EU-Sovereign Document AI — No CLOUD Act, No Compromise
Every document you send to a US cloud provider is potentially accessible to US authorities — regardless of where the data center is located. If your organization processes contracts, invoices, personnel files, or legal correspondence with AI, the question is not whether you need data sovereignty, but whether you actually have it.
The Problem
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act), enacted in 2018, grants US law enforcement the authority to compel US-headquartered technology companies to hand over data stored on their servers — even if that data is physically located outside the United States. This means that documents processed through Microsoft Azure, Amazon Web Services, or Google Cloud Platform are subject to US jurisdiction, no matter whether the data center sits in Frankfurt, Dublin, or Amsterdam.
Section 702 of the Foreign Intelligence Surveillance Act (FISA) further extends this reach. Under FISA 702, US intelligence agencies can conduct warrantless surveillance of non-US persons' communications and data held by US technology providers. For European organizations, this creates a direct conflict with the GDPR's requirements for lawful data transfers to third countries, a conflict that the European Court of Justice made explicit in its Schrems II ruling (Case C-311/18) when it invalidated the EU-US Privacy Shield.
The implications for document processing are particularly severe. Documents are among the most data-dense assets in any organization. A single invoice can contain company names, tax IDs, bank details, and pricing information. Contracts expose negotiation positions, commercial terms, and counterparty relationships. Personnel files contain social security numbers, salary data, health information, and performance evaluations. Legal correspondence is protected by attorney-client privilege. When these documents pass through a US-controlled AI system, every data point becomes potentially discoverable by US authorities.
Standard Contractual Clauses (SCCs) and supplementary measures do not resolve the underlying jurisdictional conflict. The European Data Protection Board has made clear in its post-Schrems II guidance that contractual safeguards cannot override the legal obligations that US law imposes on US companies. The result is a compliance gap that many organizations either underestimate or deliberately ignore — until an audit, a data breach notification, or a regulator's inquiry forces the issue.
What Does True Data Sovereignty Mean?
Many US cloud providers now offer "EU data residency" or "sovereign cloud" options, where customer data is stored in EU-based data centers. While this addresses the physical location of data at rest, it does not resolve the legal problem. A US-headquartered company remains subject to US law, and the CLOUD Act applies to data under the company's control regardless of its geographic location. The distinction between data residency and data sovereignty is critical: residency describes where data is stored, sovereignty describes who has legal authority over it.
True data sovereignty requires that the entity processing your data is not subject to the jurisdiction of a foreign intelligence or law enforcement apparatus that conflicts with EU data protection law. In practice, this means the provider must be an EU-incorporated company, operating on its own infrastructure (or infrastructure controlled by EU-incorporated entities), with no US parent company, no US investors with board control, and no technical dependencies on US cloud services that could create indirect access paths.
The question of model training data flows adds another dimension. When you use a document AI system built on a US foundation model — whether from OpenAI, Anthropic, Google, or Meta — your document data may be used to improve the base model, shared across tenants, or logged in ways that are opaque to the customer. Even when providers state that customer data is not used for training, the telemetry, metadata, and inference logs that flow through US-controlled infrastructure create a data trail that falls under US jurisdiction. True sovereignty means that your data trains only your model, on your infrastructure, under your legal control.
Contractual guarantees from US providers — including data processing agreements, encryption commitments, and access controls — are necessary but not sufficient. They cannot override the legal obligations that the CLOUD Act and FISA 702 impose. An EU-based provider operating on its own hardware eliminates the jurisdictional conflict entirely, rather than attempting to paper over it with contractual language.
How feld.ai Solves This
Own GPU Servers
We operate our own GPU servers in Feldkirch, Austria. Zero API calls to OpenAI, Google, or Microsoft.
No US Subprocessor
Not a single US cloud provider in the supply chain. No Azure, AWS, or GCP dependency.
Proprietary AI Models
Own models for OCR, classification, and extraction. No data flows to third parties.
Contractual Guarantees
DPA per Art. 28 GDPR, technical and organizational measures documented.
Our infrastructure is ISO 27001 certified and subject to regular penetration testing by independent auditors. All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access controls follow the principle of least privilege, with full audit logging of all administrative actions. Our security documentation — including the technical and organizational measures (TOMs) annex — is available to customers and their data protection officers upon request.
Provider Comparison
| Provider | Hosting | US Subprocessor | Own Models | On-Premises Available |
|---|---|---|---|---|
| feld.ai | Own servers, Austria | No | Yes | Yes |
| Microsoft Azure AI | Azure EU | Yes (Microsoft) | No | Partially |
| Google Document AI | GCP EU | Yes (Google) | No | No |
| AWS Textract | AWS EU | Yes (Amazon) | No | No |
| ABBYY Vantage | Azure/AWS | Yes | Partially | Yes |
| OpenAI / ChatGPT | Azure US/EU | Yes (OpenAI/Microsoft) | No | No |
For Regulated Industries
Financial Services. Banks, insurance companies, and asset managers operate under strict regulatory frameworks — FINMA circulars in Switzerland, MaRisk and BAIT in Germany, Solvency II and DORA at the EU level. These frameworks increasingly require that outsourced IT services, especially those involving AI and cloud computing, do not create uncontrollable dependencies on third-country providers. By using feld.ai, financial institutions can adopt AI-driven document processing without triggering the additional risk assessments and notification requirements that apply to material outsourcing to US cloud providers.
Legal. Attorneys, notaries, and legal departments are bound by professional secrecy obligations that go beyond data protection law. In many European jurisdictions, disclosing client information to a US-controlled cloud service — even inadvertently — can constitute a breach of professional duty. feld.ai's architecture, with no US subprocessor and a full on-premises option, is designed to meet the requirements of legal professionals who cannot risk any scenario in which client data could be subject to a foreign government access request.
Healthcare. Patient records, diagnostic reports, and clinical correspondence are among the most sensitive document categories. Healthcare providers and insurers must comply not only with the GDPR but also with sector-specific regulations such as national health data protection laws. Processing these documents through a US-controlled AI system introduces risks that are difficult to mitigate through contractual measures alone. feld.ai processes all healthcare documents on EU-based, self-operated infrastructure, ensuring that patient data never leaves the protected sphere.
Insurance. Claims documents, policy applications, and actuarial reports contain detailed personal and financial information. Insurance companies subject to Solvency II and the upcoming DORA regulation need to demonstrate that their IT supply chain does not include uncontrollable third-country dependencies. feld.ai provides a fully EU-sovereign AI pipeline for document processing in insurance operations — from claims intake to policy administration — without any reliance on US cloud infrastructure.
Deployment Options
feld.ai Cloud
Hosted in Feldkirch, Austria. Own GPU servers, own network. The fastest option to get started — fully operational within days, no hardware procurement required.
Managed Hosting
Dedicated instance in a data center of your choice. You keep full control over the hosting location, while we manage operations, updates, and monitoring.
On-Premises
Installation on your own infrastructure. Maximum control, zero external data flow. Suitable for air-gapped environments and organizations with the strictest security requirements.
All three deployment options provide the same AI capabilities, the same API, and the same user interface. Migration between deployment models is straightforward — you can start with feld.ai Cloud and move to on-premises when your internal infrastructure is ready, without retraining models or redesigning integrations.
Frequently Asked Questions
Is feld.ai GDPR-compliant?
Yes. feld.ai processes all data exclusively on its own GPU servers in Feldkirch, Austria. There is no data transfer to US cloud providers. We provide a data processing agreement (DPA) per Art. 28 GDPR, and our technical and organizational measures are fully documented. Our infrastructure is ISO 27001 certified.
Does feld.ai use OpenAI or other US AI services?
No. feld.ai operates proprietary AI models for OCR, document classification, and data extraction. There are zero API calls to OpenAI, Google, Microsoft, or any other US AI service. Every inference runs on our own hardware.
Where are the servers located?
Our GPU servers are located in Feldkirch, Austria. We own and operate the hardware ourselves — no hyperscaler, no colocation with a US parent company. For customers who require a specific location, we also offer managed hosting in a data center of your choice or full on-premises deployment.
Can I run feld.ai on-premises?
Yes. feld.ai can be deployed entirely on your own infrastructure. The on-premises deployment requires no outbound internet connection for inference. Updates and model improvements can be applied via secure offline transfer if needed.
What happens to my data after processing?
Documents are processed in real time and can be deleted immediately after extraction. By default, no document content is retained beyond the processing session. If you choose to use the correction and learning pipeline, your data trains only your tenant-specific model — never a shared model, never a third party's model.
Is feld.ai suitable for legal professionals?
Yes. Law firms and legal departments are among our core user groups. Because feld.ai operates without any US subprocessor, it does not create a conflict with professional secrecy obligations (attorney-client privilege). The on-premises option provides maximum confidentiality for sensitive case files.