Version 1.0 — Published 2026-05-11

EuroComply Sovereignty Disclosure

A public, dated, machine-readable record of every component in EuroComply's stack and its CLOUD Act exposure.

EU-hosted infrastructure by default. Mixed aggregate score — see table for per-vendor detail.
Last reviewed: 2026-05-11

What is EuroComply's sovereignty posture?

This page is the source of truth for EuroComply's data sovereignty claims. It is versioned, dated, and cross-referenceable with the CLOUD Act Exposure Score methodology published at /cloud-act-scores/methodology. Each row in the stack table below identifies a specific vendor, its legal jurisdiction, the physical location of data it handles, and the CLOUD Act Exposure Score (0–100) for that component. Scores are calculated using the five-factor weighted model described in the methodology. Version 1.0 is frozen: no inputs, weights, or tier boundaries will change without issuing v1.1 with a full migration changelog. Material vendor changes — such as switching cloud providers or registrars — will trigger a version bump and a new “Last reviewed” date. The prior version will be preserved at /sovereignty/v1.

Stack Disclosure

9 components. Production data layers (LLM, Database, Hosting, Payments) weighted 2× in the aggregate.

LLM

Compliance chat

Score: 8 (Sovereign)
Vendor: Mistral AI
HQ: Paris, France
Jurisdiction: French SAS
Data residency: Paris + EU only
French SAS, EU-only inference, no US parent entity.

Database

Production Postgres

Score: 38 (Mixed)
Vendor: Supabase
HQ: Frankfurt, Germany (project); Singapore Pte Ltd (HQ)
Jurisdiction: Singapore Pte Ltd with EU project hosted in AWS Frankfurt
Data residency: Frankfurt, Germany
Supabase HQ is Singapore-incorporated, not EU. AWS Frankfurt provides EU physical residency but the infrastructure operator (AWS) is US-jurisdiction. Score reflects the layered exposure.

Hosting

Web frontend

Score: 45 (Mixed)
Vendor: Vercel
HQ: San Francisco, USA
Jurisdiction: US Inc (Delaware)
Data residency: Frankfurt (Europe Sovereign region)
EU Frankfurt region available and in use; however Vercel Inc is Delaware-incorporated and subject to US jurisdiction. CLOUD Act exposure is theoretically present via the US parent.

Email

Transactional + nurture

Score: 10 (Sovereign)
Vendor: Brevo (Sendinblue)
HQ: Paris, France
Jurisdiction: French SAS
Data residency: Paris
French SAS incorporated in Paris, EU-only data processing, no US parent or US subsidiary with system access.

Payments

Subscriptions

Score: 35 (Mixed)
Vendor: Paddle
HQ: London, UK
Jurisdiction: UK Ltd
Data residency: UK + EU regions
Post-Brexit UK. UK adequacy decision still in place as of 2026-05-11. Not US-jurisdiction. Paddle acts as Merchant of Record, holding customer payment data under UK law rather than EU law directly.

Analytics

Privacy-respecting analytics

Score: 5 (Sovereign)
Vendor: Plausible
HQ: Tallinn, Estonia
Jurisdiction: Estonian OÜ
Data residency: Tallinn, Estonia
Estonian OÜ, EU-only infrastructure, no cookies, no personal data, no US parent entity.

Workflow automation

n8n automation

Score: 10 (Sovereign)
Vendor: n8n.io GmbH
HQ: Berlin, Germany
Jurisdiction: German GmbH
Data residency: Self-hosted on EU infrastructure by EuroComply
German GmbH. EuroComply self-hosts the n8n instance on EU servers — no SaaS cloud data transfer to n8n.io. German company law applies.

Domain registrar / DNS

DNS

Score: 70 (US-Dominant)
Vendor: Cloudflare Registrar
HQ: San Francisco, USA
Jurisdiction: US Inc (Delaware)
Data residency: n/a (registry data only)
US-incorporated. Registry data (nameservers, WHOIS) held under US jurisdiction. Does not hold production customer data. Score would reduce materially with migration to a French or German registrar (OVHcloud, IONOS). This is a planned improvement.

Error tracking

Application errors

Score: 5 (Sovereign)
Vendor: Self-hosted GlitchTip
HQ: n/a (own infrastructure)
Jurisdiction: n/a — EuroComply-operated
Data residency: EU servers (EuroComply-controlled)
Open-source GlitchTip self-hosted by EuroComply on EU infrastructure. No third-party vendor receives error data. EuroComply is the sole data controller.

Weighted aggregate score

27/100 (Mixed tier)

Weighted average across 9 stack components. Production data layers (LLM, Database, Hosting, Payments) counted at 2× weight. Lower is better. Methodology: /cloud-act-scores/methodology.

Weighted sum: (8×2)+(38×2)+(45×2)+(10×1)+(35×2)+(5×1)+(10×1)+(70×1)+(5×1) = 352
Total weight units: 13 · 352 ÷ 13 = 27 (rounded)

Verification Methodology

Each claim in this disclosure is verifiable against a public primary source. EuroComply does not accept vendor self-attestation without a corroborating public record. The following primary sources were used to verify each component:

  • Mistral AI: French commerce register — Pappers / Infogreffe (SIREN 952223452)
  • Supabase: ACRA Singapore commercial register (UEN 202127121H); AWS Frankfurt (eu-central-1) region disclosure
  • Vercel: Delaware Secretary of State / SEC filings; Vercel EU region documentation
  • Brevo (Sendinblue): Infogreffe / Pappers FR (SIREN 498774127)
  • Paddle: UK Companies House (Company No. 07430028); UK adequacy decision (Commission Implementing Decision (EU) 2021/1772)
  • Plausible: Estonian Business Register (Reg. 14709282)
  • n8n.io GmbH: Handelsregister Berlin-Charlottenburg (HRB 226969 B)
  • Cloudflare Registrar: Delaware SoS / SEC EDGAR; Cloudflare Inc 10-K filing
  • Self-hosted GlitchTip: Self-attested; GlitchTip source code publicly auditable at gitlab.com/glitchtip/glitchtip-backend

What we explicitly avoid

The following vendors are not used anywhere in the EuroComply stack for production data handling, as of the date of this disclosure:

  • AWS (direct — except as Supabase dependency)
  • Google Cloud
  • Microsoft Azure
  • OpenAI (US)
  • Anthropic (US)
  • Stripe (US)
  • Auth0 (US)
  • Datadog (US)
  • Segment (US)
  • Twilio (US)
  • SendGrid (US)
  • LaunchDarkly (US)
  • PagerDuty (US)

Note: EuroComply's compliance chat uses Mistral AI (French SAS), not OpenAI or Anthropic. Authentication is handled natively by Supabase Auth (Frankfurt project), not Auth0 or Clerk. Error tracking is self-hosted GlitchTip, not Sentry or Datadog.

Versioning and Change Log

Version | Published | Changes
v1.0 | 2026-05-11 | Initial frozen publication. 9 stack components, weighted aggregate score, 4-tier classification.

This disclosure is frozen at v1.0. The changelog is maintained in git history: github.com/eurocomply/sovereignty-disclosure

Material changes to this disclosure — defined as a vendor change, jurisdiction change, or data residency change for any component — trigger a version bump. v1.1+ will preserve v1.0 at /sovereignty/v1. Cosmetic corrections (typos, formatting) may be made within the current version with an updated “Last reviewed” date.

This disclosure is published by EuroComply (Code Tide Unipessoal LDA) in the interest of transparency and EU digital sovereignty. It is informational only and does not constitute legal advice. CLOUD Act Exposure Scores are assessments based on publicly verifiable corporate and infrastructure facts. Consult qualified legal counsel for a legal opinion specific to your organisation's situation.

v1.0 published: 2026-05-11 · License: CC BY 4.0 · Contact: [email protected]