Transparency report — government and law-enforcement access
On this page
Why this page exists #
Section 11A of the Data Processing Agreement commits fremverk to an annual transparency report disclosing — in aggregate — every government or law-enforcement request for Customer Personal Data we receive. This page is that report.
The report is reissued annually for each full calendar year of operation. Where a calendar year carries zero requests, this page records that fact for the year — non-disclosure of “zero” would be informationally identical to non-publication, which would defeat the transparency purpose.
Reporting period coverage #
| Period | Coverage |
|---|---|
| 2026 (partial — pre-launch) | Pre-launch operations only. fremverk had no Customer Personal Data in production processing scope until launch. |
Reports for full calendar years follow once the first one closes.
Aggregate request data #
Reporting period: 2026 (partial — pre-launch) #
| Metric | Count |
|---|---|
| Total government-access requests received | 0 |
| Requests fully complied with | 0 |
| Requests partially complied with | 0 |
| Requests rejected on jurisdictional or procedural grounds | 0 |
| Requests pending at end-of-period | 0 |
| Customer Personal Data records disclosed | 0 |
| Customers notified pursuant to DPA §11A.1(c) | 0 |
Jurisdictions of origin #
None — no requests received.
Categories of data requested #
Not applicable — no requests received.
How fremverk handles requests #
When a binding legal demand is received, fremverk applies the process documented in DPA §11A.1:
- Verify the demand is binding under EU law and that the issuing authority has jurisdiction over fremverk and the data sought.
- Narrow the scope to the minimum data set permitted by the demand.
- Notify the affected Customer before disclosure unless explicitly prohibited by a court order — in which case fremverk pushes for the shortest possible non-disclosure period and notifies as soon as the prohibition lifts.
- Challenge demands that exceed jurisdictional scope, lack proportionality, or compel disclosure of data outside the EU/EEA.
- Document the request, the disposition, and the data disclosed for inclusion in this report.
fremverk has not received and will not voluntarily comply with non-EU-jurisdictional requests for Customer Personal Data. This includes — without limitation — requests under the US CLOUD Act, US National Security Letters, US Foreign Intelligence Surveillance Act subpoenas, or analogous extraterritorial mechanisms. The CLOUD Act has no extraterritorial reach over fremverk because neither fremverk nor any sub-processor on the Customer Personal Data path has a US parent. See DPA §11 for the full residency commitment.
Subscribe to updates #
This page updates annually (typically late January for the prior year). To be notified when a new report publishes, subscribe to the security mailing list — the same list announces sub-processor changes per DPA §10.
Related #
- Data Processing Agreement § 11A — the contractual commitment this report fulfils
- Sub-processor list — every entity with potential access to Customer Personal Data, with jurisdiction
- Trust page — overall security + compliance posture
Last updated: 2026-05-06.