The real test is jurisdiction, not where the server stands
Many vendors point to data centres in Germany and call that sovereign. But data residency and sovereignty are not the same question. What matters is which law binds the operator. A provider under US jurisdiction falls under the CLOUD Act of 2018. It compels US companies to hand over data even when that data physically sits in Frankfurt. Server location alone does not protect against this.
The European legal picture reinforces the point. The Schrems II ruling of 2020 sharply restricted data transfers to the United States, and the EU Data Act, in force from 2025, adds further obligations around data access and provider switching. Anyone running AI in a regulated sector needs a technical answer to this, not only a contractual one.
That is why we build a stack with no US dependency. Open-weight models such as Teuken-7B from the Fraunhofer-led OpenGPT-X project, Mistral and Qwen run on our own servers in Germany, served through the vLLM inference engine. No US cloud, no US API by default. Your data stays with you or inside our EU infrastructure. This is data sovereignty, not ownership of the software.
We stay honest about the limits. On-premise deployment does not by itself produce GDPR compliance. The GDPR, the EU AI Act, BSI IT-Grundschutz and the ISO 27001 and ISO 42001 standards are the framework we implement for you, technically and organisationally, for public authorities, healthcare and law firms. Beyonetix holds none of these certifications and claims none. We build the conditions; the certification rests with you and your auditor.