Sovereignty & compliance
Sovereignty is proven, not proclaimed
Sovereignty is not our product: it is the framework that guarantees everything else. Everything we audit, build and operate fits within a framework that passes the audit — yours and the regulator’s. We break it down, document it, and make it verifiable.
The three legs
Concrete sovereignty
Sovereignty rests on three legs. If one is missing, the structure collapses.
The data
Location, governance and control of data: where it lives, who can access it, under which jurisdiction. No silent leakage to third-country jurisdictions.
The models
Independence from vendors: a reasoned choice between open and proprietary models, reversibility, no locked-in dependency.
The operation
Operation and accountability stay controlled and locatable: who operates, under which contract, under which applicable law.
The blind spot
The CLOUD Act argument
Data hosted in Europe by a company subject to US law can remain accessible to foreign authorities, regardless of GDPR. The CLOUD Act isn’t a legal detail: it’s a jurisdiction question that decides who can, ultimately, access your data. We address it explicitly, not by omission.
Compliance as a product
Four frameworks, kept alive
Compliance isn’t an end-of-project PDF. It’s a maintained, verifiable mechanism that withstands a real audit.
AI Act
Classification of uses, documentation, risk management and obligations according to the system’s risk level.
GDPR
Legal bases, minimisation, data subject rights and control of transfers — beyond the simple “hosted in the EU” box.
NIS2
Security of essential and important systems: governance, incident management, supply chain.
DORA
Digital operational resilience for the financial sector: testing, third-party risk management, continuity.
Would your AI pass the audit?
We can check it with you, framework by framework, without jargon.