The decisive test
Many providers advertise “servers in Frankfurt”. It sounds safe but answers the wrong question. What matters is not where the disks sit, but which legal order governs the operator. If the parent company is incorporated in the US, the US CLOUD Act applies: US authorities can order data disclosure, whether the data is in Frankfurt, Dublin or Virginia.
Data residency ≠ sovereignty
Data residency is a geographic statement. Sovereignty is a legal and technical one. Only when operator, technology stack and jurisdiction are in European hands does your AI remain yours. The CJEU's Schrems II ruling (2020) showed how fragile EU-US transfers are; the EU Data Act (applicable from 2025) additionally requires EU cloud providers to prevent unlawful third-country access.
The US-free stack in practice
Sovereignty is feasible, and performant. Beyonetix runs open language models such as Teuken-7B (OpenGPT-X/Fraunhofer), Mistral and Qwen with vLLM on GPU servers in German data centres. No API calls to US providers, no US jurisdiction, no training on your data.
What to check
- Who is the provider's parent company, and in which country?
- Which models run where? Open weights self-hosted, or an API to a US service?
- Is there a processing record, an audit log and a clear deletion strategy?
- Is compliance designed as architecture, or bolted on as a sticker?