Trust.
What you can expect from Optale on data, security, governance and compliance. The summary lives here. The legal detail lives in your DPA and on /privacy and /security.
Norway and EU only.
Customer data is processed and stored inside the EEA. Sub-processors outside the EEA are used only with documented safeguards. The vendor list lives in your DPA and on /security.
DPA, DPIA, transfer rules.
Every customer engagement starts with a Data Processing Agreement. DPIAs are produced for any deployment touching sensitive data. Norway and EU compliance is a default, not a paid extra.
Every action traceable.
Control logs every agent request, every tool call, every approval. Customer admins can see what their agents did, when, and why. No black-box operations.
Your data, your ontology.
Your business data and ontology belong to you. We do not train foundation models on customer data, and we do not share business data across customers. If you cancel, we return your data within an agreed window and delete our copies. Aggregated, non-personal performance signals (eval scores, failure rates, latency) feed back into the platform so the fleet gets sharper with every customer that runs on it.
Operating in regulated sectors.
Optale is built for Norwegian and EU operators in regulated sectors (finance, public, energy, healthcare). The default posture matches what auditors there expect to see: data residency, documented sub-processors, traceable agent actions, human approval loops on anything material.
For US-hosted alternatives, the trade-off is usually faster feature shipping against weaker compliance posture. We picked the other side of that trade and built the operating layer around it.