No US-cloud provider in the data path
Not as a compute node, not as a CDN edge, not as an email relay, not as an AI inference endpoint. The entire data path stays within EU-jurisdiction infrastructure.
Why EU-sovereign
GDPR compliance means you have a privacy policy and a cookie banner. EU-sovereign means the data never touches a US-cloud provider in the first place. The difference matters.
The Clarifying Lawful Overseas Use of Data Act (18 U.S.C. § 2713) requires US companies to produce data stored anywhere in the world when served with a valid US legal order. AWS, Azure, Google Cloud, Cloudflare, Salesforce and HubSpot are all US companies. If any of them is in your data path, the CLOUD Act applies, regardless of where the servers are located or what the privacy policy says.
The Court of Justice of the EU invalidated the EU–US Privacy Shield in 2020. Personal data transfers from the EU to the US are presumptively unlawful without case-by-case safeguards. Data Transfer Impact Assessments are expensive to commission and hard to maintain. Any US-cloud provider in your data path is a transfer you have to justify, every year, in writing, to your DPO.
Not as a compute node, not as a CDN edge, not as an email relay, not as an AI inference endpoint. The entire data path stays within EU-jurisdiction infrastructure.
Every company that touches your data — compute, storage, email, identity, AI — is an EU legal entity not subject to the CLOUD Act.
AES-256-GCM keys are generated and stored on EU infrastructure. No key material leaves EU jurisdiction. Key rotation is supported without data re-encryption.
We publish our infrastructure choices in Architecture Decision Records. Our hosting is verifiable, not just asserted in a marketing PDF.
Every dependency, every jurisdiction, every company behind it.
| Component | Provider | Location | Legal entity |
|---|---|---|---|
| Compute | Hetzner Cloud | Falkenstein, Germany | Hetzner Online GmbH (German) |
| Database | Postgres on Hetzner | Falkenstein, Germany | Hetzner Online GmbH (German) |
| Off-site backups | Scaleway Object Storage | Paris, France | Scaleway SAS (French) |
| Identity | Keycloak (self-hosted) | Falkenstein, Germany | Red Hat / open-source, self-operated |
| Transactional email | Scaleway TEM | Paris, France | Scaleway SAS (French) |
| DNS | deSEC | Berlin, Germany | deSEC e.V. (German non-profit) |
| CDN (marketing site) | BunnyCDN | EU PoPs | BunnyWay d.o.o. (Slovenian) |
| AI / LLM | Mistral AI | Paris, France | Mistral AI SAS (French) |
If your organisation handles any of the following, EU-sovereign automation is not optional — it is the procurement requirement.
Medical records, diagnostic data and patient communications are special-category data under GDPR. A US-cloud sub-processor processing them without explicit justification is a data breach waiting to happen.
Bank secrecy law, DORA and internal security policies typically prohibit processing financial data outside EU jurisdiction. Audit requirements demand a complete, provable chain of custody.
Attorney-client privilege and professional secrecy obligations require that client communications and case data stay within a controlled, auditable environment — not in a US-cloud SaaS.
NIS2 treats automation tooling as a supply-chain dependency. Public-sector procurement rules in most EU member states explicitly require EU data residency for systems that touch citizen data.
Bridgekit is the only workflow automation platform where every component in the data path is EU-based. Start a free trial or talk to us about your specific compliance requirements.