EU Data Processing
Application data is processed exclusively in European data centers.
Our Infrastructure
Application hosting -- Germany
All application data and the database are stored exclusively in a German data center.
AI gateway -- France
AI requests are routed via an EU gateway in France -- EU-only.
Our Technical Measures
Legal framework for third-country transfers: GDPR Art. 44–50 (Chapter V — Transfers to third countries).
Frequently asked questions about EU data processing
Where is my data processed?+
Application data (accounts, conversations, configurations, file uploads) is hosted in a German data centre (Hetzner Falkenstein). AI requests are routed via an EU gateway in France. A full list of locations is provided in the DPA, Annex B.
Who is the controller under data-protection law?+
The customer is the controller within the meaning of Art. 4 No. 7 GDPR. HOVIGuard acts as processor per Art. 28 GDPR. The exact obligations of both parties are regulated in the Data Processing Agreement (DPA).
Which sub-processors are used?+
Currently Hetzner Online GmbH (hosting, DE), Eden AI SAS (AI gateway, FR), xAI Inc. (direct Grok endpoint, US region eu-west-1 with zero retention), Neue Medien Münnich GmbH (SMTP, DE) and Stripe Payments Europe Ltd. (payments, IE). The full list with safeguards is provided in the DPA.
What about third-country transfers?+
Transfers outside the EU are limited to the technically unavoidable minimum. For Stripe and xAI, Standard Contractual Clauses (SCCs) apply together with additional measures (tokenisation, zero retention, IP pseudonymisation). Details are in the Transfer Impact Assessment (available on request).
Which technical measures are in place?+
Typically TLS 1.3 in transit, AES-256 encryption of backups, multi-tenant isolation at the database level, and regular security updates. A full list of TOMs (technical and organisational measures) is provided in the DPA, Annex A.