
The EU AI and data-sovereignty glossary

Plain-language definitions of the terms that come up when you deploy AI compliantly in Europe, from the GDPR to the EU AI Act to the CLOUD Act.

GDPR
The General Data Protection Regulation, the EU law governing how personal data is collected, processed and protected. It applies to any organisation handling EU residents' data and carries fines up to 4% of global turnover.
EU AI Act
The EU's risk-based regulation of artificial intelligence. It classifies systems into prohibited, high-risk, limited-risk and minimal-risk tiers, with escalating obligations for documentation, oversight and transparency.
Data sovereignty
The principle that data is subject to the laws of the country in which it is stored and processed. Keeping data in the EU means it stays under EU law, not foreign jurisdiction.
Data residency
The physical or geographic location where data is stored. EU data residency means the servers holding your data sit within the EU.
CLOUD Act
A US law that can compel US-based providers to hand over data they control, even when that data is stored outside the US. This is why a US company hosting data 'in the EU' may still be legally reachable.
Schrems II
A 2020 EU court ruling that invalidated the Privacy Shield framework and tightened the rules for transferring personal data to the US, reinforcing the case for keeping data in the EU.
High-risk AI system
Under the EU AI Act, a category of AI use (such as in employment, credit, or essential services) subject to strict requirements for risk management, documentation, human oversight and transparency.
Sub-processor
A third party engaged by a data processor to help process personal data. The GDPR requires that sub-processors be disclosed and bound by equivalent data-protection obligations.
DPA (Data Processing Agreement)
A contract required by the GDPR between a data controller and a processor, setting out how personal data may be handled. Not to be confused with a Data Protection Authority.
Data Protection Authority
The national regulator that enforces the GDPR in each EU country, such as the CNIL in France or the BfDI in Germany.
Open-source model
An AI model whose weights are publicly available, so it can be self-hosted and run on infrastructure you control, rather than only via a vendor's API.
Inference
The process of running a trained AI model to generate output. Where inference happens determines where your prompt data is processed.
Self-hosting
Running software, including AI models, on infrastructure you operate, rather than as a managed cloud service. It maximises control and sovereignty.
Special-category data
Under GDPR Article 9, sensitive data such as health, biometric, or political information, subject to stricter processing conditions and higher penalties.
Data Protection Officer (DPO)
A role required for many organisations under the GDPR, responsible for overseeing data-protection strategy and compliance.
Audit log
An immutable record of actions taken in a system, such as who queried an AI model and what documents were accessed, used to demonstrate compliance.
Risk classification
The process under the EU AI Act of determining which risk tier an AI use case falls into, which then dictates the obligations that apply.
Sovereign cloud
Cloud infrastructure operated under EU control and law, designed to be insulated from foreign government access requests.