Glossary · entity definitions

The concepts that decide the choice of Swedish AI infrastructure

Clear, citable definitions of the terms that determine whether an AI provider is fit for the Swedish public sector, finance and healthcare. Written to be understood by both lawyer and developer.

Sovereign AI

AI infrastructure where data, compute and model weights are guaranteed to stay within a defined jurisdiction, without any foreign actor or foreign law being able to demand access. For Sweden this means, in practice, Swedish or independent European ownership, physical operation in Sweden/the EEA, and no dependency on US parent companies.

Data sovereignty

The principle that data is subject to the laws of the country where it is physically and legally handled. A server standing in the EU is not enough if the provider's parent company is subject to foreign law — the data can then be demanded anyway.

Cloud Act / FISA 702

US extraterritorial legislation that can compel a US company (or its subsidiary) to hand over data regardless of where in the world it is stored. This is why an 'EU region' at a US hyperscaler is often not enough for the Swedish public sector.

Schrems II

The Court of Justice of the EU's ruling (2020) that invalidated the Privacy Shield and tightened the requirements for transferring personal data to a third country. It means providers with third-country exposure must be able to show supplementary safeguards — or avoid the transfer entirely.

Third-country transfer

Any processing or transfer of data outside the EEA, including for telemetry, support or logging. An 'unknown' or 'yes' here is often a deal-breaker for regulated organisations.

Model Context Protocol (MCP)

An open protocol (donated to the Linux Foundation) for how agentic AI systems securely connect to tools and data sources. For infrastructure providers the question is whether the network supports MCP over Streamable HTTP and stateful sessions — critical for remote-calling AI agents.

Zero retention

That the provider does not keep prompts, inputs or outputs after the request has been processed. A claim of zero retention should be verified against the data processing agreement (DPA), not just against the marketing page.

Data Processing Agreement (DPA)

The legal agreement that governs how the provider may process the customer's personal data. This is where guarantees of zero retention, no model training on customer data and data residency become binding — which is why we distinguish 'claimed' from 'confirmed against the DPA'.

EU AI Act

The EU's AI regulation, which imposes requirements on transparency, technical documentation and logging depending on the system's risk class. For infrastructure providers it is about being able to support the customer's compliance, not just their own.