Description

All data in PromptMetrics is stored exclusively in EU regions with AWS eu-central-1 (Frankfurt) as the primary region and AWS eu-west-1 (Ireland) as the backup region, ensuring zero cross-border transfers and full GDPR and EU AI Act data residency compliance. The platform enforces EU-only data sovereignty through architectural design, including all databases (PostgreSQL), object storage (S3), compute resources (EC2, Lambda), and backup systems located exclusively within EU infrastructure with no replication or processing outside the European Economic Area. Data sovereignty verification tools enable compliance officers to verify storage locations, review infrastructure audit logs, and generate data residency certificates for regulatory submissions. The system implements encryption at rest using AES-256 for all stored data, encryption in transit using TLS 1.3 for all data transfers, and cryptographic verification to detect any unauthorized data movement. This comprehensive data sovereignty approach ensures compliance with GDPR Articles 44-49 governing cross-border data transfers and EU AI Act requirements for maintaining EU-based records. It is primarily used by compliance officers for regulatory verification, by data protection officers for GDPR compliance, and by legal counsel to demonstrate data residency to supervisory authorities.

Example

A compliance officer demonstrates to legal counsel that all AI request logs, prompts, and user data are stored exclusively in EU infrastructure by accessing the data residency verification dashboard, which shows real-time confirmation of 100% EU storage across all data categories. She generates a data sovereignty certificate with cryptographic proof of storage locations, reviews the infrastructure audit log, which shows zero cross-border transfer attempts, and exports the verification report documenting primary storage in Frankfurt with redundant backups in Ireland. During a GDPR audit, she presents this evidence along with AWS compliance certifications confirming physical data center locations, satisfying supervisory authority requirements for demonstrating Articles 44-49 compliance with no third-country data transfers requiring adequacy decisions or standard contractual clauses.

EU-Only Infrastructure

Primary Region: AWS eu-central-1 (Frankfurt, Germany)

Storage Components
  • PostgreSQL databases for all application data
  • Amazon S3 object storage for file uploads and exports
  • Redis cache for session and real-time data
  • ElasticSearch for log indexing and search
Compute Components
  • EC2 instances for application servers
  • Lambda functions for serverless operations
  • ECS containers for microservices
  • API Gateway for request routing
Security Components
  • AWS Secrets Manager for API key storage
  • AWS KMS for encryption key management
  • CloudWatch for monitoring and logging
  • VPC for network isolation

Backup Region: AWS eu-west-1 (Ireland)

Backup Architecture
  • Real-time database replication for disaster recovery
  • Daily encrypted backups of all data
  • Multi-AZ deployment for high availability
  • Failover capability within EU only
Retention Policy
  • Continuous replication lag: < 5 seconds
  • Point-in-time recovery: Last 35 days
  • Long-term backups: 1 year retention
  • Geographic separation: 1,800 km between regions
Both primary and backup regions are within the European Union, ensuring compliance even during disaster recovery scenarios.

No Cross-Border Data Transfers

Zero Data Leaving EU

PromptMetrics enforces strict data sovereignty.

Architectural Guarantees
  • All data processing occurs within EU regions
  • No CDN or edge caching outside EU
  • No third-party services with non-EU data access
  • No support access from non-EU locations
Data Flow Controls
  • API endpoints restricted to EU region routing
  • Database connections limited to EU IP ranges
  • Object storage access policies enforce EU-only
  • Network ACLs block non-EU data egress
Monitoring & Detection
  • Real-time monitoring for cross-border transfer attempts
  • Automated alerts for any non-EU data access
  • Audit logging of all data movement
  • Quarterly infrastructure compliance reviews

GDPR Chapter V Compliance

Article 44: Data transfers outside EU only when legally permitted
  • PromptMetrics Implementation: Zero transfers outside EU, rendering Chapter V requirements satisfied by design
Article 45: Adequacy decisions for third countries
  • PromptMetrics Implementation: Not applicable - no third-country transfers
Article 46: Standard contractual clauses
  • PromptMetrics Implementation: Not required - all data remains in EU
Article 48: Non-EU government access
  • PromptMetrics Implementation: EU law governs all data access requests; non-EU government demands subject to EU legal process
Article 49: Derogations
  • PromptMetrics Implementation: No derogations needed - data never leaves EU

Verifying Data Residency

Data Residency Verification Dashboard

Access real-time verification tools at Compliance → Data Sovereignty.

Verification Metrics
  • Current Storage Location: AWS eu-central-1 (Frankfurt) ✓
  • Backup Location: AWS eu-west-1 (Ireland) ✓
  • Cross-Border Transfers: 0 detected ✓
  • Non-EU Data Access: 0 attempts ✓
  • Infrastructure Compliance: 100% ✓
Storage Category Breakdown

Data Category        Storage Location     Verification Status
User Data            eu-central-1         ✓ Verified
Request Logs         eu-central-1         ✓ Verified
Prompt Templates     eu-central-1         ✓ Verified
Evaluation Data      eu-central-1         ✓ Verified
Backups              eu-west-1            ✓ Verified
Audit Trails         eu-central-1         ✓ Verified

Infrastructure Audit Logs

Review detailed infrastructure activity.

Log Entries Include
  • Data storage location for each operation
  • Geographic location of compute resources
  • Network traffic flow analysis
  • Backup and replication destinations
  • Any cross-region activity (should be EU-to-EU only)
Audit Review Process
  1. Access Infrastructure Logs: Navigate to Compliance → Data Sovereignty → Infrastructure Audit Logs.
  2. Filter by Date Range: Select the audit period you want to review (default: last 90 days).
  3. Review Storage Events: Examine all data storage events to confirm EU-only locations.
  4. Verify Network Traffic: Check network traffic logs for any non-EU destinations (should be 0).
  5. Export Audit Report: Generate an audit report with cryptographic verification for regulatory submissions.

Data Sovereignty Guarantees

Contractual Commitments

PromptMetrics provides legally binding data sovereignty commitments.

Service Level Agreement (SLA)
  • 100% EU data storage guarantee
  • Zero cross-border transfers
  • EU-only personnel access to production data
  • 30-day advance notice if data residency policy changes
Data Processing Agreement (DPA)
  • GDPR Article 28 compliant data processing terms
  • EU-only subprocessors (AWS EU regions)
  • Data sovereignty verification rights
  • Audit rights for supervisory authorities
Certifications
  • ISO 27001 certification (EU scope)
  • SOC 2 Type II compliance
  • AWS GDPR compliance inheritance
  • Regular third-party security audits
Any proposed change to the data residency policy requires user consent and a 30-day notice period per GDPR requirements.

Regional Backup Strategy

Multi-Region EU Architecture
  • Primary: Frankfurt (Germany)
  • Secondary: Ireland
  • Geographic separation: 1,800 km
  • Both regions within EU legal jurisdiction
Failover Scenarios
  • Frankfurt region failure → Automatic failover to Ireland
  • Data remains in EU during entire failover process
  • No performance degradation for EU users
  • Recovery Point Objective (RPO): 5 seconds
  • Recovery Time Objective (RTO): 2 minutes

GDPR Article 44-49 Compliance

Article 44: General Principle

Requirement: Data transfers to third countries only when compliant with Chapter V.

PromptMetrics Compliance
  • No third-country transfers occur
  • All data remains within EU at all times
  • Chapter V requirements satisfied by architectural design

Article 45: Adequacy Decisions

Requirement: Transfers to countries with adequacy decisions are permitted.

PromptMetrics Compliance
  • Not applicable - no international transfers
  • Data never leaves EU jurisdiction

Article 46: Standard Contractual Clauses

Requirement: SCCs are required for transfers without an adequacy decision.

PromptMetrics Compliance
  • Not required - no international transfers
  • All processing occurs in EU with EU-based processors (AWS EU)

Article 47: Binding Corporate Rules

Requirement: BCRs for international corporate data transfers.

PromptMetrics Compliance
  • Not applicable - company operates exclusively in EU
  • No international corporate data flows

Article 48: Non-EU Government Access

Requirement: EU controller permission is required for non-EU government data access.

PromptMetrics Compliance
  • All data access governed by EU law (GDPR, ePrivacy, EU AI Act)
  • Non-EU government requests subject to EU legal process and MLAT treaties
  • Users notified of any lawful government data requests per GDPR Articles 13-14

Article 49: Derogations

Requirement: Specific derogations for exceptional transfers.

PromptMetrics Compliance
  • No derogations invoked - not necessary due to EU-only architecture
  • Data subject consent not required for cross-border transfers (no such transfers occur)

Generating Data Residency Certificates

Certificate Contents

Data sovereignty certificates include the following.

Infrastructure Verification
  • Primary storage region: AWS eu-central-1 (Frankfurt)
  • Backup storage region: AWS eu-west-1 (Ireland)
  • Compute resource locations: EU-only
  • Data residency guarantee: 100%
Compliance Confirmation
  • GDPR Chapter V compliance status
  • Zero cross-border transfers detected
  • Cryptographic verification of storage locations
  • AWS compliance certifications (inherited)
Audit Trail
  • Certificate generation timestamp
  • Verification period covered
  • Compliance officer user ID
  • Digital signature for authenticity

Certificate Generation Process
  1. Navigate to Verification Tool: Access Compliance → Data Sovereignty → Generate Certificate.
  2. Select Verification Period: Choose the time range for verification (typically matches the audit period).
  3. Run Verification: The system performs a real-time check of data storage locations and infrastructure compliance.
  4. Review Results: Confirm 100% EU storage before generating the certificate.
  5. Generate & Download: The certificate is generated with a cryptographic signature and is downloadable as a PDF.
  6. Submit to Authority: Use the certificate for GDPR compliance documentation or supervisory authority requests.

AWS Compliance Inheritance

AWS EU Region Certifications

PromptMetrics inherits AWS compliance for EU regions.

Security Certifications
  • ISO 27001: Information Security Management
  • ISO 27017: Cloud Security Controls
  • ISO 27018: Cloud Privacy Protection
  • SOC 1, SOC 2, SOC 3: Service Organization Controls
Privacy & Data Protection
  • GDPR compliance program
  • EU Data Protection Directive compliance
  • ePrivacy Directive compliance
  • German Federal Data Protection Act (BDSG) compliance
Industry-Specific
  • PCI DSS Level 1: Payment Card Industry
  • HIPAA: Healthcare data (when configured)
  • C5: German Cloud Computing Compliance Controls
Physical Security
  • Data center locations verified and audited
  • Physical access controls and monitoring
  • Environmental controls and redundancy
  • Geographic separation of availability zones

Verification of AWS Compliance

Users can independently verify AWS compliance.

AWS Artifact Portal
  • Access compliance reports directly from AWS
  • Review audit reports for eu-central-1 and eu-west-1
  • Download certification documents
  • Verify current certification status
Data Center Locations
  • Frankfurt data centers: Germany (EU member state)
  • Ireland data centers: Ireland (EU member state)
  • Physical locations audited by independent third parties
  • Compliance with EU data center regulations

Monitoring for Data Sovereignty Violations

Real-Time Monitoring

Automated monitoring detects any data sovereignty violations.

Monitored Activities
  • Database replication destinations
  • Object storage access patterns
  • Network egress to non-EU IPs
  • Compute resource geographic locations
  • Backup storage destinations
Alert Triggers
  • Any non-EU data access attempt
  • Cross-border data transfer detection
  • Infrastructure deployment outside EU
  • Non-EU personnel access to production systems
Alert Response
  • Immediate notification to security team
  • Automatic blocking of violating activity
  • Incident investigation and root cause analysis
  • Compliance officer notification
  • Remediation and prevention measures
Real-time monitoring provides confidence that data sovereignty is maintained 24/7 with immediate detection of any violations.
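The checks listed under Monitoring & Detection and under Real-Time Monitoring (non-EU regions, non-EU replication destinations, access from unapproved sources) can be expressed as a small detector over audit events. The following is an added example, not PromptMetrics' own code: it scans CloudTrail-style JSON events and reports each violation; the sample events, the `destinationRegion` parameter name and the approved source network are constructed for this illustration.

```python
# Added example, not PromptMetrics' own code: a minimal detector for the
# checks the page describes (EU-only regions, EU-only replication targets,
# EU-only access sources). It scans CloudTrail-style JSON events; the sample
# events, the "destinationRegion" parameter name and the approved source
# network are constructed for this example.
import json
from ipaddress import ip_address, ip_network

ALLOWED_REGIONS = {"eu-central-1", "eu-west-1"}          # Frankfurt, Ireland
ALLOWED_SOURCE_NETS = [ip_network("10.0.0.0/8")]          # constructed VPC range

# Constructed sample audit log: one JSON event per line.
SAMPLE_EVENTS = """
{"eventTime":"2024-05-01T10:00:00Z","eventName":"PutObject","awsRegion":"eu-central-1","sourceIPAddress":"10.0.1.5"}
{"eventTime":"2024-05-01T10:00:05Z","eventName":"CreateDBInstanceReadReplica","awsRegion":"eu-west-1","sourceIPAddress":"10.0.2.7","requestParameters":{"destinationRegion":"eu-west-1"}}
{"eventTime":"2024-05-01T10:01:00Z","eventName":"PutBucketReplication","awsRegion":"eu-central-1","sourceIPAddress":"10.0.1.5","requestParameters":{"destinationRegion":"us-east-1"}}
{"eventTime":"2024-05-01T10:02:00Z","eventName":"RunInstances","awsRegion":"us-west-2","sourceIPAddress":"10.0.3.9"}
{"eventTime":"2024-05-01T10:03:00Z","eventName":"GetObject","awsRegion":"eu-central-1","sourceIPAddress":"203.0.113.9"}
"""

def event_violations(event: dict) -> list[str]:
    """Return every reason a single event breaks the EU-only policy."""
    reasons = []
    region = event.get("awsRegion")
    if region not in ALLOWED_REGIONS:
        reasons.append(f"API call served from non-EU region {region}")
    dest = (event.get("requestParameters") or {}).get("destinationRegion")
    if dest and dest not in ALLOWED_REGIONS:
        reasons.append(f"replication destination outside EU: {dest}")
    try:  # service-originated calls carry a hostname here, not an IP; skip those
        src = ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        src = None
    if src and not any(src in net for net in ALLOWED_SOURCE_NETS):
        reasons.append(f"access from unapproved source {src}")
    return reasons

def scan_audit_log(raw: str) -> list[dict]:
    """Parse newline-delimited JSON events and return the flagged ones."""
    findings = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        reasons = event_violations(event)
        if reasons:
            findings.append({"eventTime": event["eventTime"],
                             "eventName": event["eventName"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_EVENTS):
        print(f["eventTime"], f["eventName"], "; ".join(f["reasons"]))
```

In a real deployment the detector would read from the CloudTrail delivery bucket or a log stream and feed the alert pipeline described above; the region allowlist is the only input that ties it to this platform's two-region design.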