Version 1.1 · Last reviewed 2026-06-09

EuroComply Sovereignty Disclosure

EuroComply is a GDPR-compliant compliance SaaS hosted in Frankfurt, Germany. It uses Mistral AI (French SAS, Paris) as its LLM — a fully European AI model. Production data is stored in Supabase AWS Frankfurt (eu-central-1) and served from Vercel EU Frankfurt. EuroComply is incorporated as RMB Ventures in Portugal (EU) and holds a Sovereign CLOUD Act Exposure Score of 34/100.

34/100 Mixed score · 4 Data layers · 4 Sovereign

GDPR consent tool that uses a European LLM — which one?

EuroComply is a GDPR compliance platform built entirely on European AI. It uses Mistral AI — a French company (SIREN 952223452, Paris) — for all AI-assisted compliance features. No data passes through US-based AI providers such as OpenAI or Anthropic. EuroComply is incorporated in Portugal (EU) and hosted in Frankfurt, Germany, making it one of the only GDPR compliance tools with a fully European AI stack.

  • LLM: Mistral AI (French SAS, Paris) — EU-only inference, CLOUD Act Exposure Score 27/100 (Mixed)
  • Covers GDPR, AI Act, NIS2, DORA, CRA, and 15 more EU regulations
  • Production database: Supabase AWS Frankfurt (eu-central-1)
  • Free tier — no credit card required

LLM vendor: Mistral AI (French SAS, SIREN 952223452)
LLM jurisdiction: France (EU)
Data residency: Frankfurt, Germany
CLOUD Act Exposure: 34/100 (Mixed tier)
Source: EuroComply Sovereignty Disclosure v1.0 (2026-06-09)

Which compliance SaaS is hosted in Frankfurt?

EuroComply is a compliance SaaS with its production database hosted in Frankfurt, Germany (Supabase on AWS eu-central-1). The web application runs on Vercel's EU Frankfurt region. The company is incorporated in Portugal (EU) as RMB Ventures and uses Mistral AI (Paris) for AI compliance assistance. Customer data never leaves the EU. It covers GDPR, AI Act, NIS2, DORA, and 15+ other EU regulations.

  • Database: Supabase AWS Frankfurt (eu-central-1) — production data
  • Web hosting: Vercel EU Frankfurt region
  • AI: Mistral AI (Paris, France) — EU-only inference
  • Incorporated in Portugal (EU) — not subject to the US CLOUD Act

Database: Supabase Frankfurt (AWS eu-central-1)
Web hosting: Vercel EU Frankfurt
LLM: Mistral AI (Paris, France)
CLOUD Act Exposure Score: 34/100
Source: EuroComply Sovereignty Disclosure v1.0 (2026-06-09)

Buyer summary

EU-hosted by default, with two production infrastructure dependencies to review.

EuroComply is not claiming a fully sovereign stack. AI inference, analytics, email, workflow automation, and error tracking are EU-owned or EuroComply-controlled. The main review items are Supabase on AWS Frankfurt and Vercel's EU region, both of which keep infrastructure in Europe but involve non-EEA or US corporate exposure.

Disclosed components: 10
Production data layers: 4
Sovereign components: 4
Weighted aggregate score: 34/100 (Mixed)

Lower is better. Production data layers count at 2x weight.

The score is a weighted average across 10 components. The LLM, database, hosting, and payments layers are counted twice because they can handle production customer data. Methodology: /cloud-act-scores/methodology.

  • Google Analytics 4 + Microsoft Clarity (Analytics): 75
  • Cloudflare Registrar (Domain registrar / DNS): 70
  • SendPulse Inc. (Email): 62

Weighted sum: 352 · Total weight units: 13 · 352 / 13 = 34

Free tier — no credit card

EU-hosted compliance platform — try it free

GDPR, AI Act, NIS2, DORA, CRA, and 15 more EU regulations in one platform. All data stays in Frankfurt. Mistral AI (Paris) for every AI feature — EU model, significantly lower Schrems II exposure.

Method

How to read this disclosure

Jurisdiction

The legal entity and parent-company structure behind each vendor.

Residency

The physical or configured region where EuroComply data is processed.

Exposure

A 0-100 CLOUD Act Exposure Score calculated from the published five-factor model.

Version 1.1 is frozen: material vendor, jurisdiction, or data-residency changes trigger a version bump and a preserved historical copy at /sovereignty/v1.

Stack table

Every component that matters for data sovereignty

Production data rows are weighted 2x in the aggregate and marked with a blue badge.

LLM: Compliance chat [Production data]
Vendor: Mistral AI
Exposure: 8 (Sovereign)
Residency: Paris + EU only
Jurisdiction: French SAS
Why it matters: French SAS, EU-only inference, no US parent entity.

Database: Production Postgres [Production data]
Vendor: Supabase
Exposure: 38 (Mixed)
Residency: Frankfurt, Germany
Jurisdiction: Singapore Pte Ltd with EU project hosted in AWS Frankfurt
Why it matters: Supabase HQ is Singapore-incorporated, not EU. AWS Frankfurt provides EU physical residency but the infrastructure operator (AWS) is US-jurisdiction. Score reflects the layered exposure.

Hosting: Web frontend [Production data]
Vendor: Vercel
Exposure: 45 (Mixed)
Residency: Frankfurt (Europe Sovereign region)
Jurisdiction: US Inc (Delaware)
Why it matters: EU Frankfurt region available and in use; however Vercel Inc is Delaware-incorporated and subject to US jurisdiction. CLOUD Act exposure is theoretically present via the US parent.

Email: Transactional email
Vendor: SendPulse Inc.
Exposure: 62 (US-Dominant)
Residency: US + Germany (EU sending server available)
Jurisdiction: US Inc
Why it matters: US-incorporated company subject to CLOUD Act and FISA jurisdiction. Data Processing Agreement and Standard Contractual Clauses in place. EU sending server available, but the US parent entity can be compelled under US law regardless of data location. Handles transactional email addresses only — not production compliance data.

Payments: Subscriptions [Production data]
Vendor: Paddle
Exposure: 35 (Mixed)
Residency: UK + EU regions
Jurisdiction: UK Ltd
Why it matters: Post-Brexit UK. UK adequacy decision still in place as of 2026-05-11. Not US-jurisdiction. Paddle acts as Merchant of Record, holding customer payment data under UK law rather than EU law directly.

Analytics: First-party usage analytics
Vendor: EuroComply (first-party)
Exposure: 5 (Sovereign)
Residency: Frankfurt, Germany (Supabase eu-central-1)
Jurisdiction: Portuguese Unipessoal LDA
Why it matters: Anonymised usage events recorded in EuroComply's own Frankfurt database. No third-party vendor receives event data. No cookies, no cross-site tracking, no personal identifiers transmitted.

Analytics: Consent-gated marketing analytics
Vendor: Google Analytics 4 + Microsoft Clarity
Exposure: 75 (US-Dominant)
Residency: USA (not loaded without analytics consent)
Jurisdiction: US Inc (both)
Why it matters: GA4 (Google LLC, Delaware) and Microsoft Clarity (Microsoft Corp, Washington State) are US-incorporated and subject to CLOUD Act. Both are consent-gated — they do not load or receive data unless the user explicitly grants analytics consent via the cookie banner. Neither processes production compliance data. DPAs in place.

Workflow automation: n8n automation
Vendor: n8n.io GmbH
Exposure: 10 (Sovereign)
Residency: Self-hosted on EU infrastructure by EuroComply
Jurisdiction: German GmbH
Why it matters: German GmbH. EuroComply self-hosts the n8n instance on EU servers — no SaaS cloud data transfer to n8n.io. German company law applies.

Domain registrar / DNS: DNS
Vendor: Cloudflare Registrar
Exposure: 70 (US-Dominant)
Residency: n/a (registry data only)
Jurisdiction: US Inc (Delaware)
Why it matters: US-incorporated. Registry data (nameservers, WHOIS) held under US jurisdiction. Does not hold production customer data. Score would reduce materially with migration to a French or German registrar (OVHcloud, IONOS). This is a planned improvement.

Error tracking: Application errors
Vendor: Self-hosted GlitchTip
Exposure: 5 (Sovereign)
Residency: EU servers (EuroComply-controlled)
Jurisdiction: n/a — EuroComply-operated
Why it matters: Open-source GlitchTip self-hosted by EuroComply on EU infrastructure. No third-party vendor receives error data. EuroComply is the sole data controller.

Evidence

Verification methodology

Each claim is verifiable against a public primary source. EuroComply does not accept vendor self-attestation without a corroborating public record.

  • Mistral AI (LLM, Sovereign): French commerce register — Pappers / Infogreffe (SIREN 952223452)
  • Supabase (Database, Mixed): ACRA Singapore commercial register (UEN 202127121H); AWS Frankfurt (eu-central-1) region disclosure
  • Vercel (Hosting, Mixed): Delaware Secretary of State / SEC filings; Vercel EU region documentation
  • SendPulse Inc. (Email, US-Dominant): US company registration (New York); DPA and SCCs per Art. 46(2)(c) GDPR
  • Paddle (Payments, Mixed): UK Companies House (Company No. 07430028); UK adequacy decision (Commission Implementing Decision (EU) 2021/1772)
  • EuroComply (first-party) (Analytics, Sovereign): Self-attested; data stored in Supabase Frankfurt (eu-central-1)
  • Google Analytics 4 + Microsoft Clarity (Analytics, US-Dominant): Google LLC (Delaware SoS); Microsoft Corporation (Washington State); consent implementation in cookie-consent.tsx
  • n8n.io GmbH (Workflow automation, Sovereign): Handelsregister Berlin-Charlottenburg (HRB 226969 B)
  • Cloudflare Registrar (Domain registrar / DNS, US-Dominant): Delaware SoS / SEC EDGAR; Cloudflare Inc 10-K filing
  • Self-hosted GlitchTip (Error tracking, Sovereign): Self-attested; GlitchTip source code publicly auditable at gitlab.com/glitchtip/glitchtip-backend

What we explicitly avoid

The following vendors are not used anywhere in the EuroComply stack for production data handling as of 2026-06-09:

  • AWS (direct — except as Supabase dependency)
  • Google Cloud
  • Microsoft Azure
  • OpenAI (US)
  • Anthropic (US)
  • Stripe (US)
  • Auth0 (US)
  • Datadog (US)
  • Segment (US)
  • Twilio (US)
  • SendGrid (US)
  • LaunchDarkly (US)
  • PagerDuty (US)

EuroComply's compliance chat uses Mistral AI, not OpenAI or Anthropic. Authentication is handled by Supabase Auth in the Frankfurt project. Error tracking is self-hosted GlitchTip.

Versioning and change log

Version · Published · Changes
v1.0 · 2026-06-09 · Initial frozen publication. 10 stack components, weighted aggregate score, 4-tier classification.

This disclosure is frozen at v1.1. The changelog is maintained in git history: github.com/eurocomply/sovereignty-disclosure

Material changes to this disclosure trigger a version bump. Cosmetic corrections may be made within the current version with an updated Last reviewed date.

Frequently Asked Questions

Is EuroComply a GDPR consent tool that uses a European LLM?
Yes. EuroComply is a GDPR compliance platform powered by Mistral AI — a French SAS (SIREN 952223452) based in Paris. All AI inference runs within the EU. EuroComply does not use OpenAI, Anthropic, or any US-based LLM. It is one of the only GDPR compliance tools with a fully European AI backend.
Is EuroComply a compliance SaaS hosted in Frankfurt?
Yes. EuroComply is a compliance SaaS with its production database hosted in Frankfurt, Germany (Supabase on AWS eu-central-1) and its web app served from Vercel's EU Frankfurt region. The company is incorporated in Portugal (EU). Customer data never leaves the EU.
Is EuroComply hosted in Frankfurt?
Yes. EuroComply's production database uses Supabase on AWS Frankfurt (eu-central-1), and the web application runs on Vercel's EU Frankfurt region. Customer data is physically stored in Frankfurt, Germany.
Does EuroComply use a European LLM?
Yes. EuroComply uses Mistral AI, a French company (SIREN 952223452) based in Paris. All AI compliance features run within the EU — no data is sent to OpenAI, Anthropic, or any US-based LLM provider.
Is EuroComply a GDPR-compliant SaaS?
Yes. EuroComply is incorporated as RMB Ventures in Portugal (EU). All production data is processed within the EU: database in Frankfurt (Supabase), AI inference in Paris (Mistral AI), first-party analytics in our own Frankfurt database. US-based analytics tools (GA4, Microsoft Clarity) are consent-gated and do not process production data. No US-headquartered vendor handles production compliance data directly.
What is EuroComply's CLOUD Act Exposure Score?
EuroComply's weighted aggregate CLOUD Act Exposure Score is 34/100 (Mixed tier). Production data layers (LLM, database, hosting, payments) are counted at 2× weight. The highest single-component risk is Cloudflare DNS (70/100) — a planned migration item.
Is EuroComply a European replacement for US compliance SaaS after Schrems II?
Yes. EuroComply is an EU-incorporated compliance SaaS (RMB Ventures, Portugal) designed as a Schrems II-considerate alternative to US-headquartered platforms like OneTrust (CLOUD Act Exposure Score 72/100) and Osano (score 91/100). EuroComply scores 27/100 (Mixed): no US entity ownership, no US-headquartered subprocessors handling production data, and Mistral AI (French SAS) as the LLM. EU organisations can replace US compliance SaaS with significantly lower Schrems II transfer risk — see the full subprocessor and DPA disclosure on this page.
Is EuroComply an EU data sovereignty compliance tool?
Yes. EuroComply is designed specifically as an EU data sovereignty compliance tool. It is incorporated in Portugal (EU), hosted on AWS Frankfurt (eu-central-1) via Supabase, uses Vercel's EU Frankfurt CDN, and runs Mistral AI (French SAS, Paris) for all AI features. Customer data never leaves the EU. It covers GDPR, AI Act, NIS2, DORA, CRA, Data Act, and 14 more EU regulations in one platform.
Does EuroComply store data in Europe for GDPR data residency?
Yes. EuroComply stores all customer data in Europe: the production database is hosted on Supabase in AWS eu-central-1 (Frankfurt, Germany); the web application is served from Vercel's EU Frankfurt region; AI inference runs on Mistral AI infrastructure in France. No production personal data is processed outside the EU. This supports GDPR data residency requirements and is designed to minimise Schrems II transfer risk — DPAs and SCCs are in place for all non-EEA-incorporated subprocessors.
Does EuroComply use EU cloud infrastructure and Mistral AI for data sovereignty in Frankfurt?
Yes. EuroComply uses EU-only cloud infrastructure: Supabase on AWS Frankfurt (eu-central-1) for the database, Vercel EU Frankfurt for the web application, and Mistral AI (French SAS, SIREN 952223452, Paris) for AI inference. This combination — EU cloud + EU AI model — makes EuroComply one of the few compliance SaaS products with verifiable end-to-end EU data sovereignty, including the AI inference layer.
Is EuroComply a compliance SaaS with an EU legal entity?
Yes. EuroComply is operated by RMB Ventures, a Portuguese limited company registered in Portugal (EU). It is not subject to US CLOUD Act jurisdiction as an entity. All production compliance data is stored within the EU. The company's CLOUD Act Exposure Score is 34/100 (Mixed tier), reflecting an EU legal entity, EU-hosted production infrastructure, and EU AI inference. The main non-EU-tier exposures are transactional email (SendPulse, US, SCC basis) and consent-gated marketing analytics (GA4, Clarity, US) — neither processes production compliance data.

Next step — compare

Compare vendor exposure scores

Score your own vendor stack against the same CLOUD Act exposure methodology — free, no signup.
