INFRA READY
GDPR Data Residency One-Pager
Summary
Sovereign Git is architected for GDPR compliance from the ground up. Customer repository data, metadata, CI artifacts, and audit logs remain within EU jurisdiction by default. No data is routed through US-based cloud hyperscalers (AWS, Azure, GCP) without explicit customer opt-in.
Data Residency Architecture
| Data Category | Storage Location | Transfer Controls |
|---|---|---|
| Repository data (git objects) | EU-West/EU-Central compute | Never leaves EU without customer config |
| CI/CD artifacts | EU-resident object storage | Encrypted in transit (TLS 1.2+) and at rest |
| Audit trail (F9 stream) | Redis Stream, EU compute | Append-only, cryptographic immutability |
| SSO / identity (Authentik) | authentik.eliteaiempire.com (EU) | SAML assertions never stored long-term |
| AI review (BYO-LLM) | Customer-specified LLM endpoint | EU-first routing available with the empire-pooled cascade |
GDPR Article Alignment
- Article 5 (Principles): Data minimization enforced — we collect only what is required for platform operation. Access logging captures who touched what, not content.
- Article 17 (Right to Erasure): Repository deletion removes all associated metadata within 24h. Audit trail entries are retained per regulatory minimum (configurable 7y for financial, 3y for standard).
- Article 25 (Data Protection by Design): BYO-LLM keys prevent code from being used for AI training. Tenant isolation by namespace. No cross-tenant data access.
- Article 32 (Security): TLS 1.2+ everywhere, AES-256 encryption at rest, Fernet-encrypted per-repo LLM keys with HKDF derivation from master key.
- Article 44 (Data Transfers): No default third-country transfers. Cross-border routing only on explicit customer configuration.
Sub-processor List
- Authentik (self-hosted, EU compute) — Identity Provider / SSO
- Brevo (EU-based email) — Transactional email notifications
- Stripe (EU Data Processing Addendum in place) — Payment processing only
- Cloudflare Pages (static marketing site only — no customer data) — Marketing landing
Legal Gate: A Data Processing Agreement (DPA) between Elite AI Empire LLC (processor) and the customer (controller) must be executed before GDPR Article 28 obligations are formalized. DPA template available on request. Execution requires Iskra (authorized signatory) and legal counsel review. Contact enterprise@eliteaiempire.com to initiate.
Contact
Data Protection contact: enterprise@eliteaiempire.com
For a DPA template, DPIA assistance, or transfer impact assessment support, use the same address.
Response SLA: 3 business days for GDPR inquiries.