May 1, 2026 6 min read
EU data residency for AI — what it concretely means, which vendors deliver
EU data residency is the key to GDPR-compliant AI. Which LLMs and cloud platforms really deliver in 2026 — and what to watch for in the contract.
- gdpr
- ai
- eu-hosting
- schrems-ii
- data-protection
- mid-market
Why EU data residency isn’t negotiable
If you want to integrate AI cleanly in the mid-market, EU data residency is the single most important architecture decision. Not the model choice (GPT vs Claude vs Mistral), not the platform choice (Zoho vs Odoo) — the data region.
Background: The CJEU struck down the EU-US Privacy Shield with the Schrems-II ruling (2020). Since then, data transfer to the US has only been allowed with elaborate additional security mechanisms:
- Standard Contractual Clauses (SCCs) — bilateral contracts between EU controller and US vendor
- Transfer Impact Assessment (TIA) — risk analysis per data category
- Additional encryption or pseudonymization measures — when the TIA reveals risks
It’s doable, but:
- Effortful — one TIA per AI vendor, to be reviewed with the data protection officer
- With residual risk — supervisory authorities can assess individual cases differently
- Politically unstable — Schrems III is already in preparation, and the EU-US Data Privacy Framework (2023) is being challenged again
Pragmatic alternative: Contractually guarantee EU data residency. When data doesn’t leave the EU, there’s no Schrems problem. Period.
Which LLM vendors really deliver EU residency
| Vendor | EU region | DPA available | Surcharge vs US | Mate iT experience |
|---|---|---|---|---|
| Mate iT EU hosting | Mate iT-operated EU infrastructure | ✅ DPA out of the box | Service pricing | Our own hosting solution — open-source LLMs (Mistral, Llama 3.1, Mixtral) on Mate iT-operated EU infrastructure. No US vendor, no self-hosting DevOps overhead. |
| Mistral | Paris (native) | ✅ Standard | — (EU-native) | In production, good capability for mid-market use cases |
| Aleph Alpha (Luminous) | Heidelberg/Cologne | ✅ Standard | — (EU-only) | Niche, when German sovereignty requirement exists |
| Anthropic Claude | AWS-EU region (Frankfurt) | ✅ Enterprise tier | ~10–15 % | Strong for reasoning, long-context, contract analysis |
| OpenAI Enterprise | Azure-EU (Frankfurt) | ✅ Enterprise | ~15–20 % | Standard setup for standard use cases |
| Google Vertex AI (Gemini) | europe-west (Belgium) | ✅ Enterprise | ~5–10 % | Strong for multimodal (image/video) |
| Microsoft Copilot | Azure-EU | ✅ via M365 | in bundle | When M365 already in place, obvious choice |
| Self-Hosted (Ollama, vLLM) | own infrastructure | n/a (no vendor) | only hosting costs | Maximum sovereignty, but DevOps effort |
Not on the list, because they offer no real EU residency:
- ChatGPT Free / Plus / Team — US region, no Enterprise DPA
- Anthropic standard API without Enterprise contract — US default
- Open-source LLM apps (Perplexity, You.com) — mostly US backend
- LinkedIn Sales Navigator AI, HubSpot AI — US backend
What must be in the contract
When an AI vendor promises “EU data residency”, check these five points explicitly:
1. Processing region — where does the LLM inference run? Must be named in the contract (e.g., “AWS eu-central-1 (Frankfurt)”).
2. Storage region — where are logs, caches, backups stored? Must also be EU. Common mistake: processing EU, but backups in US region.
3. Sub-processors — does the vendor itself use cloud services? OpenAI uses Azure, Anthropic uses AWS, Mistral hosts itself. Sub-processors all must have EU region.
4. Maintenance access — can the vendor technically access your data from outside the EU? The standard T&Cs of US vendors allow this; real EU setups exclude it.
5. Data deletion — when are queries and answers definitively deleted? The standard is 30 days of logging for error analysis, then auto-delete. If the contract doesn’t specify this, or says “indefinitely” — hands off.
Mate iT EU hosting — open-source LLMs on our own infrastructure
From 400+ mid-market projects we’ve learned: many controllers want the sovereignty of self-hosted setups, but they have neither the DevOps capacity nor the appetite to manage GPU servers, model updates, and compliance monitoring. Mate iT EU hosting closes exactly this gap.
What it is:
- Own EU infrastructure — physically operated in German and Austrian data centers, no US vendor in the stack, no third-country data-transfer question
- Open-source models — Mistral 8x22B, Llama 3.1 70B, Mixtral, plus specialized models for use cases like contract analysis, code generation, OCR
- DPA out of the box with Mate iT GmbH as data processor — one contract, no ping-pong between vendor, cloud, sub-processor
- DevOps stays with us — model updates, security patches, scaling, monitoring run on our side. You use the API.
- Service pricing — no token-based hidden costs, but clearly calculable monthly rates depending on usage volume
Technically this is a hybrid of Pattern B (self-hosted) and Pattern C (EU-hosted API): you get the sovereignty of self-hosted with the setup convenience of a commercial API. For mid-market companies with ISO 27001, BAFIN, or KRITIS in mind but no internal AI engineering capacity, this is often the clean answer.
We offer this as an add-on to our ERP implementation projects — most often combined with Odoo setups (see /en/blog/dsgvo-ki-odoo), but also stand-alone when an existing ERP stack is in place and only the AI layer needs to be added.
Mate iT recommendation matrix
| Use case | Recommendation |
|---|---|
| Standard mid-market (helpdesk, CRM, accounting) | Mistral or Anthropic Claude (EU-AWS) — good capability, clear GDPR story |
| Very German-centric use cases (HR, defense, public administration) | Aleph Alpha — politically clean, slightly less capability but uncritical |
| Multimodal (image/video analysis) | Google Vertex (Gemini) with europe-west — strongest multimodal model with EU residency |
| M365 stack in place | Microsoft Copilot with Azure-EU — obvious, DPA already part of M365 contract |
| Sovereignty without DevOps capacity | Mate iT EU hosting — open-source LLMs on our infrastructure, DPA with Mate iT GmbH, no US vendor in the stack |
| Maximum sovereignty (KRITIS, BAFIN, ISO 27001 strict reading) | Self-hosted Ollama + open-source model on your infrastructure — no vendor dependency, but DevOps effort on your side |
Most common mistake during contract review
“Standard contract, all covered, EU region included, DPA signed — check.” Sounds OK, but: the EU region must be actively configured; it is not the default.
Example OpenAI: the Enterprise tier offers the EU region as an option, but the default is US. If the OpenAI admin console hasn’t been explicitly switched to “Frankfurt”, everything runs through the US region despite the contract. We check this as the first step of every AI setup — an admin-console screenshot with the EU region activated serves as evidence.
The same applies to Microsoft Azure OpenAI Service, Google Vertex AI, and AWS Bedrock: the default is US, and the EU region must be actively configured.
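As an added check that covers both the five contract points above and the admin-console point in this section (example code, not Mate iT’s own tooling): a fail-closed pre-deployment check that turns the checklist into findings. It assumes the public AWS (eu-*), GCP (europe-*) and a subset of Azure region names as the EU classification, uses the article’s 30-day logging standard as the retention threshold, and the two vendor setups are constructed samples.

```python
"""Added example (not from the article or Mate iT): a fail-closed
pre-deployment check that applies the five contract points and the
'EU region must be actively configured' rule to a vendor setup.
Region identifiers are public AWS/GCP/Azure names; setups are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EU_PREFIXES = ("eu-", "europe-")           # AWS eu-*, GCP europe-*
EU_AZURE = {"westeurope", "northeurope", "germanywestcentral",
            "francecentral", "swedencentral", "switzerlandnorth"}

def is_eu_region(region: str) -> bool:
    """Classify a provider region identifier; anything unknown is non-EU."""
    r = region.strip().lower()
    return r.startswith(EU_PREFIXES) or r in EU_AZURE

@dataclass
class VendorSetup:
    name: str
    processing_region: str                       # point 1: inference
    storage_region: str                          # point 2: logs/backups
    sub_processors: Dict[str, str] = field(default_factory=dict)  # point 3
    non_eu_maintenance_access: bool = True       # point 4 (US T&C default)
    retention_days: Optional[int] = None         # point 5; None = indefinite
    eu_region_active_in_console: bool = False    # contract != configuration

def residency_findings(s: VendorSetup, max_retention_days: int = 30) -> List[str]:
    """Return blocking findings; an empty list means the setup passes."""
    findings = []
    if not is_eu_region(s.processing_region):
        findings.append(f"processing region {s.processing_region!r} is not EU")
    if not is_eu_region(s.storage_region):
        findings.append(f"storage/backup region {s.storage_region!r} is not EU")
    for sp, region in s.sub_processors.items():
        if not is_eu_region(region):
            findings.append(f"sub-processor {sp!r} in non-EU region {region!r}")
    if s.non_eu_maintenance_access:
        findings.append("contract permits maintenance access from outside the EU")
    if s.retention_days is None or s.retention_days > max_retention_days:
        findings.append("no bounded deletion period for queries and answers")
    if not s.eu_region_active_in_console:
        findings.append("EU region not activated in the admin console")
    return findings

# Constructed samples: the 'backups in US' mistake, and a clean setup.
BACKUPS_IN_US = VendorSetup("vendor-a", "eu-central-1", "us-east-1",
                            {"cloud": "eu-central-1"}, False, 30, True)
CLEAN = VendorSetup("vendor-b", "europe-west1", "europe-west1",
                    {"cloud": "europe-west1"}, False, 30, True)

if __name__ == "__main__":
    for setup in (BACKUPS_IN_US, CLEAN):
        print(setup.name, residency_findings(setup) or "OK")
```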
Pillar overview
More on the GDPR-AI architecture as a whole: /en/blog/dsgvo-ki-mittelstand. Platform-specific patterns: /en/blog/dsgvo-ki-zoho, /en/blog/dsgvo-ki-odoo. AI services at Mate iT: /en/leistungen/ki-agenten.
Frequently asked questions
What concretely counts as EU data residency?
Three conditions must all be met: (1) processing physically takes place in an EU data center (Frankfurt, Amsterdam, Dublin, Paris, etc.); (2) data and backups are also stored in an EU region; (3) no technical access from outside the EU — not even for maintenance, monitoring, or support. The vendor must contractually guarantee all three points. If only the processing is in the EU but backups are in the US, that is no real residency.
Which LLM vendors have real EU data residency in 2026?
Mistral (French, EU-native, all data in the EU), Aleph Alpha (German, EU-only), Anthropic Claude via the AWS-EU region (with Enterprise contract), OpenAI Enterprise with the Frankfurt region (available since 2024), Google Vertex AI with the europe-west region (Belgium/Frankfurt), and Microsoft Azure OpenAI Service with the West Europe region. Not: ChatGPT Free or Plus — that's always US region, no Enterprise DPA. Not: the standard Anthropic API without an Enterprise contract.
What is Schrems-II and why is it important for AI setups?
Schrems-II is a CJEU ruling from 2020 that struck down the EU-US Privacy Shield. Since then, data transfer to the US has only been allowed with additional security mechanisms — Standard Contractual Clauses (SCCs) plus a Transfer Impact Assessment (TIA) plus possibly encryption measures. It's doable, but complex and with residual risk. EU data residency avoids the whole problem: when data doesn't leave the EU, there's no Schrems-II problem.
How much more expensive is EU region compared to US region?
With the major LLM vendors (OpenAI, Anthropic, Google) typically 0–20 % surcharge for EU region. Mistral and Aleph Alpha have no US comparison price (they're EU-native). The price difference is irrelevant against the Schrems-II risk. We reject setups that can't guarantee EU region — the surcharge is compliance insurance.