götzendorfer.at
TL;DR
Your data is stored in Frankfurt. A US federal agency can still access it. The CLOUD Act works on corporate ownership, not the physical location of the server. Anyone building or procuring AI systems in Europe faces a real decision: how much sovereignty does your project actually need, and what does it cost? This article gives you an honest framework with real cost figures, realistic scenarios, and the five most common misconceptions.
AI insights for decision-makers
Weekly. Practical. No spam.
Who Is This For?
This guide is written for CTOs, technical founders, and engineering leads who are making infrastructure decisions for AI-enabled products or internal tools in Europe. Specifically, if any of the following applies to you, this article is worth your time:
- You are building a SaaS product or internal tool that processes personal data under GDPR
- Your customers have asked about data residency or EU sovereignty, or you expect they will
- You are evaluating whether to use US-based cloud services or move to EU-hosted alternatives
- You want to understand the practical trade-offs, not just the legal theory
If you are in the DACH region (Germany, Austria, Switzerland), some sections will feel familiar. If you are outside DACH, the core framework still applies -- I have noted where specific regulations are regional.
1. The CLOUD Act Misunderstanding
The assumption is common: if data sits physically in the EU, it is protected from US authorities. That is incorrect.
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, USA 2018) obligates US companies to provide access to data upon request from the US government, regardless of where that data is physically stored. The decisive question is not "where is the data center?" The decisive question is "which company owns the service?"
A concrete example: Supabase operates a region in Frankfurt. Supabase Inc. is a US company headquartered in San Francisco. Data in Frankfurt is therefore potentially subject to the CLOUD Act, even if it never physically leaves the EU.
This applies to most of the services developers reach for by default: AWS, Google Cloud, Microsoft Azure, Vercel, Supabase Cloud, Resend, Stripe. All US companies. All CLOUD Act-exposed.
What Standard Contractual Clauses (SCCs) Actually Do
SCCs are contractual commitments agreed between EU customers and US providers. They are a recognized instrument under GDPR and provide a legal framework for data transfers. What they do not do: they do not override the CLOUD Act. When US authorities make a concrete access request, US law takes precedence over contractual arrangements.
SCCs reduce regulatory risk. They do not eliminate it. For many projects that is acceptable. For some it is not. Clarifying which category your project falls into is the whole point of this article.
What This Means for Your Decision
For projects without special data protection requirements, pragmatic use of US cloud services is defensible and economically rational. For projects with sensitive data -- patient data, financial data, government data -- or for companies positioning sovereignty as a product feature, SCCs alone are not enough.
The rest of this article helps you determine which category your project belongs to, and what each option realistically costs.
2. The Four Sovereignty Levels
Not every stack needs the same level of sovereignty. A four-level framework gives you a practical starting point.
| Level | Name | Definition | Typical Examples | |-------|------|-----------|------------------| | 0 | US-Native | US company, US region | AWS us-east-1, GPT-4 API | | 1 | US company, EU region | US company, EU data center | Supabase Frankfurt, Vercel, Resend | | 2 | EU company, cloud | EU company, managed service | Hetzner, Scaleway, Pirsch Analytics | | 3 | Self-hosted | Own infrastructure, own servers | Supabase self-host, GlitchTip, Garage |
Level 0 is the default developer path. Fast, inexpensive, well-documented. GDPR compliance requires SCCs and data processing agreements.
Level 1 is the most common compromise. An EU data center feels reassuring, but it does not solve the CLOUD Act problem. For many projects, it is still sufficient.
Level 2 closes the CLOUD Act gap. Hetzner is a German company. Scaleway is French. US authorities have no direct legal lever. The trade-off: fewer managed services, more operational work.
Level 3 provides maximum control. You operate the infrastructure yourself. No third party has access to your data. The trade-off: significant ops overhead and full responsibility for updates, backups, and security.
One thing worth noting: no real project runs at a single level. The most practical setups are hybrids -- sensitive data at Level 2 or 3, non-critical services at Level 1.
3. The Five Questions That Determine Your Level
Before I discuss concrete stack decisions with clients, I work through five questions. The answers determine which sovereignty level is actually necessary.
Question 1: Is data sovereignty a product feature or just a compliance cost? If your product is sold with the argument "your data stays in the EU under EU law," then sovereignty is a differentiating feature and must be technically enforced. If sovereignty is only an internal compliance matter, different standards apply.
Question 2: Do you have at least four hours per month for ops work? Self-hosting means applying updates, checking backups, patching security vulnerabilities, monitoring services. Four hours per month is the bare minimum for a simple self-hosted instance. Eight to fifteen hours is more realistic once multiple services are involved. Anyone who does not have this capacity or does not want to build it should not treat self-hosting as a viable option.
Question 3: Do your customer contracts include data residency clauses? Certain industries -- financial services, healthcare, the public sector -- contractually require that data remains in defined regions or under defined legal frameworks. If your customers are demanding these clauses, it is not an optional differentiator. It is a minimum requirement.
Question 4: Are you processing data covered by specific regulations? Health data, financial transaction data, data on minors, government data -- these categories raise the required sovereignty level regardless of product strategy and customer preferences. Note: if you are in the DACH region, national supplements to GDPR and sector-specific regulations add additional requirements on top of the baseline. If you are elsewhere in the EU, GDPR itself is the primary framework.
Question 5: Can you justify US authority access to a customer if it happened? This question sounds abstract but has practical weight. If your answer to "we use US services with EU SCCs" is met with "we do not accept that" from a customer -- do you have an alternative ready?
Anyone answering no to all five questions can stay at Level 1 and save considerably. Two or more yes answers warrant serious consideration of Level 2 or 3.
4. The Key Stack Components
Practically every AI stack consists of the same layers. Here are the most relevant components with options by sovereignty level.
| Component | Level 1 (US, EU region) | Level 2 (EU company) | Level 3 (Self-hosted) | |-----------|------------------------|---------------------|----------------------| | Compute | Vercel, Render | Hetzner Cloud, Scaleway | Dedicated server (Hetzner) | | Database | Supabase Frankfurt | Hetzner Managed DB | Supabase self-host, PGlite | | Auth | Supabase Auth | Neon + custom | Supabase self-host, Ory Kratos | | Storage | Supabase Storage | Hetzner Object Storage | Garage (S3-compatible) | | LLM (app features) | OpenAI, Gemini | Mistral (FR) | Ollama (Llama 3.3, Mistral) | | LLM (coding) | Claude, GPT-4 | -- | -- | | Analytics | Vercel Analytics | Pirsch (DE), Plausible | Plausible self-host | | Error Tracking | Sentry Cloud | -- | GlitchTip self-host | | Email | Resend, Postmark | Brevo (FR) | Postal (high effort) | | Payments | Stripe | -- | -- |
A note on Hetzner for readers outside the DACH region: Hetzner is a major German cloud provider with data centers in Germany and Finland. They are not as large as AWS or Google Cloud, but their infrastructure quality is solid, their pricing is competitive, and as a German company they sit outside US jurisdiction.
The Hard Constraints
Two areas cannot be fully solved sovereignly without significant quality trade-offs:
Coding assistance. Claude (Anthropic, US) and GPT-4 (OpenAI, US) have no comparable EU competitor for coding tasks. Mistral and local models are useful for application features, but for complex architecture decisions and multi-step refactoring they are measurably weaker. Developers relying on AI assistance have a practical dependency on US services here -- at least through the end of 2026.
Payment processing. Stripe has no EU competitor with comparable feature breadth, reliability, and developer experience. Braintree (PayPal, US), Adyen (Netherlands, internationally structured) -- both have limitations. For most projects, Stripe is the pragmatic choice regardless of sovereignty goals.
These constraints do not make a sovereign stack impossible. They mean being realistic: coding assistance and payments run through US services, all other critical components run through EU infrastructure.
5. Three Reference Scenarios
Abstract architecture principles help little without concrete cost frameworks. The following three scenarios describe real patterns I observe in projects. Once your stack is in place, the next challenge is building on it reliably -- which I cover in detail in Harness Design: Keeping AI Coding Agents Productive.
Scenario A: Sovereignty as a Product Feature
Who chooses this: SaaS products selling to regulated industries or public sector buyers in Europe who require EU-only infrastructure. Sovereignty is not an optional feature -- it is a purchase prerequisite.
Stack profile: Hetzner Cloud compute, Hetzner Managed PostgreSQL, Supabase self-hosted or Neon, Pirsch Analytics, Brevo for email, Mistral for LLM app features. Compute and data entirely with EU companies.
Monthly infrastructure cost: EUR 80 to EUR 180, depending on traffic and data volume.
Ops overhead: 8 to 15 hours per month. Updates, backups, monitoring, occasional configuration adjustments.
Trade-offs:
- Advantage: Clear sales differentiation, no CLOUD Act exposure for customer data.
- Disadvantage: Less managed-service convenience compared to US providers, slightly more setup work. LLM quality for complex reasoning tasks below US frontier models.
When it pays off: From the first customer who specifies "EU-only" as a condition.
Scenario B: Maximum Control
Who chooses this: Projects with the strictest data protection requirements -- health data, government data, or projects where third-party dependencies must be structurally avoided. Also relevant for companies whose internal security teams will not accept external cloud risk.
Stack profile: Hetzner dedicated server, Supabase self-hosted (PostgreSQL + Auth + Storage), Plausible self-hosted, GlitchTip, Garage for S3-compatible object storage, Postal for email (with full awareness of the consequences), Ollama for LLM inference on own hardware.
Monthly infrastructure cost: EUR 250 to EUR 600. The main cost driver is the dedicated server, which needs sufficient GPU capacity for Ollama inference.
Ops overhead: 20 to 30 hours per month. This number is not negotiable. Self-hosting multiple services means: reviewing and applying security patches, verifying backup consistency, testing services after updates, evaluating monitoring alerts. Anyone who does not budget for this has a security problem, not a sovereignty project.
Trade-offs:
- Advantage: Maximum data sovereignty, no external dependencies for core services, full transparency over all data flows.
- Disadvantage: Significant ops overhead, LLM quality clearly below US frontier models, email deliverability is its own project (IP warming, DKIM/DMARC, blacklist management).
When it pays off: With genuine regulatory necessity or when an internal security team categorically rejects external cloud.
Scenario C: Pragmatic Hybrid
Who chooses this: Most of the projects I work with. No specific sovereignty requirement, but awareness of the topic. The goal is a good cost-risk ratio without ops overhead.
Stack profile: Vercel for compute (US, EU proxy), Supabase Frankfurt for database and auth (US company, EU region, SCCs in place), OpenAI or Anthropic for LLM features, Resend for email, Sentry Cloud for error tracking. Pirsch or Plausible instead of Google Analytics.
Monthly infrastructure cost: EUR 60 to EUR 160.
Ops overhead: 3 to 5 hours per month, mostly monitoring and dependency updates.
Trade-offs:
- Advantage: Lowest overhead, best developer experience, fastest time to market.
- Disadvantage: CLOUD Act exposure for all US services, mitigated only by SCCs. Not suitable for regulated industries.
When it pays off: Almost always when no concrete requirements rule it out. Sovereignty on principle without a real requirement is not a good argument for the 3x to 5x higher ops overhead of Scenario B.
Book a consultation
30 minutes. Free. No strings attached.
6. The Honest Cost Picture
Infrastructure costs are the visible part of the price. The actual cost driver is ops time.
Opportunity cost of ops work. A developer or founder spending 20 hours per month on server administration loses those hours for product development, customer conversations, or sales. At a conservative EUR 50 per hour, 20 hours equals EUR 1,000 per month -- not as an expense, but as lost capacity.
This means the break-even for self-hosting is not "saves me EUR 100 in Supabase costs per month." It is "saves me more than EUR 1,000 in opportunity costs per month." That is rarely the case -- except for projects with very high data volumes or very specific requirements.
When self-hosting actually makes financial sense:
| Condition | If true | |-----------|---------| | Cloud costs exceed EUR 500/month | Self-hosting is worth evaluating economically | | Internal ops capacity exists (no opportunity cost problem) | The overhead is not a cost driver | | Regulatory obligation (no choice) | ROI is irrelevant | | Sovereignty is a purchase prerequisite for customers | Self-hosting is a sales argument |
For most early-stage projects, none of these conditions apply. Scenario C is then the right choice -- with awareness that migration to Level 2 or 3 is possible as requirements evolve.
Plan the migration path. A common mistake: building on US cloud services without a data layer abstraction. When a regulated customer arrives three years later demanding sovereignty, migration becomes expensive. The pragmatic approach: abstract database access through a repository pattern from the start. Migration from Supabase Cloud to Hetzner Managed PostgreSQL then takes days, not months.
7. The Five Most Common Misconceptions
Misconception 1: "EU region = CLOUD Act protection"
As covered in the introduction: no. CLOUD Act obligations attach to corporate ownership, not server location. AWS Frankfurt, Google Europe, Supabase Frankfurt -- all US companies, all CLOUD Act-exposed. Real protection requires EU companies (Level 2) or self-hosting (Level 3).
Misconception 2: "Self-hosting saves money"
Rarely. Managed services cost monthly fees, but those fees include operations by specialized teams. Self-hosting saves the managed service fee and trades it for your own ops time. For projects with less than EUR 500 in monthly cloud costs, self-hosting is almost never cheaper -- if you count your own time honestly.
Misconception 3: "MinIO is the standard for self-hosted S3 storage"
MinIO was long the first choice for S3-compatible object storage in self-hosted setups. Since late 2025, MinIO has been in de-facto maintenance mode. Active development and community support have dropped considerably. The more recommended option for new self-hosted projects is Garage -- an S3-compatible object storage written in Rust, resource-efficient, with an active development community. For existing MinIO installations there is no urgent need to act. For new setups, Garage is the better choice.
Misconception 4: "Claude is easily replaced by Mistral"
For application features -- document analysis, text generation, classification -- Mistral Large is a good EU-sovereign alternative. Quality is sufficient for most use cases, and Mistral is a French company.
For coding assistance the situation is different. I use AI coding agents in production and have worked with various models. For complex architecture decisions, code review, and multi-step refactoring tasks, Mistral and local models currently have a measurable quality gap compared to Claude and GPT-4. This is not a marketing judgment -- it is a technical observation from 4,000+ development sessions. The gap is closing, but it is still real through the end of 2026.
Misconception 5: "Self-hosted email is practical"
Running transactional email -- password resets, confirmation links, invoice delivery -- through your own mail servers is technically possible and operationally demanding. The challenge is not the software. It is reputation.
IP warming (new IP addresses must be gradually built up), DKIM/DMARC/SPF configuration, blacklist monitoring, bounce management -- this is a discipline of its own. A single mistake (too many emails too quickly, a wrong header, a domain on a blacklist) causes deliverability problems that can take days to resolve.
For projects with high sovereignty requirements, Brevo (formerly Sendinblue, a French company) is the pragmatic solution: no CLOUD Act problem, professional transactional email infrastructure. For absolute maximum control, Postal self-hosted is possible -- but only with full awareness of the operational burden.
8. Decision Checklist and Next Steps
Before making a stack decision, work through these questions:
- Sovereignty as a product feature: Are you selling to regulated industries or public sector buyers who require EU-only infrastructure?
- Ops capacity: Do you have the internal capacity and willingness to spend 8 to 30 hours per month on server administration?
- Contractual obligations: Do existing or expected customers have data residency clauses in their contracts?
- Regulation: Are you processing health data, financial data, or data subject to specific sector regulation?
- Migration readiness: Is your current stack structured so that a later migration to EU infrastructure would be feasible within a reasonable timeframe?
Two or more yes answers mean Level 2 or 3 should be actively evaluated, not just theoretically considered. One or no yes answers mean Scenario C is the right starting point, with a conscious decision to use SCCs as the compliance instrument.
Sovereignty is not a question of right and wrong. It is a question of requirements, costs, and realistic ops capacity. The most honest framing: for most projects, Scenario C is sufficient -- and someone who knowingly chooses it makes a better decision than someone who chooses Scenario B on principle and then fails to deliver the required ops time.
If you want a concrete assessment of which level fits your project, I am happy to work through the requirements in a short conversation. For projects that are moving from a validated stack toward production deployment, the path I follow is described in From 100+ Prototypes to Product. If you are ready to evaluate your infrastructure setup, the AI Setup service covers exactly this kind of technical scoping work. I work with 1 to 2 clients at a time and take the time for an honest evaluation.
Have an AI project in mind?
Let's analyze your potential together.
