Kaisa removes the incentive to take that shortcut. Data stays in EnerKey. Access controls are the ones your administrators already configured. Every interaction is logged.
No new approvals.
No open tickets with your IT.
Just ask.
Secure and EU-compliant Energy Management with AI
No new security reviews. No separate approvals. Kaisa uses the same controls your IT team already signed off on — so you can ask questions about your facilities, meters, and consumption data in plain language, without opening a single ticket.
Further down this page you'll find more information about how we keep your data secure.

AI in Energy Management without the data risk
The most common workaround in energy and sustainability teams: export metering data to a spreadsheet, paste it into an LLM, ask a question. Fast — but it sends regulated operational data outside your IT estate, into environments your DPO has never assessed, with no audit trail and no access control. There's a real chance that data trains third-party models.
What happens in the platform, stays in the platform
Kaisa runs entirely within EG's Azure EU environment. It sees what your EnerKey role permits, nothing more. No connection to public AI models, no training on your data, no writes. Every query is logged.
How we keep your data secure
A closer look at how the AI agent inside EnerKey handles your data.
Hosting and data residency
Kaisa runs inside EG’s Azure environment - the same environment that hosts the rest of EG EnerKey.
Cloud provider: Microsoft Azure
Tenancy: EG-owned Azure subscription
Region: EU (matches the EnerKey platform)
Encryption: Conversation data is encrypted at rest
Platform controls: Network isolation, edge protection, and secrets management follow EG's standard EG EnerKey platform controls (detail available under NDA)
Your data does not transit through third-party SaaS AI vendors. There is no path from Kaisa to any public LLM service.
Profile-scoped data access
Kaisa authenticates as you, through your existing EG EnerKey login - no separate account, no shadow login. Authorization is inherited from EG EnerKey, not invented for AI.
Kaisa can only call the APIs your user is already entitled to call, and can only see the data your user is already entitled to see. If a user doesn’t have access to a product area, Kaisa doesn’t get those tools.
In EG EnerKey, a profile is a collection of facilities, sites, and meters grouped together by your administrators. Kaisa always operates inside the currently active profile - the same one selected in the rest of the portal. It cannot reach data in facilities outside it. Switching profiles starts a clean conversation context. There is no AI-side mechanism to widen data scope.
Conversation isolation. Each user’s conversation history is isolated. No user can read another’s, regardless of role.
Role mapping is enforced server-side. Hiding a feature client-side is never the security boundary.
Kaisa never has access broader than the human using it.
Enterprise AI is not like consumer AI
Kaisa uses enterprise large language models via Azure OpenAI Service - the enterprise Azure deployment, not the consumer OpenAI API.
Under the Azure OpenAI terms applicable to EG:
Your prompts and completions are not used to train OpenAI’s or Microsoft’s foundation models
Data stays within the EU Azure region
Model versions are tracked, pinned, and upgraded under change control - no silent swaps behind production traffic
The model is invoked without any standing access to your databases. Every data retrieval goes through the controlled tool layer described below.
What the model can actually do, and what it can't
A large language model is a text generator. It can answer questions about your data only if someone hands it that data. We treat that "someone" as a security boundary.
Between the model and EnerKey’s APIs sits an orchestration layer, built on a mature, Microsoft-backed agent framework, that mediates every tool call. The model has no free SQL connection, no code-execution sandbox, and no generic web access.
Only an explicit, allow-listed set of EnerKey APIs is exposed to the model as tools. Endpoints are reviewed and approved by EG's engineering team before they enter Kaisa's surface.
Every tool call:
Runs only with the permissions of the user making the request
Is enforced by the same role checks as the rest of EG EnerKey
Is logged with the user, profile, conversation, tool name, and parameters
Write and update operations are not exposed to Kaisa. It has read-only access to platform data.
If a request requires data the user doesn't have rights to, it fails the same way it would in the UI. Kaisa cannot bypass that.
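As an added illustration (not EG's code; the tool names, role names, sample meters and record layout are assumptions), the following Python sketches the mediation the tool layer above is described as performing: an allow-list with no write endpoints, a server-side role check, data scoped to the session's active profile, and a structured audit record for every call, allowed or denied.

```python
import json
from dataclasses import dataclass

# Allow-list of tools exposed to the model (constructed names, not EnerKey's real
# API). Each maps to the role it needs; write/update endpoints are simply absent.
ALLOWED_TOOLS = {
    "list_meters": "meters.read",
    "get_consumption": "consumption.read",
}

# Constructed read-only backend, keyed by profile: a query is answered from the
# active profile only, so a meter in another profile is unreachable by design.
_DATA = {
    "profile-north": {"M-101": 420.0, "M-102": 310.5},
    "profile-south": {"M-201": 99.0},
}
BACKEND = {
    "list_meters": lambda profile, params: sorted(_DATA[profile]),
    "get_consumption": lambda profile, params: _DATA[profile].get(params["meter"]),
}

AUDIT_LOG = []  # constructed sink; one JSON record per tool call, allowed or denied


@dataclass(frozen=True)
class Session:
    """Identity inherited from the portal login; never an AI service account."""
    user: str
    roles: frozenset
    profile: str          # the active profile selected in the rest of the portal
    conversation_id: str


def dispatch_tool(session, tool_name, params):
    """Mediate one model-requested tool call: allow-list, role check, profile scope,
    audit record. Returns {"ok": bool, "result": ..., "error": ...}."""
    record = {"user": session.user, "profile": session.profile,
              "conversation": session.conversation_id, "tool": tool_name,
              "params": params}
    required_role = ALLOWED_TOOLS.get(tool_name)
    if required_role is None:
        outcome = {"ok": False, "result": None, "error": "tool not exposed"}
    elif required_role not in session.roles:
        # Same server-side role check the UI enforces; the model cannot widen it.
        outcome = {"ok": False, "result": None, "error": "permission denied"}
    else:
        # Scope comes from the session's active profile, never from model input.
        result = BACKEND[tool_name](session.profile, params)
        outcome = {"ok": True, "result": result, "error": None}
    AUDIT_LOG.append(json.dumps({**record, "outcome": outcome["error"] or "ok"},
                                sort_keys=True))
    return outcome
```

A request for a meter outside the active profile returns nothing rather than leaking, and a request for an unexposed write tool is refused and logged like any other call.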
Multiple safety layers on every message
Every user turn passes through several layers before it reaches the model, and every model response passes through layers on the way back.
Prompt injection and jailbreak defenses: Managed Microsoft AI safety services screen inputs - including content inside uploaded documents - for known attack patterns before they reach the model.
PII detection: Managed services identify personally identifiable information on inputs and outputs, handled according to EG’s content policy.
Harmful-content filtering: Managed filters cover hate, sexual, violence, and self-harm categories, configured for an enterprise B2B context.
Topical scoping: Kaisa operates within a defined scope - energy, facilities, sustainability and EG EnerKey workflows. Out-of-scope requests are declined.
Document handling: When users attach documents (PDF, DOCX, XLSX, CSV, PPTX, TXT, JSON) as context, they are processed inside the same Azure tenancy, scanned, and treated as untrusted input. Content in documents is data - not instructions.
Engineering and operational controls
Every change to Kaisa ships through pull requests with mandatory code review. No live editing of prompts or tool definitions in production. Each release is tagged and can be rolled back.
Our components and dependencies are scanned continuously, and patching follows a defined SLA. The platform - including the Kaisa surface - is included in EG’s regular third-party penetration testing program, with findings tracked to closure.
Structured logs and traces cover every chat turn: who, when, which tools were called, latency and any safety filter actions. Logs are retained according to EG's data retention policy and are accessible to EG's security team for investigation. Incident response is covered by EG's group-wide process.
Your data and your rights
Conversations are retained until you delete them. From the Kaisa UI, you can rename or delete any conversation at any time. Deletion is permanent.
Documents you upload as context can be deleted at any time, permanently.
GDPR data-subject rights - access, rectification, restriction, portability, and erasure - follow the existing EG EnerKey Data Subject Request process. There is no separate Kaisa workflow.
Operational logs (tool calls, safety filtering, latency) are retained under EG’s group retention policy and accessible only to EG’s security and operations teams.
Compliance posture
GDPR — Kaisa processes personal data only as part of the EG EnerKey service. The lawful basis, controller/processor relationship, and data subject rights follow the existing EG EnerKey Data Processing Agreement and AI DPA.
EU AI Act — Kaisa is classified and reviewed against the AI Act’s risk tiers. It operates as a decision-support assistant - not as an autonomous decision-maker for energy or financial actions.
Data residency — EU region, EG-owned Azure subscription.
ISO / certifications — Inherited from the underlying EG EnerKey platform. Refer to EG EnerKey Trust documentation for the current list of certifications.
Sub-processors — Microsoft Azure (cloud platform, model hosting, and AI safety services) and EG’s edge-protection provider. No additional AI sub-processors.
What Kaisa doesn't do
We think this list matters as much as everything above.
Does not train any model on your data
Does not send your data to OpenAI, Anthropic, Google, or any consumer AI service
Does not use a standing service-account login — it uses your session
Does not execute arbitrary code on your behalf
Does not browse the open internet
Does not persist documents or data outside the EnerKey environment
Does not expose tools or data beyond the user’s existing EnerKey role and active profile
For your security team
Completing a vendor questionnaire? EG EnerKey can complete CAIQ, SIG, or custom security assessments for Kaisa alongside the platform. Architecture diagrams and a redacted penetration testing summary are available under NDA.
Contact your EnerKey account manager to start the process.
Reporting a security issue: security@enerkey.com or via your usual EnerKey support channel.
Now you know it's safe. Here's what it actually does.
Kaisa reads your live EG EnerKey data and answers in plain language. Consumption trends, savings potential, emissions targets, anomalies. Property managers, finance, sustainability officers, anyone with access gets the same data-backed answer in seconds, no exports required.
REGULATORY COMPLIANCE
AI in energy management is subject to legal requirements
When your organization starts using an AI-based tool, you take on a regulatory responsibility. EU legislation sets requirements for how AI systems must be built, how data is handled, and how digital services must remain resilient. That applies not just to the vendor — it applies to you as the user too. Kaisa is designed with this in mind.
Here are the frameworks most relevant to organizations managing energy data and property portfolios — and what they mean for your choice of AI tool.
EU AI Act — Regulation (EU) 2024/1689
The EU's framework law for artificial intelligence, classifying AI systems by risk level and setting requirements for transparency, traceability, and human oversight.
As a "deployer" — the organization putting an AI system into use — you have obligations under the AI Act: informing users that they're interacting with AI, ensuring the system can be audited, and maintaining human oversight of AI-supported decisions. Kaisa is classified as a limited-risk system (not high-risk), but transparency and auditability requirements apply in full. Kaisa's answers are traceable and grounded in your live data — not black boxes.
GDPR — Regulation (EU) 2016/679
The EU's General Data Protection Regulation, governing all processing of personal data.
Energy data can quickly become personal data — meter readings tied to individual apartments, consumption profiles revealing occupancy patterns, or data linked to named users in your property management system. EU-hosted data processing is a prerequisite for GDPR compliance. Kaisa runs on EU-based infrastructure, and all data processing takes place within your existing relationship with EG EnerKey — your data is never used to train external models.
NIS2 Directive — Directive (EU) 2022/2555
The EU directive on cybersecurity for essential and important entities, establishing mandatory security requirements across critical sectors.
The energy sector is explicitly listed as "essential" under NIS2, meaning many EnerKey customers are already in scope. NIS2 requires supply chain security: you must ensure that the digital tools you use meet your security requirements. EU hosting, auditable outputs, and clear incident response procedures aren't just conveniences — they're the concrete properties that allow you to document Kaisa as an approved tool in your security governance processes.
DORA — Regulation (EU) 2022/2554
The Digital Operational Resilience Act — EU legislation on digital resilience for financial entities.
If your organization is an insurance company, bank, pension fund, or financially regulated real estate firm, DORA applies to you. The regulation requires systematic management of ICT third-party risk — Kaisa and EG EnerKey must be documented in your ICT register and assessed as a third-party service. EU hosting and clear contractual commitments are what your compliance teams need to see.
Cyber Resilience Act / CRA — Regulation (EU) 2024/2847
The EU regulation on cybersecurity requirements for products with digital elements, including software.
CRA places requirements on EG as the manufacturer of EnerKey and Kaisa — we are required to deliver secure software throughout the full product lifecycle, with documented security processes and rapid vulnerability handling. For you as a buyer, it creates a legal basis for demanding cybersecurity standards from vendors — and gives your IT security team a clear signal that CRA awareness is built into how Kaisa is developed.
Data Act — Regulation (EU) 2023/2854
The EU regulation on access to and sharing of data generated by connected devices and services, in application since September 2025.
The Data Act applies directly to your operations — the smart energy meters, IoT sensors, and building automation systems feeding data into EnerKey are exactly what this regulation covers. You have the right to your machine-generated data and the right to take it with you. Kaisa analyzes your data — your data stays yours.
Data Governance Act — Regulation (EU) 2022/868
The EU framework for data intermediation and cross-sector data sharing.
The Data Governance Act establishes the rules for how data flows within European data spaces — including in the energy sector. For organizations participating in sector-wide benchmarking or Nordic data sharing initiatives, it provides a clear framework for how data may move. Kaisa operates within a system with defined data flows and boundaries, aligned with the transparency requirements the Act places on data intermediaries.
ePrivacy Directive — Directive 2002/58/EC
The EU directive on privacy in electronic communications, covering cookies, communications data, and traffic monitoring.
ePrivacy applies to the communications layers surrounding Kaisa — session data in the chat interface, meter data transmitted over communications networks, and platform analytics. The directive is currently under revision (a regulation is expected to replace it), but the core principles of data minimization and protection of communications content shape how AI chat functions in sensitive operational environments should be handled.