🛡️
← Blog
Ethics & PrivacyApril 22, 2026·6 min read·by José Díaz

European sovereignty isn’t marketing : it’s code

Half of European startups say "GDPR-friendly" and then run everything on AWS us-east-1 with OpenAI embeddings. Here I explain exactly what runs where in Memchats, and why we decided to make it more expensive to operate but more honest.

The phrase "digital sovereignty" has been so overused in European pitch decks that it doesn’t mean anything anymore. Any startup with a .eu domain and a GDPR disclaimer uses it. But open the code, look at the DNS, read the logs: most run the critical logic in American data centers and depend on APIs from US companies for everything that matters.

Memchats does something different, and I’ll be explicit about where every bit lives.

Postgres and Redis: Hetzner Online in Falkenstein, Germany. Disk-level at-rest encryption. Private internal connection between containers. If Hetzner goes down, Memchats goes down : but the data never leaves Germany.

Embeddings: bge-m3 self-hosted on a dedicated GPU in the same Hetzner infrastructure. We don’t use the OpenAI API or Voyage. Two reasons: price (they charge per token and our volume would be expensive), but most of all control (when we send text to OpenAI for embedding, that text leaves Europe regardless of how many DPAs you sign). Self-hosting bge-m3 is operationally more complex, but the text doesn’t leave our perimeter.

Object storage for original files (WhatsApp exports, screenshots): Cloudflare R2 in EU jurisdiction. R2 has an interesting property: it’s S3-compatible but doesn’t replicate outside the region you pick. We pick EU, it stays in EU.

Anthropic Claude: here there’s a real compromise. Anthropic is in the USA. We have Standard Contractual Clauses signed and a specific DPA that prohibits training on our data. But the text does physically leave Europe when we make an API call. For Empresa tier, we offer an alternative: local model (Llama 3.1 / Mistral) running on our own infrastructure. Slower, less capable, but literally never leaves the EU.

Stripe: Ireland. Payment processing. Memchats doesn’t store cards, only Stripe IDs.

Sentry: USA with signed SCC. Configured to never send PII or message content in breadcrumbs : only stack traces.

Mailcow: self-hosted on the same Hetzner for transactional email. Zero dependency on SendGrid or Mailchimp.

Net result: except for two points (Anthropic Claude for LLM, Sentry for errors), 100% of the data plane lives in Europe or in EU jurisdiction with cloud providers. And for those two points, there’s a native alternative in Empresa tier.

This costs more. Self-hosting embeddings costs GPU 24/7. Self-hosted Mailcow requires maintenance. Hetzner needs more DevOps than click-deploy on Vercel. But the question isn’t "what’s easier to operate" : it’s "what promise can I keep when I look in the eye of a user who trusts me with messages from their ex during a custody case".

If the answer to that question is "honestly, almost everything is in USA but we signed a DPA", then you’re not doing sovereignty. You’re doing marketing.