Sovereignty & Provenance
Where your data lives, and who can touch it.
An EU-only data path, an append-only provenance ledger, and controls enforced in the database — not in a policy document.
The data path
Every step stays inside the EU.
01
Capture
Episodes are captured in the EU.
02
Processing
Annotation and QA run on EU infrastructure.
03
Storage
OVHcloud Paris (eu-west-par).
04
Delivery
Streamed to the customer, every access logged.
No US entity holds, processes, or can be compelled to disclose this data at any step.
Jurisdiction
What the law says. What the stack makes impossible.
GDPR Art. 48
Foreign judgments need an EU legal basis
The law
A judgment or decision of a third-country authority requiring the transfer or disclosure of personal data is recognised only if based on an international agreement. Without an EU legal basis, the order has no effect here.
Our stack
Our storage operator is a French-owned entity. There is no US parent anywhere in the chain of control for a foreign order to arrive through.
Schrems II — CJEU C-311/18, 16 July 2020
US surveillance law failed EU adequacy
The law
The Court of Justice of the EU invalidated the Privacy Shield framework, holding US surveillance law incompatible with EU adequacy requirements for personal data transfers.
Our stack
No US entity holds keys or credentials to this data. There is no US-side arrangement in the data path whose validity we depend on.
US CLOUD Act §103(a)
US providers can be compelled anywhere
The law
US providers can be compelled to disclose data in their possession, custody, or control — regardless of where in the world that data is stored.
Our stack
No US provider possesses or controls the data at any step. Payload access is gated by EU-issued stream tokens, and every access is logged.
The ledger
Auditable by construction, not by policy.
Every annotation and QA event writes to an append-only provenance ledger. Delivered bundles include the ledger extract for every episode they contain, and customers recompute the hash chain themselves — verifying our supply chain requires no trust in our word, only arithmetic.

Controls
Enforced in the database, not the application.
Streamed, never downloaded
Row-level security
For how this provenance chain maps to EU AI Act Article 10 obligations, see the data page.
Supply chain
What jurisdiction actually means.
| EU-sovereign supply chain | US-cloud supply chain | |
|---|---|---|
| Governing law | EU law and GDPR, end to end. | Subject to US CLOUD Act reach wherever a US entity controls the data. |
| Storage entity ownership | French-owned operator (OVHcloud); no US parent in the chain of control. | US-headquartered operators, regardless of the region a bucket sits in. |
| Disclosure compulsion | Disclosure requires EU legal process. | US authorities can compel disclosure from the US entity, including for data stored in the EU. |
| Audit mechanism | Cryptographic ledger — customers recompute the hash chain themselves. | Contractual assurance and vendor attestations. |
Put the claims in front of your lawyer.
Every statement on this page is true of the built platform and verifiable from a delivered bundle.
Request a pilot