BridgekitBridgekit

Why EU-sovereign

GDPR-compliant and EU-sovereign are not the same thing.

GDPR compliance means you have a privacy policy and a cookie banner. EU-sovereign means the data never touches a US-cloud provider in the first place. The difference matters.

The CLOUD Act problem

The Clarifying Lawful Overseas Use of Data Act (18 U.S.C. § 2713) requires US companies to produce data stored anywhere in the world when served with a valid US legal order. AWS, Azure, Google Cloud, Cloudflare, Salesforce and HubSpot are all US companies. If any of them is in your data path, the CLOUD Act applies, regardless of where the servers are located or what the privacy policy says.

Schrems II

The Court of Justice of the EU invalidated the EU–US Privacy Shield in 2020. Personal data transfers from the EU to the US are presumptively unlawful without case-by-case safeguards. Data Transfer Impact Assessments are expensive to commission and hard to maintain. Any US-cloud provider in your data path is a transfer you have to justify, every year, in writing, to your DPO.

What EU-sovereign means in practice

No US-cloud provider in the data path

Not as a compute node, not as a CDN edge, not as an email relay, not as an AI inference endpoint. The entire data path stays within EU-jurisdiction infrastructure.

EU-based legal entity for every sub-processor

Every company that touches your data — compute, storage, email, identity, AI — is an EU legal entity not subject to the CLOUD Act.

Encryption keys managed within EU jurisdiction

AES-256-GCM keys are generated and stored on EU infrastructure. No key material leaves EU jurisdiction. Key rotation is supported without data re-encryption.

Provable data residency, not just claimed

We publish our infrastructure choices in Architecture Decision Records. Our hosting is verifiable, not just asserted in a marketing PDF.

Our full stack, component by component

Every dependency, every jurisdiction, every company behind it.

ComponentProviderLocationLegal entity
ComputeHetzner CloudFalkenstein, GermanyHetzner Online GmbH (German)
DatabasePostgres on HetznerFalkenstein, GermanyHetzner Online GmbH (German)
Off-site backupsScaleway Object StorageParis, FranceScaleway SAS (French)
IdentityKeycloak (self-hosted)Falkenstein, GermanyRed Hat / open-source, self-operated
Transactional emailScaleway TEMParis, FranceScaleway SAS (French)
DNSdeSECBerlin, GermanydeSEC e.V. (German non-profit)
CDN (marketing site)BunnyCDNEU PoPsBunnyWay d.o.o. (Slovenian)
AI / LLMMistral AIParis, FranceMistral AI SAS (French)

Who this matters for

If your organisation handles any of the following, EU-sovereign automation is not optional — it is the procurement requirement.

Healthcare & medical

Medical records, diagnostic data and patient communications are special-category data under GDPR. A US-cloud sub-processor processing them without explicit justification is a data breach waiting to happen.

Finance & banking

Bank secrecy law, DORA and internal security policies typically prohibit processing financial data outside EU jurisdiction. Audit requirements demand a complete, provable chain of custody.

Legal & professional services

Attorney-client privilege and professional secrecy obligations require that client communications and case data stay within a controlled, auditable environment — not in a US-cloud SaaS.

Government & public sector

NIS2 treats automation tooling as a supply-chain dependency. Public-sector procurement rules in most EU member states explicitly require EU data residency for systems that touch citizen data.

Ready to keep your automation in Europe?

Bridgekit is the only workflow automation platform where every component in the data path is EU-based. Start a free trial or talk to us about your specific compliance requirements.