GPU cloud built for
European data sovereignty
Every compute job runs in Hetzner EU data centers under Docker isolation. Your data never leaves the EEA. DPA available. Built for healthcare, legal, and financial AI teams.
Why your DPO blocked RunPod and AWS
The problem is not server location alone. It is legal jurisdiction. A US company operating EU servers is still subject to the US CLOUD Act — meaning US law enforcement can compel access to data without EU judicial process. This is why SCCs alone are insufficient for many regulated industries.
| Provider | Compliance issue | DPO verdict |
|---|---|---|
| AWS / GCP / Azure | US CLOUD Act jurisdiction — US government can compel access to data regardless of server location | ✗ Blocked |
| RunPod | Primarily US-based infrastructure. EU nodes available but not default, no DPA standard | ✗ Blocked |
| Vast.ai | Decentralized global network — no guaranteed EEA residency, no data processor agreement | ✗ Blocked |
| Lambda Labs | US-based company, US data centers. SCCs available but company under US jurisdiction | ✗ Blocked |
| GhostNexus | EU-only compute, French legal entity, Docker --network=none, DPA on request | ✓ Approved |
This table reflects general compliance patterns. Your DPO should evaluate based on your specific data categories and processing purposes. We recommend legal counsel for Article 9 data (health, biometric).
Compliance by design, not by checklist
These are architectural decisions, not policies that can be quietly changed.
100% EU data residency
All compute nodes operate in Hetzner data centers in Nuremberg (DE), Falkenstein (DE), and Helsinki (FI) — European Economic Area throughout. Your data never reaches a server outside the EEA.
Network-isolated execution
Every job runs inside a Docker container with --network=none. Scripts cannot make outbound network calls. Your training data, prompts, and model weights cannot be exfiltrated by the execution environment.
No data retention
Scripts and input data are written to an ephemeral temp file, used for execution, and deleted on container exit (--rm). GhostNexus never stores your training data, datasets, or model weights.
DPA available on request
We sign Data Processing Agreements (Article 28 GDPR) with enterprise customers. Our DPA covers sub-processor disclosure (Hetzner, Stripe, Resend) and includes the standard EU contractual clauses.
Open-source node client
The provider node software is open source (MIT). Your team or DPO can audit exactly what runs on provider machines: Docker flags, resource limits, no persistent storage. No black box.
EU legal entity
GhostNexus is operated as a French micro-enterprise (SIRET 102 801 883 00012). Invoices include TVA status under Art. 293 B CGI. EU jurisdiction applies to all contracts.
Docker isolation flags — verifiable
Every job runs with these flags. The node client is open source (MIT) — your security team can audit the exact command constructed before any job executes.
docker run \
--rm \ # Container deleted on exit
--name gn-job-{uuid} \
--network=none \ # ZERO network access
--memory 512m --memory-swap 512m \ # Hard RAM cap
--cpus 1.0 \ # Hard CPU cap
--read-only \ # Immutable filesystem
--tmpfs /tmp:size=64m,noexec,nosuid \ # Ephemeral scratch only
--cap-drop=ALL \ # All capabilities dropped
--security-opt no-new-privileges:true \ # No setuid escalation
-v /tmp/{uuid}_job.py:/job/script.py:ro \ # Script mounted read-only
--user 65534:65534 \ # nobody:nogroup
python:3.11-slim python /job/script.py--network=noneZero outbound/inbound network access. Data cannot be exfiltrated.--read-onlyImmutable root filesystem. No persistent writes outside allowed paths.--tmpfs /tmp:size=64m,noexec,nosuidTemp space capped at 64 MB, non-executable.--cap-drop=ALLAll Linux capabilities removed. No privilege escalation possible.--user 65534:65534Runs as nobody:nogroup — lowest possible privilege.--memory + --cpusHard resource caps. No denial-of-service from runaway jobs.--security-opt no-new-privileges:truePrevents setuid/setgid-based escalation.Regulated industries using GhostNexus
These are the ML use cases that are blocked on US infrastructure and possible on GhostNexus.
Healthcare & Medical AI
GDPR Art. 9 (health data), HDS certification context, national health data regulations (HIPAA equivalent)
- Fine-tune LLMs on patient notes (pseudonymized) for ICD-10 classification
- Train radiology image models without leaving EU hospital network perimeter
- NLP pipeline on EHR data — process locally, run inference on EU GPU
LegalTech & Compliance
Attorney-client privilege, GDPR data minimization, bar association data handling rules
- Document classification on contracts containing personal data
- Fine-tune models on confidential legal briefs
- Regulatory document analysis — DORA, NIS2, AI Act compliance workflows
Financial Services
DORA (Digital Operational Resilience Act), EBA guidelines, strict third-country transfer restrictions
- Fraud detection models on transaction data
- LLM for internal financial document Q&A
- Credit scoring model training on EU customer data
HR & Recruiting AI
GDPR Art. 22 (automated decisions), Works council approval requirements in DE/FR
- CV screening models trained on employee data
- Internal knowledge base LLM fine-tuning
- Bias detection models on HR datasets
Data Processing Agreement (DPA)
Required under GDPR Article 28 when using a processor
Your ML team can start today
$15 free credits to test your first job. If your DPO needs more detail before approval, send them this page and request a DPA — we respond within 48 hours.
Use code WELCOME15 at registration — no credit card required.