EU Data Sovereignty
Sovereign by design.
Hosted in the Netherlands. Powered by Mistral and local models. Beyond the reach of the US CLOUD Act and any foreign authority, because compliance alone was never enough.
Hosted in the EU, and only the EU
Our infrastructure stays inside the Union, on European providers. No US clouds means no US company in the path, and no foreign authority it could answer to.
An EU-only model stack
We build on Mistral and local, open-weight models. Your data is never sent to US AI providers, and never used to train someone else’s model.
Out of reach of foreign authorities
Because no US company sits between you and your data, there is no CLOUD Act warrant or FISA order that can compel its disclosure. Your data answers to you, and to European law alone.
Compliance, and then some
GDPR, NIS2 and the EU AI Act are built in. But compliance is only the floor: a US provider can be bound by the GDPR and still be compelled under US law. We remove that conflict at the root.
Why it matters
Compliance is the floor, not the ceiling.
Where your data sits is not the same as who can reach it. Data held in a European data centre is not truly European if a US company operates it: under the US CLOUD Act, a US-headquartered provider can be compelled to hand over data wherever in the world it is stored, and FISA 702 permits surveillance with no notice and no realistic way to object. The “sovereign cloud” labels offered by US firms do not change those obligations.
This is why compliance alone is not protection. A US provider serving European customers is bound by the GDPR and, at the same time, compellable under US law, a conflict it cannot contract away. The largest providers have acknowledged, under oath, that they cannot guarantee European data will never be handed to US authorities.
We remove the exposure at its source. Because infrastructure, models and data stay with European parties only, there is no foreign company in the path and no foreign law that reaches it. That is what “sovereign by design” means: not a promise added at the end, but a property of how the system is built.
The CLOUD Act, precisely
Why a US provider can always be compelled, wherever your data sits.
This is not a worst-case scenario or a talking point. It is how US law is written. Here is exactly what it says, and why a contract cannot switch it off.
It is US law, and explicit about location.
The CLOUD Act (2018) added 18 U.S.C. § 2713 to the Stored Communications Act. It requires a provider to disclose data in its “possession, custody, or control”, and, in the statute’s own words, “regardless of whether” that data “is located within or outside of the United States.” Where the server stands is, by design, irrelevant.
It follows the company, not the building.
The duty binds any provider subject to US jurisdiction: companies incorporated in the US, and foreign companies with meaningful US operations (“minimum contacts”). An EU data centre run by such a company is still within reach.
“Control” means being able to get the data, not holding it.
US courts read “possession, custody, or control” broadly: it is enough that a company has the practical ability or legal right to obtain the data. A US parent that can instruct its European subsidiary to hand data over is treated as controlling it, even if the data never physically leaves Europe.
A contract cannot override a statute.
Data-residency clauses, standard contractual clauses, “EU data boundary” and “sovereign cloud” programmes are private agreements. They limit which staff touch data day to day; they do not remove the legal duty to obey a valid US order. The EU’s own regulators (EDPB and EDPS) found such contracts have no force against US judicial or administrative demands.
For EU data, there is no escape hatch.
A provider may ask a US court to quash an order only when it would break the law of a country that has signed a CLOUD Act “executive agreement” with the US. The EU has none. So an EU customer gets neither that protection nor any notice, and the provider is left choosing between a US order and the GDPR.
Surveillance law reaches further still.
Separately from law enforcement, FISA Section 702 and Executive Order 12333 let US intelligence compel data from US providers, typically under a gag order, with no notice to the customer. These are the powers that led the EU Court to strike down the Privacy Shield in Schrems II.
“No, I cannot guarantee that.”
The legal power to compel your data exists, applies wherever it sits, and cannot be contracted away. It disappears only when no US-jurisdiction company is anywhere in the path, which is exactly how Vivaldi is built.
A US-jurisdiction provider, and Vivaldi.
| | A US-jurisdiction provider | Vivaldi |
|---|---|---|
| Who can compel your data | US authorities (CLOUD Act, FISA 702, EO 12333) | Only a European court, under European law |
| Does an EU data centre help | No, the duty follows the company, not the server | Yes, and no US company sits in the path |
| Can a contract stop it | No, a statute overrides private agreements | Nothing to override, no foreign law applies |
| Will you be notified | Often not, orders can carry a gag order | Yes, access only through a process you can see |
| Which law governs your data | US and EU law, in conflict | EU law alone (GDPR, NIS2, EU AI Act) |
Sovereignty you can verify.
We’ll show you exactly where your data lives, who can and cannot reach it, and which models run.