Data Residency & GDPR

For European buyers, "where does our data go?" is the first question. Our answer is concrete: • This website runs on Google Cloud (europe-west1, Belgium). • Client systems are deployed to the environment you choose — an EU-only region, your private cloud, or on-premise — configured per engagement by our DevOps team. • What leaves your environment (telemetry, logs) is configured per deployment; we can keep prompts, documents and logs entirely inside your environment. • Your data is never used to train generalised third-party foundation models without your explicit, documented consent. Where a self-hosted model is deployed, your content does not leave your environment at all.

When we process personal data on your behalf, we act as your processor under a binding Data Processing Agreement compliant with GDPR Article 28. It sets out, in writing: the scope and purpose of processing, confidentiality, security measures (Article 32), our handling of data-subject requests, deletion or return of data on termination, and audit rights. Our standard DPA is available on request.

We keep a current list of subprocessors and, per GDPR Article 28(2), we do not add or replace one without giving you prior notice and the opportunity to object. For fully self-hosted or on-premise deployments, no third-party AI or model provider acts as a subprocessor for your content.

If any processing involves a transfer outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses and — following the Schrems II ruling — conduct a documented transfer impact assessment and apply supplementary safeguards, such as encryption, where needed. The simplest answer to transfer risk is not to transfer. That is why we lead with an EU-only deployment option — it removes most of this for you.

Every deployment includes: • Encryption in transit and at rest. • Role-based access control and least-privilege access. • Full audit logging. • Single-tenant isolation in your chosen environment (on-premise or private cloud).

• Retention — we hold personal data only as long as needed for the agreed purpose. • Deletion or return — on termination we return or delete client data within 30 days, per the DPA. • Data-subject rights — we assist you, as controller, in responding to access, rectification, erasure and portability requests.

Data controller for this website: Engineers-incubator s.r.o., Horná 67, 974 01 Banská Bystrica, Slovakia. Request our DPA and data-processing pack or email hello@euhub-ai.com.