Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
everviz is a Norwegian data visualisation platform built on top of the Highcharts library, used by editorial teams, communications departments, and analysts to publish interactive charts, tables, and maps. Hosted entirely on AWS Frankfurt by everviz AS (Highsoft Group), it does not write tracking cookies on visitors and does not transfer data outside the EEA, which makes it one of the simplest visualisation tools to embed without a consent banner under GDPR.
everviz is an online data visualisation platform launched in 2018 by everviz AS, a subsidiary of Highsoft AS, the Norwegian company behind the popular Highcharts charting library. It targets editorial teams, communications departments, public sector analysts, and data journalists who need to publish interactive charts, tables, dashboards, and maps without writing JavaScript. Editors paste a CSV, connect to a Google Sheet, or upload an Excel file, choose a chart type from the catalogue (line, bar, pie, area, treemap, sankey, geographic maps), then embed the chart on any website with a one, line iframe or a JavaScript snippet. The platform is hosted on AWS Frankfurt and operated entirely from Norway / EEA.
On a public, embedded chart, everviz does not write any analytics or advertising cookie. The everviz domain may set a small number of functional cookies for the embed runtime: a Cloudfront security cookie used to distinguish humans from bots, and a session cookie used by the chart configuration loader. Inside the everviz editor application (app.everviz.com), additional functional cookies are set to keep editors authenticated. The platform processes the chart configuration, the dataset, and the visitor IP at the moment of embed load, but no persistent visitor identifier is stored.
Because no tracking or advertising cookie is written and the visitor IP is processed only for routing the embed request, everviz does not trigger Article 5(3) of the ePrivacy Directive in the same way as analytics or marketing tools. The functional cookies needed to deliver the chart fall under the strictly necessary exemption. Under the GDPR, everviz AS acts as a processor for the chart configurations and any dataset that contains personal data, while the publisher remains controller. The Norwegian / EEA data location avoids any Chapter V transfer issue.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
In a typical configuration, no cookie banner is required to embed an everviz chart. The chart loads under the strictly necessary category and runs on legitimate interest as the legal basis. If the chart''s underlying dataset contains personal data of identified individuals (for example, a journalistic chart that names specific people), the publisher needs a separate legal basis for that data processing, typically consent or journalistic exemption under Article 85 GDPR plus national press laws. The embed itself does not require a CMP gate.
None outside the EEA. everviz AS is incorporated in Norway, which is part of the EEA, and the application is hosted on AWS in Frankfurt. Sub, processors are limited to EU and EEA based providers. There are no transfers to the United States or other third countries, which removes the need for SCCs, a Transfer Impact Assessment, or any DPF, dependent fallback. This is a meaningful advantage compared with US, headquartered visualisation tools (Datawrapper has EU hosting too, but Tableau Public, Flourish, and Infogram involve US transfers).
Sign the DPA published by everviz AS, list everviz and AWS Frankfurt as sub, processors in the privacy policy, and add the platform to the record of processing activities under Editorial visualisation or Reporting. Restrict editor access using SSO or two, factor authentication. If you embed charts that include personal data of identified individuals, document the legal basis for that dataset and the retention period. The chart embed itself can be loaded without a consent gate, which is one of the practical reasons European newsrooms and public, sector communications teams pick everviz over US, hosted alternatives.
Websites using everviz must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for everviz because the embedded chart writes no tracking cookies and the visualisation runtime processes only the public chart configuration and dataset. A DPIA may become relevant if the underlying dataset contains personal data of identified individuals (employee dashboards, patient charts) or if you embed everviz on pages that profile users in other ways. Document everviz AS as processor for hosting the chart configurations, the AWS Frankfurt sub, processor, and any personal data that you choose to send into the chart dataset.
Sample consent text
Our website embeds interactive charts created with everviz, a Norwegian visualisation platform hosted on AWS Frankfurt. The chart embed does not set tracking cookies and does not profile you. No cookie consent is required for everviz to load.
Third-party domains contacted
everviz.comapp.everviz.comcdn.everviz.comexport.everviz.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| CloudFront-Key-Pair-Id | third-party | Session | Functional cookie set by AWS CloudFront on the everviz CDN to authenticate signed URLs and protect the chart configuration assets. Considered strictly necessary for the embed to function. |
| everviz_session | third-party | Session | Session cookie used by the everviz chart configuration loader to keep state during the embed initialisation. Strictly necessary functional cookie. |
everviz collects user analytics data — you legally need a consent banner. Try FlowConsent free.
On a public embedded chart, everviz does not write any analytics or advertising cookie. The everviz domain may set a small Cloudfront security cookie used to filter automated traffic and a session cookie for the chart configuration loader, both functional and short, lived. Inside the editor application, additional functional cookies keep editors authenticated.
No in a typical configuration. The functional cookies used to deliver the chart fall under the strictly necessary exemption of the ePrivacy Directive, and no tracking, advertising or profiling cookie is written. The chart can be embedded without a CMP consent gate. If the underlying dataset contains personal data of identified individuals, you may need a separate legal basis for that data, but not for the embed itself.
Legitimate Interest (GDPR Article 6(1)(f)) for embedding the chart. Contract performance (Article 6(1)(b)) for editor accounts inside the everviz application. If the chart dataset includes personal data, that data has its own legal basis, typically consent, contract performance, or the journalistic exemption under Article 85 GDPR.
No. everviz AS is incorporated in Norway, which is part of the EEA, and the application is hosted on AWS Frankfurt. Sub, processors are limited to EU/EEA, based providers. There are no transfers to third countries, which removes the need for SCCs or a Transfer Impact Assessment.
Generally no for using everviz as an embed tool. A DPIA may be appropriate if the chart dataset contains special categories of data (health, biometric), data of vulnerable groups, or large volumes of personal data. The embed runtime itself does not trigger DPIA criteria because it is functional and does not profile visitors.
Sign the DPA published by everviz AS, list everviz and AWS Frankfurt as sub, processors in your privacy policy, restrict editor access via SSO or 2FA, and document any chart dataset that contains personal data with its legal basis and retention period. The embed itself can be loaded without a consent banner.
EU, hosted alternatives include Datawrapper (Germany, with EU hosting), Flourish (UK, US transfers), Tableau Public (US transfers), Infogram (US transfers), Plotly (US transfers), and self, hosted options like Apache Superset, Metabase, or pure Highcharts integrations on your own infrastructure.
Mention everviz as the visualisation provider and Highsoft AS / everviz AS as the controller of the platform. State that the embed does not set tracking cookies, only functional Cloudfront cookies, and that data is hosted in Norway / AWS Frankfurt within the EEA. No third, country transfer disclosure is required.