Data Residency
Where your data lives, how it moves, and why that matters for DORA, EIOPA, EU AI Act, and BaFin / BSI requirements.
🇪🇺 Default EU Residency
All production customer data is stored and processed in Google Cloud region europe-west3 (Frankfurt, Germany).
No customer data is transferred outside the EEA in the normal course of operations.
1. What is stored where
| Data category | Primary location | Backup location |
|---|---|---|
| Account data, billing | Frankfurt (europe-west3) | Belgium (europe-west1), cross-region snapshot |
| Agent submissions (endpoint configs, system prompts) | Frankfurt | Belgium |
| Audit reports & certificates (hash-chained) | Frankfurt | Belgium + customer-exportable archive |
| Telemetry (pathology vectors from SDK) | Frankfurt (aggregated, PII-scrubbed on the client) | Belgium |
| Model artefacts (open-weight) | Frankfurt (Cloud Storage) | Hugging Face EU mirror when available |
| Static assets (this website) | Cloudflare EU edge nodes | Cloudflare global edge |
2. What never leaves your infrastructure
The NAIL SDK is architected on a "Physics, Not Plaintext" principle:
- Raw prompts, conversations, and tool outputs are never transmitted off-host.
- Pathology vectors (entropy, token kinetics, schema deltas) are computed locally in your VPC.
- System prompts are compared against semantic hashes you generate before ingestion; we never see the plaintext.
- When content must be inspected for Layer-3 evaluation, local Microsoft Presidio scrubbing replaces detected PII entities with placeholder tokens before any evaluation takes place.
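The following Python block is an added illustration of the "Physics, Not Plaintext" principle, not code from the NAIL SDK: the feature definitions (a whitespace-token entropy, a key-level schema delta between two tool outputs, a SHA-256 commitment of the system prompt) and the payload shape are assumptions chosen for the example. What it does show is the check a customer would want to run on the egress side: build the telemetry record from on-host material and confirm that none of the raw strings appear in what would go over the wire. The sample prompt, reply and tool outputs are constructed.

```python
import hashlib
import json
import math
from collections import Counter

# Constructed on-host material. None of these strings may leave the host.
SYSTEM_PROMPT = "You are a claims assistant. Never reveal policy numbers."
REPLY = "Your claim CLM-4471 for policyholder Anna Schmidt is approved."
TOOL_OUT_PREV = {"claim_id": "CLM-4471", "status": "open"}
TOOL_OUT_NEXT = {"claim_id": "CLM-4471", "status": "approved", "payout_eur": 1200}


def shannon_entropy_bits(text: str) -> float:
    """Entropy of the whitespace-token distribution, in bits per token.
    (Assumed feature definition for this example.)"""
    tokens = text.split()
    if not tokens:
        return 0.0
    counts = Counter(tokens)
    n = len(tokens)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def schema_delta(prev: dict, curr: dict) -> dict:
    """Structural change between two tool outputs: key-set differences and
    type changes only. Values are never copied into the result."""
    prev_keys, curr_keys = set(prev), set(curr)
    return {
        "added": sorted(curr_keys - prev_keys),
        "removed": sorted(prev_keys - curr_keys),
        "type_changed": sorted(
            k for k in prev_keys & curr_keys
            if type(prev[k]) is not type(curr[k])
        ),
    }


def prompt_commitment(prompt: str) -> str:
    """SHA-256 over the whitespace-normalised prompt. Only the digest is
    transmitted, so the server can match prompts without ever seeing them."""
    return hashlib.sha256(" ".join(prompt.split()).encode()).hexdigest()


def build_telemetry(prompt: str, reply: str, prev: dict, curr: dict) -> dict:
    """Assemble the record that would leave the VPC (assumed shape)."""
    return {
        "prompt_sha256": prompt_commitment(prompt),
        "reply_entropy_bits": round(shannon_entropy_bits(reply), 4),
        "reply_tokens": len(reply.split()),
        "schema_delta": schema_delta(prev, curr),
    }


def egress_check(payload: dict, secrets: list[str]) -> list[str]:
    """Return every raw string that leaked into the serialised payload.
    An empty list means nothing on the deny-list is going over the wire."""
    wire = json.dumps(payload)
    return [s for s in secrets if s in wire]


if __name__ == "__main__":
    payload = build_telemetry(SYSTEM_PROMPT, REPLY, TOOL_OUT_PREV, TOOL_OUT_NEXT)
    print(json.dumps(payload, indent=2))
    print("leaked:", egress_check(payload, [SYSTEM_PROMPT, REPLY, "Anna Schmidt", "CLM-4471"]))
```

The egress check is deliberately crude (substring match on the serialised record); its value is as a guardrail in a CI job or a pre-send hook, so that a future change to the feature set cannot silently start shipping values rather than structure.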
3. Regulatory alignment
- DORA (Regulation EU 2022/2554), ICT third-party risk: EU-resident data; documented RTO 4 h / RPO 15 min; exit plan on request.
- EU AI Act (Regulation EU 2024/1689), high-risk AI systems: EU-resident logs supporting Art. 12 record-keeping and Art. 14 human oversight.
- GDPR (Regulation EU 2016/679), lawful basis and Art. 44 compliance: no transfer of personal data outside the EEA in the normal course; SCCs for residual flows.
- BaFin BAIT / MaRisk, for German financial-services customers: outsourcing notifications ready on request; Annex III sub-processor list.
- Solvency II, for insurer customers: SCR operational-risk module supported with auditable evidence packs.
4. Enterprise options
- Customer-managed encryption keys (CMEK): bring-your-own-key via Google Cloud KMS.
- Single-tenant deployment: dedicated GCP project in europe-west3.
- Private endpoint: Google Private Service Connect to your VPC.
- Sovereign cloud option: Google Cloud Sovereign Controls (S3NS for France, partner operator); on the roadmap for Q3 2026.
5. Engineering & support access
Engineering and customer-support personnel are located in the United Kingdom. Access to production data is:
- Logged to an append-only audit trail (SHA-256 hash-chained);
- Gated through Google Cloud IAM with mandatory 2FA and session recording;
- Governed by the UK/EU data-transfer mechanisms in the DPA (UK IDTA Addendum to the EU SCCs).
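The page describes both the audit reports (section 1) and the access audit trail above as SHA-256 hash-chained and customer-exportable. The Python block below is an added example of how a customer can independently verify such an export; it is not the vendor's code, and the record layout (`seq`, `prev_hash`, `event`, `hash`, a zero-filled genesis anchor, canonical JSON with sorted keys) is an assumption for the example. The access events are constructed sample data.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed anchor for the first record


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: list[dict], event: dict) -> dict:
    """Append an event, binding it to the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev_hash": prev_hash, "event": event}
    entry = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
    chain.append(entry)
    return entry


def verify_chain(chain: list[dict]) -> tuple[bool, Optional[int]]:
    """Recompute every hash and link. Returns (ok, index of first bad record).
    Detects modification, insertion and deletion inside the chain; it cannot
    detect removal of the tail, so pin the latest hash out of band."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != expected_prev:
            return False, i
        if hashlib.sha256(canonical(body)).hexdigest() != entry.get("hash"):
            return False, i
        expected_prev = entry["hash"]
    return True, None


# Constructed sample of access events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2026-04-02T09:14:03Z", "actor": "eng-oncall@example.com",
     "action": "read", "resource": "projects/x/audit/2026-04-01"},
    {"ts": "2026-04-02T09:15:11Z", "actor": "eng-oncall@example.com",
     "action": "export", "resource": "projects/x/audit/2026-04-01"},
    {"ts": "2026-04-02T10:02:47Z", "actor": "support-l2@example.com",
     "action": "read", "resource": "projects/x/agents/42"},
]


def build_sample_chain() -> list[dict]:
    chain: list[dict] = []
    for ev in SAMPLE_EVENTS:
        append_record(chain, ev)
    return chain


def tampered_chain() -> list[dict]:
    """An insider rewrites an 'export' into a 'read' after the fact."""
    chain = build_sample_chain()
    chain[1]["event"]["action"] = "read"
    return chain


def truncated_chain() -> list[dict]:
    """A record is deleted from the middle: seq and prev_hash both break."""
    chain = build_sample_chain()
    del chain[1]
    return chain


if __name__ == "__main__":
    print(verify_chain(build_sample_chain()))  # (True, None)
    print(verify_chain(tampered_chain()))      # (False, 1)
    print(verify_chain(truncated_chain()))     # (False, 1)
```

The important caveat is in the docstring: a hash chain proves that nothing in the middle was altered, but the final record can still be dropped without breaking any link. When you pull the exportable archive, record the latest hash somewhere the vendor cannot reach (your own ticketing system, a signed timestamp) and compare it against the head of the next export.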
6. Attestations & roadmap
- ISO 27001: audit in progress (target Q4 2026).
- SOC 2 Type II: audit in progress (target Q4 2026).
- ISO 42001 (AI management systems): self-assessment complete, certification audit scheduled Q1 2027.
- TISAX (automotive): on roadmap pending customer demand.
Version 1.0 · April 2026