EU-hosted AI models

What does EU-hosted mean?

EU-hosted means the inference — the actual execution of the language model on GPU servers — takes place inside datacentres physically located in the European Union. This is distinct from having an EU headquarters or a European legal entity in a commercial register. A company legally domiciled in Amsterdam but running all its compute in Virginia is not EU-hosted in the technical sense that matters for GDPR obligations. Why does this distinction matter? Because the GDPR requires controllers — and their data subjects — to know where personal data physically resides during processing. When a prompt containing personal data (names, addresses, medical descriptions) hits an LLM API, it constitutes a transfer of personal data to a processor. The physical location of that processing determines which transfer mechanisms apply. Sub-processors also play a role. An EU cloud provider may lease GPU capacity from a datacentre company owned by a US parent. That may be compliant — provided Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms are in place — but this information must be explicitly documented in the DPA (Data Processing Agreement) of your LLM provider. Always read the DPA, not just the marketing page.

GDPR implications of EU-hosted inference

The GDPR governs how personal data of EU residents is processed. When your organisation calls an LLM API with data containing personal data, you are the data controller and the API provider is the data processor. This creates three concrete obligations: 1. Processing agreement (Article 28). You must conclude a DPA with the provider. Check it for: which sub-processors are engaged, which country they are in, and which legal mechanism applies (SCCs, adequacy decision, binding corporate rules). 2. Transfer assessment (Article 46 / Schrems II). If the provider is American — even if hosting in Frankfurt — US FISA 702 legislation means US authorities can under certain circumstances demand access to data. After the Schrems II ruling of the CJEU (2020), Standard Contractual Clauses plus a Transfer Impact Assessment (TIA) is the standard mechanism. With purely EU-hosted providers without a US parent, this transfer assessment largely falls away, reducing compliance overhead significantly. 3. Retention and erasure. Does the LLM provider store prompt logs for training, fine-tuning or quality monitoring? If so, for how long, and can you submit an erasure request? EU-hosting does not solve this automatically; it requires contractual commitments in the DPA.

EU-hosted providers in the Tokonomix database

The table below shows providers whose hosting region in the Tokonomix database is marked as an EU region (eu / nl / de / fr). The average score is the mean benchmark score over the past 7 days; — means no recent measurement is available. Data is updated weekly from provider documentation and benchmark runs.

GDPR compliance matrix: models by provider

The table below lists all active EU-hosted models in the Tokonomix database, with inference region, model origin country, and output modality. This is live data; the table is updated automatically when providers or models are added or changed.

EU AI Act — what to know

The EU AI Act (Regulation 2024/1689) has been phased in. For most organisations using LLM APIs, the General Purpose AI (GPAI) rules are most relevant. Frontier models with systemic risk — evaluated via compute thresholds and risk assessment — carry additional transparency and audit obligations for providers, not for you as a deployer. As a deployer, you do have transparency obligations when using AI in direct public-facing contact (e.g. chatbots) and in certain high-risk applications (HR selection, credit scoring, etc.). EU-hosted inference reduces compliance burden on data transfer, but does not exempt you from AI Act deployer obligations. Consult your DPO or legal advisor for an assessment of your specific use case.

Frequently asked questions

Is EU-hosted automatically GDPR-compliant?

No. EU-hosted is a necessary but not sufficient condition. You also need a valid Data Processing Agreement, must know the sub-processors, and must have conducted a Transfer Impact Assessment if the provider has a US parent company. EU-hosting does, however, largely shield you from Schrems II issues and reduces the risk of foreign authorities demanding access.

Which providers offer EU-only inference?

Based on the Tokonomix database, OVH AI Endpoints (Gravelines, FR) and Mistral AI (EU) are the providers with an EU hosting region. Mistral AI is a French company; OVH is a European cloud provider. Note: the list in the database reflects only providers for which Tokonomix runs API benchmarks. There are more EU-hosted providers outside our database.

Does the EU AI Act change which models I can use?

The AI Act does not ban specific models for normal business applications. What is prohibited are certain applications, not models as such: real-time biometric identification in public spaces, social scoring, etc. As a deployer you must maintain additional documentation for high-risk applications (HR, financial scoring, critical infrastructure). Using a GPAI model with systemic risk? The provider carries supplementary obligations; request their conformity documentation.

What about US-headquartered providers with EU regions?

A provider such as OpenAI or Google offers EU-regional options (e.g. Frankfurt/Paris), but as a US company falls under FISA 702. This means US intelligence agencies can in principle demand access, regardless of the physical location of the data. The EU-US Data Privacy Framework (DPF, 2023) provides an adequacy decision for participating companies, but whether that is robust enough for your use case is a legal assessment. Purely EU-hosted providers without a US parent do not carry this risk.

What about non-EU models running on EU infrastructure?

Many models in the Tokonomix EU-hosted pool were originally developed by non-EU parties (US, China). That is GDPR-relevant for model training (your data is typically not involved there) but not for the processor relationship during inference. What counts is where the compute happens. If the model runs on servers in the EU, the EU-hosted benefit applies for transfer assessments — provided the provider has also correctly documented its sub-processors.

How does Tokonomix use EU-hosting for consensus calls?

In the Tokonomix consensus gateway you can set the routing_intent to 'eu'. Tokonomix will then route the request exclusively to providers whose hosting_region falls within the EU. This is relevant for applications where all participating models must run in the EU — e.g. for sector-specific compliance in healthcare or financial services. The EU pool is smaller than the global pool; expect slightly less model choice but full regional transfer control.

What is the difference between EU-hosted and EU-sovereign?

EU-hosted means: servers are in the EU. EU-sovereign (or 'data sovereignty') goes further: the provider is also legally and organisationally independent of non-EU jurisdictions, including no foreign parent company and no foreign shareholders with control. OVH and Mistral approach the sovereign model; most large hyperscalers (even with EU regions) do not. For the most demanding compliance requirements (government, critical infrastructure), sovereignty is the criterion, not just hosting.

How often is provider data updated?

Hosting region data in the Tokonomix database is updated weekly from official provider documentation. Benchmark scores are recalculated daily based on automated test rounds. If you notice a discrepancy, you can propose a correction via the feedback button on the provider page.