> ## Documentation Index
> Fetch the complete documentation index at: https://docs.abv.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Swedish Protective Security Act Compliance

> Alignment with Säkerhetsskyddslag requirements for security-sensitive government activities

ABV is designed to support organizations subject to the **Swedish Protective Security Act (Säkerhetsskyddslag 2018:585)**, Sweden's framework for protecting security-sensitive activities and classified information from espionage, sabotage, terrorism, and other threats.

# What is the Swedish Protective Security Act?

The Protective Security Act (PSA) establishes requirements for protecting security-sensitive activities in Sweden. It applies to government authorities and private organizations conducting activities important to national security or covered by international protective security commitments.

<Info>
  The PSA was introduced in April 2019, with extensive amendments taking effect December 1, 2021. It requires organizations to implement information security, physical security, and personnel security controls based on risk assessments.
</Info>

Organizations subject to the PSA must:

* Conduct protective security analyses to identify sensitive activities and classified information
* Implement security measures across three categories: information security, physical security, and personnel security
* Notify supervisory authorities (e.g., Swedish Security Service, MUST) of security-sensitive activities
* Conduct personnel security vetting based on access requirements

Penalties for non-compliance range from SEK 25,000 to SEK 50 million.

# How ABV Supports PSA Compliance

ABV provides security controls and documentation to help organizations meet PSA requirements:

<AccordionGroup>
  <Accordion title="Information Security (Informationssäkerhet)" icon="lock">
    The PSA requires systematic protection of classified and security-sensitive information:

    * **Access Control**: RBAC restricts who can view GenAI prompts, responses, and system configurations. [Learn more](/developer/platform/administration/role-based-access-controls)
    * **Audit Logging**: Comprehensive logs track all access to sensitive data, supporting accountability and incident investigation. [Learn more](/developer/platform/administration/audit-logs)
    * **Encryption**: AES-256 at rest and TLS 1.2+ in transit protect classified information from unauthorized access. [Learn more](/security/security/encryption)
    * **Data Classification**: Tag and track security-sensitive information with metadata and access restrictions. [Learn more](/developer/basic-features/metadata)
    * **Data Masking**: Automatically redact sensitive details from GenAI interactions before storage or analysis. [Learn more](/developer/basic-features/masking-sensitive-data)
  </Accordion>

  <Accordion title="Personnel Security (Personalsäkerhet)" icon="user-shield">
    The PSA requires personnel security vetting for individuals accessing security-sensitive activities:

    * **User Authentication**: MFA and SSO ensure only authorized personnel access the platform. [Learn more](/security/security/authentication-authorization)
    * **Access Reviews**: Audit logs enable periodic review of who accessed classified information and when.
    * **Session Tracking**: Monitor individual user sessions and activities for security oversight. [Learn more](/developer/basic-features/sessions)
  </Accordion>
</AccordionGroup>

## Data Residency Options

ABV offers flexible deployment options to meet Swedish data residency requirements:

### Standard Regions

* **EU Region**: Ireland (AWS eu-west-1) - Available immediately
* **US Region**: Virginia (AWS us-east-1) - Available immediately

### Custom Regional Deployments

<Info>
  **Sweden-Specific Deployment Available**: ABV can provide custom deployments in AWS Stockholm (eu-north-1) region for organizations requiring data storage within Sweden's borders.

  This option is particularly relevant for:

  * Organizations handling classified information under PSA
  * Government entities with strict data sovereignty requirements
  * Critical infrastructure operators requiring domestic data storage
</Info>

### Deployment Options for PSA Compliance

For organizations subject to PSA with data residency requirements:

1. **Standard EU Region (Ireland)**:
   * Immediate availability
   * Data remains within the European Union
   * Suitable for many non-classified use cases

2. **Custom Sweden Deployment (Stockholm)**:
   * Available for Enterprise customers
   * Data stored exclusively within Sweden's borders
   * Meets stringent PSA data residency requirements
   * Requires custom deployment assessment

3. **Hybrid Architecture**:
   * Use EU region for non-sensitive workloads
   * Sweden deployment for classified or security-sensitive data
   * Separate environments with complete data isolation

### Requesting Sweden Deployment

<Note>
  To request a custom deployment in Sweden (AWS Stockholm region):

  1. Email [security@abv.dev](mailto:security@abv.dev) with your requirements
  2. Include your security classification level and PSA requirements
  3. Specify data volume and performance needs
  4. Our team will provide deployment timeline and pricing

  Custom regional deployments typically require:

  * Enterprise agreement
  * Minimum commitment period
  * Additional setup and operational costs
  * 2-4 week deployment timeline
</Note>

<AccordionGroup>
  <Accordion title="Protective Security Analysis Support" icon="magnifying-glass-chart">
    ABV helps organizations conduct and maintain protective security analyses required by the PSA:

    * **Risk Identification**: Comprehensive observability reveals what sensitive information GenAI systems process, supporting threat and vulnerability assessments.
    * **Security Documentation**: Audit trails, access logs, and configuration records provide evidence for implementation plans required by supervisory authorities.
    * **Continuous Monitoring**: Real-time alerts detect unauthorized access, anomalous behavior, or security incidents affecting classified information.
  </Accordion>

  <Accordion title="Incident Management" icon="triangle-exclamation">
    The PSA requires organizations to manage security incidents affecting classified information:

    * **Incident Detection**: Monitor for unauthorized access, data exfiltration attempts, or suspicious GenAI behavior.
    * **Forensic Support**: Immutable logs with tamper-evident timestamps support incident investigation and reporting to supervisory authorities.
    * **Notification Protocols**: Documented procedures for notifying SÄPO, MUST, or other supervisory authorities. [Learn more](/security/security/incident-breach)
  </Accordion>
</AccordionGroup>

# For Swedish Government Contractors

Private organizations conducting security-sensitive work for the Swedish government must comply with PSA requirements:

<AccordionGroup>
  <Accordion title="Defense Contractors" icon="shield">
    Support military GenAI projects with PSA-compliant governance and security controls.
  </Accordion>

  <Accordion title="Critical Infrastructure" icon="tower-broadcast">
    Protect GenAI systems in energy, telecommunications, or transportation sectors designated as security-sensitive.
  </Accordion>

  <Accordion title="Sensitive Research" icon="flask">
    Govern GenAI used in research with national security implications or international protective agreements.
  </Accordion>
</AccordionGroup>

## Documentation for PSA Compliance Assessments

<Info>
  ABV can support certain PSA requirements through security controls and documentation, but may not meet all requirements for highly classified or security-sensitive activities, particularly regarding data location.
</Info>

Enterprise customers can request PSA-related documentation:

### What We Can Provide

* **Security Controls Documentation**: Evidence of information security controls (encryption, access management, audit logging) that align with PSA requirements.

* **ISO 27001 Certificate**: International certification often accepted as evidence of systematic information security management. [Learn more](/security/compliance/iso-27001-compliance)

* **Risk Assessment Support**: Documentation to include in your protective security analysis regarding use of cloud services.

### What We Cannot Provide

* **Physical security measures** for Swedish government facilities (cloud-based service only)
* **Personnel security vetting** (this is your organization's responsibility)
* **Classification as a Swedish security-cleared vendor** (we are a commercial SaaS provider)
* **On-premises deployment** within government facilities (cloud-only service)

### How to Request Documentation

<Steps>
  <Step title="Provide Organization Details" icon="building">
    Include organization name, ABV account details, security classification level, and supervising authority (SÄPO, MUST, Swedish Armed Forces, etc.).
  </Step>

  <Step title="Specify Requirements" icon="list-check">
    Detail specific PSA requirements, whether Sweden-only data storage is mandatory, and documentation needed for protective security analysis.
  </Step>

  <Step title="Share Risk Assessment" icon="scale-balanced">
    Explain whether you've determined ABV is suitable for your security classification and any compensating controls you're implementing.
  </Step>

  <Step title="Submit Request" icon="paper-plane">
    Email [security@abv.dev](mailto:security@abv.dev) from your organization email. We typically respond within 1-2 business days. Detailed documentation may require an NDA.
  </Step>
</Steps>

<Info>
  Before using ABV for PSA-regulated activities, ensure your protective security analysis addresses:

  1. Whether standard EU (Ireland) region meets your requirements, OR
  2. Whether you need custom Sweden (Stockholm) deployment for classified data
  3. Any specific requirements from your supervisory authority (SÄPO, MUST, etc.)

  ABV can accommodate most data residency requirements through custom regional deployments.
</Info>

# Related Topics

<CardGroup cols={2}>
  <Card title="Swedish GenAI Guidelines" icon="landmark" href="/security/compliance/sweden-genai-guidelines">
    See our alignment with Swedish public sector AI guidelines
  </Card>

  <Card title="ISO 27001 (Security)" icon="certificate" href="/security/compliance/iso-27001-compliance">
    View our information security certification
  </Card>

  <Card title="Data Masking" icon="mask" href="/developer/basic-features/masking-sensitive-data">
    Learn how to protect classified information
  </Card>

  <Card title="Access Controls" icon="lock" href="/security/security/authentication-authorization">
    Explore authentication and authorization
  </Card>
</CardGroup>
