
  • Local Infrastructure
      – Consultant (Egoiste): Secure API integration.
      – Client (Business Partner): Physical and network security of factory-floor hardware.