Data Sovereignty
GDPR-compliant is not automatically data-sovereign.
As long as prompts flow to OpenAI, Anthropic Claude, or Google Gemini, even the best EU hosting won't help. Data sovereignty is a question of jurisdiction, not server location.
Schrems II
The CJEU set the bar five years ago.
Anyone transferring personal data to a third country must guarantee an essentially equivalent level of protection. US law cannot. The CLOUD Act forces US providers to hand data over to US authorities, even when the servers sit in Frankfurt or Dublin.
Claims vs. reality
What vendors say, and what really applies.
Three claims you'll hear across the AI market, and what they actually mean legally.
What vendors advertise
"We're GDPR compliant", secured via Standard Contractual Clauses (SCCs)
Since Schrems II, SCCs only hold up if backed by additional technical and organisational measures. The CLOUD Act overrides those contracts, since US law trumps the contractual promise.
"EU frontend, OpenAI / Claude / Gemini in the backend", supposedly "compliant by design"
It doesn't matter how European the frontend hosting is: every prompt, attachment, and response flows through OpenAI (US), Anthropic (US), or Google (US). Azure OpenAI, Bedrock, and Vertex AI don't change that; the model providers remain US LPs and therefore CLOUD-Act-bound.
"Based on the EU-US Data Privacy Framework (DPF)"
The DPF has been formally valid since 2023, but it is structurally fragile. NOYB is preparing "Schrems III". In January 2025, Trump left the Data Protection Review Court that backstops the DPF without a quorum.
The core problem
Two rulings, three US model providers.
Schrems II and the CLOUD Act set the legal frame. The AI model market sharpens it: three US corporations dominate, and every prompt lands at one of them.
Schrems II (CJEU C-311/18, 16 July 2020)
The CJEU invalidated the EU-US Privacy Shield. Reasoning: US mass surveillance (FISA 702, Executive Order 12333) gives data subjects no effective legal redress. Third-country transfers require an "essentially equivalent" level of protection, which US law structurally cannot deliver.
US CLOUD Act (2018)
Forces US providers to hand over data on demand from US authorities, regardless of where the data sits. Even if your AWS server is in Frankfurt, the US Department of Justice can compel access. The CLOUD Act directly conflicts with Art. 48 GDPR.
Model APIs: OpenAI, Anthropic, Google
OpenAI, Anthropic (Claude), and Google (Gemini) all sit in California and are subject to US law. Azure OpenAI, AWS Bedrock, and Vertex AI don't change that; the model providers remain the responsible legal entity. Every API call flows through their control. "Zero data retention" and SOC 2 don't replace jurisdiction.
Outlook 2026
Why the situation is getting worse, not better.
Three developments any serious compliance officer should know.
DPF on shaky ground
In September 2025, the EU General Court dismissed a first challenge (Latombe). But NOYB has a broader, well-grounded "Schrems III" complaint in preparation, and Schrems has already taken down two predecessor agreements at the CJEU.
Trump is dismantling the DPF foundation
In January 2025, Trump fired Democratic members of the Data Protection Review Court, leaving it without quorum. The Executive Order the DPF rests on can be revoked at any time.
EU Data Act tightens the screw
Applicable since September 2025. Chapter VII obliges cloud providers to take technical, legal and organisational measures against unlawful access by non-EU authorities. Regulation is moving clearly toward real sovereignty.
Our answer
100% European stack, no US provider in the data path.
We built Wunder so the Schrems II question never arises. No CLOUD Act risk, no "but the DPF protects us" wishful thinking.
Hosting
Hostinger, Scaleway, Stackit: European providers with European data centres. No AWS, no Azure, no GCP.
AI models
Mistral (France) and open-weights models like GPT-OSS, Qwen, or Llama, operated on European infrastructure, with no calls to OpenAI, Anthropic Claude, or Google Gemini. No US provider in the default inference path.
Subprocessors
The full subprocessor list is transparent in the Trust Center. All are EU-based, without SCCs as a crutch against the CLOUD Act.
Evidence
This page is sourced. Here's the material.
Drawn from publicly available rulings, regulator publications, and legal commentary.
- CJEU, judgment C-311/18 ("Schrems II"), 16 July 2020, EUR-Lex
- BfDI, Implications of the Schrems II ruling
- DLA Piper, EU-US Data Privacy Framework Survives First Challenge (September 2025)
- NOYB, EU-US Data Transfers: Time to prepare for more trouble
- Heuking, Use of US Cloud Providers under the Trump Administration
This page is not legal advice. It summarises publicly available sources to make the data sovereignty debate easier to follow.
Ready for AI without CLOUD Act risk?
Talk to us. We'll walk you through the full data path (servers, models, subprocessors) in detail.