Soniver

Terms and conditions for use of Soniver

Last updated: 26 November 2025

1. Agreement and acceptance

These terms and conditions (the “Terms”) govern use of Soniver (the “Service”), provided by Soniver AS (“we”, “us”, “our”). By registering for or using the Service, you agree to be bound by the Terms. If you do not accept the Terms, you may not use the Service.

2. Privacy and data protection – controller and processor

Our processing of personal data is described in our Privacy Policy. When the Service is used in connection with employees or coaching sessions, the user (for example an HR department or leadership coach) is the data controller for personal data processed in the Service. Soniver AS acts as processor and processes data solely on behalf of and in accordance with documented instructions from the user, pursuant to GDPR Article 28.

Soniver does not determine the purposes of processing and does not use customer data for its own purposes, model training, or analysis beyond functionality initiated by the user. A data processing agreement is entered into between the parties for professional use of the Service.

3. Service content and functionality

  • Ability to record audio from conversations and coaching sessions.
  • Automatic transcription and anonymisation of audio.
  • Analysis and summarisation using artificial intelligence.
  • Storage and management of conversation-related data.

The Service is intended for HR teams and leadership coaches who comply with applicable laws and regulations, including the GDPR.

4. Not a medical device – no clinical decision support

The Service is not a medical device and must not be used as a diagnostic tool, treatment aid, or clinical decision support. It provides administrative support, transcription, and text-based analysis based on content the user provides.

All professional judgement, diagnosis, risk assessment, and treatment decisions remain the user’s sole responsibility. Output generated by the Service must always be reviewed professionally by the user and may contain errors, gaps, or misunderstandings.

5. Information processed in the Service

When using the Service, the following types of personal data may be processed:

  • Employee information: You may create an employee record with first name, last name, and email. Last name and email are optional; you may use a pseudonym instead of real names.
  • Audio recordings of conversations when the user enables the feature.
  • Transcripts generated from audio.
  • Notes written or generated by the user.
  • AI-generated analyses, topic detection, and summaries.
  • Metadata including timestamps, login data, technical information, and usage data.

This information is processed only to deliver the Service and the features the user chooses to use.

6. Legal basis for processing

When the Service is used with employee data, processing is based on:

  • GDPR Article 6(1)(b) – processing necessary to perform a contract with the user when the Service is provided in a professional context.

Soniver processes data only on instructions from the controller and has no independent purposes for the processing.

7. User responsibilities

  • Ensure that all use of the Service complies with applicable laws and regulations.
  • Obtain consent from employees before processing their personal data where required.
  • Protect login credentials and prevent unauthorised access to your account.
  • Provide accurate and up-to-date information at registration.

8. Pricing and payment

Prices for the Service will be stated on our website or in an agreement with you.

Payment must be made according to the stated payment terms. We may suspend or terminate your access if payment is not made.

9. Termination

You may stop using the Service by giving written notice. We may terminate your access if you breach the Terms.

10. Limitation of liability

The Service is provided “as is”, and we disclaim liability for indirect loss or damage.

Soniver does not warrant that transcripts or analyses are complete or error-free. AI-generated content may be inaccurate or misleading and must not be used as the basis for diagnostic assessments, risk assessments, treatment decisions, or other clinical decisions.

The user is fully responsible for professional judgements and for validating all content generated by the Service. Soniver disclaims liability for loss, damage, or consequences arising from clinical decisions based on data generated in the Service.

11. Changes to the Terms

We may change the Terms. Continued use constitutes acceptance of the updated Terms.

Part 2: Data processing agreement

Between:

Controller: The party using the Service (the user), hereinafter the “Controller”.

Processor: Soniver AS (org. no. 934 936 949), hereinafter the “Processor” or “Soniver”.

1. Purpose of the agreement

This data processing agreement governs rights and obligations when Soniver processes personal data on behalf of the Controller. It ensures processing complies with applicable law, including:

  1. The Norwegian Personal Data Act and the GDPR.
  2. The Norwegian Health Personnel Act and Patient Records Act (where relevant).
  3. The norm for information security and privacy in the health and care sector (“Normen”).

If this agreement conflicts with other agreements between the parties, this agreement prevails on privacy matters.

2. Obligations of the Controller

The Controller determines the purpose of processing and the means used. The Controller warrants that a valid legal basis (e.g. employee consent) exists for all data transferred to Soniver.

3. Obligations of the Processor

Soniver undertakes to:

  1. Instructions: Process personal data only in accordance with documented instructions from the Controller (this agreement constitutes instructions).
  2. Purpose limitation: Not use personal data for its own purposes, marketing, or sale to third parties.
  3. Access control: Ensure only authorised persons have access and that they are bound by confidentiality.
  4. Internal control: Maintain internal control and information security proportionate to risk.
  5. Assistance: Assist the Controller in meeting its obligations, including data subject requests (access/erasure) and data protection impact assessments (DPIAs).

4. Confidentiality

Soniver and anyone working for Soniver must keep confidential all personal data and sensitive business information they access. This duty survives termination of the agreement.

5. Information security

Soniver shall implement appropriate technical and organisational measures to ensure a high level of security, pursuant to GDPR Article 32.

Soniver specifically commits to the following privacy-by-design architecture:

  • No raw audio storage:
    • Audio is streamed directly for processing and is never permanently stored on disk.
  • Encryption:
    • Data is encrypted in transit and at rest using industry standards (AES-256 / TLS 1.2+).
  • Geographic processing:
    • Audio transcription takes place in Norway. AI analysis of text takes place in the EU/EEA. No data is transferred to the United States for these purposes.

Further details of security measures are set out in Annex 2.

6. Sub-processors

The Controller grants Soniver general authorisation to use sub-processors to deliver the Service. Approved sub-processors at the time of contracting are listed in Annex 3.

Soniver shall ensure sub-processors are bound by obligations equivalent to Soniver’s under this agreement. Soniver shall notify the Controller in writing at least 30 days before changing or adding sub-processors. The Controller may object on legitimate privacy grounds.

7. Personal data breaches

In the event of a personal data breach, Soniver shall notify the Controller in writing without undue delay (at the latest within 24 hours).

The notice shall describe the breach, categories of affected data subjects, likely consequences, and measures taken. Soniver shall assist with information needed for notification to the supervisory authority.

8. Audit

The Controller may audit (itself or via a third party) Soniver’s compliance with this agreement. Soniver shall facilitate such audits.

9. Liability

Each party is liable for economic loss caused to the other by breach of this agreement, under general principles of Norwegian law. The Processor’s aggregate liability is capped at twelve months’ fees for the Service, except in cases of gross negligence or intent.

10. Duration and termination

This agreement applies for as long as Soniver processes personal data on behalf of the Controller.

On termination, Soniver shall, at the Controller’s choice, delete or return all personal data. Soniver shall confirm deletion in writing. Backups are deleted according to the backup cycle (maximum 30 days).

11. Acceptance

By logging in to the Service with BankID you accept these terms and the data processing agreement. Your use of the Service constitutes binding acceptance of all provisions described herein.


ANNEX 1: Purpose of processing

Purpose:

To support HR work and leadership coaching through AI-assisted transcription and analysis of conversations, providing better notes and freeing up time for HR teams and coaches.

Processing includes:

  1. Streaming audio from the browser to the server.
  2. Real-time speech-to-text transcription.
  3. Pseudonymisation/anonymisation of text.
  4. AI analysis of text to extract relevant information.
  5. Encrypted storage of finished notes and analyses.

Categories of personal data:

Names and other information that appears in conversations and coaching sessions.


ANNEX 2: Technical security measures

Soniver has implemented a security architecture based on data minimisation:

  1. Audio processing (no storage):
    • Audio data is sent directly from the user to the transcription service (Azure) via secure memory.
    • No audio files are permanently stored on disk by Soniver or the sub-processor.
    • Azure is configured with a “no logging” policy for audio data.
  2. Authentication and access:
    • Access requires strong authentication via Criipto (BankID).
    • Logical separation of customer data ensures users only see their own data.
  3. Encryption:
    • Communications: HTTPS/TLS 1.2+ with strong ciphers.
    • Database: Sensitive data encrypted at rest (AES-256).
  4. Geographic controls:
    • The system is configured to process data in specific regions in Norway and the EU. There is no automatic failover to regions outside the EEA.

ANNEX 3: Approved sub-processors

The Controller approves the following sub-processors:

  • Microsoft Azure
    • Function: Transcription (speech-to-text). Processes the audio stream transiently to convert it to text.
    • Region / location: Norway East (Norway)
  • Google Cloud Platform
    • Function: AI analysis (Vertex AI / Gemini). Processes anonymised text to generate notes. Cloud services.
    • Region / location: europe-west4 and europe-west1
  • MongoDB Atlas
    • Function: Database. Storage of finished notes and user data (encrypted).
    • Region / location: europe-west1 (Belgium). Runs on GCP infrastructure.
  • Brevo
    • Function: Email. System notifications. No health data is sent via this channel.
    • Region / location: EU (Germany)
  • Criipto
    • Function: Authentication (OpenID Connect)
    • Region / location: Denmark
  • Stripe
    • Function: Payment processing
    • Region / location: USA / EU

Governing law and disputes

These Terms are governed by Norwegian law. Disputes shall be brought before Oslo District Court as legal venue, unless mandatory law provides otherwise.