Art. 28 GDPR · Last reviewed May 9, 2026

Data Processing Agreement and sub-processors

This page lists processors under Art. 28 GDPR that may process personal data within VAND. The processors actually used by your workspace depend on the selected data boundary and enabled models.

Local
Your own or on-premises infrastructure only; no cloud inference.
EU
EU/EEA hosting with GDPR-compliant data processing agreements.
Global
Global providers, including providers outside the EEA, only when workspace policy permits them.
Filter:
Hetzner Online GmbHLocal
Hosting of the primary PostgreSQL database, application and object storage
Falkenstein / Nuremberg·Germany·DPA
VANDLocal
Air-gapped on-premises model inference and local embeddings
Processing remains within the workspace environment; there is no external transfer.
Berlin·Germany·internal
Aleph Alpha GmbHEU
Sovereign LLM inference for Luminous and Pharia models
Heidelberg·Germany·DPA
Mistral AI SASEU
EU-sovereign LLM inference for Mistral and Codestral models
Paris·France·DPA
Microsoft Ireland Operations LimitedEU
Optional, customer-activated SSO through Microsoft Entra ID and email delivery
Dublin·Ireland (EU)·DPA
OpenRouter, Inc.Global
Routing to global model providers such as OpenAI, Anthropic and Google, only when the Global data boundary is allowed
California·United States·DPA
OpenAI, L.L.C.Global
GPT model inference when configured directly, only when the Global data boundary is allowed
San Francisco·United States·DPA
Anthropic, PBCGlobal
Claude model inference when configured directly, only when the Global data boundary is allowed
San Francisco·United States·DPA

How does the selection affect your workspace?

The workspace-wide data boundary under Settings → Privacy determines which processor groups can be used:

  • Local only local processors are eligible.
  • EU local and EU processors are eligible.
  • Global local, EU and global processors are eligible. Global transfers require an appropriate risk assessment and transfer mechanism.

Administrators may apply stricter data boundaries to individual capabilities. Server-side policy checks still run on every model request.

Conversation classification

A conversation can additionally be classified as Restricted. Restricted conversations are never sent to Global processors, even when the workspace data boundary would otherwise allow them.

Requests and Data Processing Agreement

A signature-ready DPA is available on request from legal@vand.ai. We update this overview within 14 days after putting a new sub-processor into operation.