Where does my data go when I use an AI model?

It depends on the provider. US models (OpenAI, Anthropic, Google, Microsoft) process under US jurisdiction including the CLOUD Act. Mistral processes in the EU. Chinese APIs (DeepSeek, Qwen, Kimi) store data in China. Self-hosting any open-weight model keeps data on your own infrastructure.

Which AI is best for GDPR compliance?

Mistral is GDPR-native and EU-resident. Anthropic, OpenAI (enterprise), Google and Microsoft can also be operated in GDPR-compliant ways with the right tier and EU data residency. Self-hosting an open-weight model in the EU gives you full control.

What is the CLOUD Act?

The US CLOUD Act allows US authorities to compel US-based providers to hand over data they control, even if stored abroad. It is the main reason some non-US organisations prefer EU-resident or self-hosted models for sensitive data.

AI Data Sovereignty Comparison

Four jurisdictions, one decision: US (CLOUD Act reach), EU (GDPR-native), China (data stored in China), or your own infrastructure (self-hosted open weights). Match the model's jurisdiction to your data's legal requirements before anything else.

Where each model's data goes

Model	Jurisdiction	Self-hostable?	Best for
Claude (Anthropic)	US	No	US/EU enterprise, regulated with DPA
GPT (OpenAI)	US	No	General enterprise (EU residency available)
Gemini (Google)	US	No	Google Workspace orgs
Microsoft Copilot	US	No	Microsoft 365 orgs, EU data boundary
Mistral	EU	Yes	EU sovereignty, regulated industries
Llama 4 (Meta)	US (or your infra)	Yes	Self-hosted privacy
DeepSeek / Qwen / Kimi / GLM / MiniMax	China (API)	Yes (weights)	Budget; self-host for compliance

What each jurisdiction means

US — subject to US law including the CLOUD Act, which can compel US providers to produce data even if stored abroad. Adequate for most businesses with a DPA; a consideration for highly sensitive non-US data.
EU — GDPR-native, data resident in the EU. The strongest fit for European personal data. Mistral is the frontier-class option.
China — hosted APIs store data in China under laws that can compel disclosure. Multiple governments restrict these for official use. Mitigate by self-hosting.
Self-hosted — open weights on your own infrastructure: jurisdiction becomes your choice. Maximum control, maximum complexity.

Match jurisdiction to your data

Your data	Safe choices
EU personal data	Mistral, EU-resident enterprise tiers, or self-hosted in EU
US business data	Anthropic, OpenAI, Google, Microsoft
Regulated (HIPAA/financial)	Compliant enterprise tiers or self-hosted
Non-sensitive / internal	Any, including Chinese APIs for cost
Maximum control	Self-host an open-weight model

On the homepage comparison table, the jurisdiction flag and "self-host" badge appear on every model, and you can filter to EU-safe or self-hostable.

Next steps: run the privacy checklist, weigh the China risk, and read self-host vs API for the deployment trade-off.

AI data sovereignty: where does your data go?

Where each model's data goes

What each jurisdiction means

Match jurisdiction to your data