European infrastructure.
No compromises.

Hetzner. Falkenstein and Nuremberg. ISO 27001 + SOC 2 Type II. No US Cloud Act.

anymize runs exclusively on European infrastructure. Not at a US company with a data center in Frankfurt. But at a European hosting provider (Hetzner Online GmbH, Germany), in EU data centers, under EU data protection law. Your data is subject to no foreign access regime. No Cloud Act. No FISA 702. No EU-US Data Privacy Framework interpretation gymnastics.

Where your data lives

Hetzner.
European data centers.

No parent company abroad, no Frankfurt server with a Californian registered address. A European company (Hetzner, Germany), operating in EU data centers, under EU data protection law.

The provider: Hetzner Online GmbH

Hetzner is one of Europe’s leading hosting providers – headquartered in Gunzenhausen, Bavaria (Germany). European company, European commercial register, EU tax ID. That’s not a detail, it’s the foundation of every compliance argument: the operator is subject to EU law, not to foreign jurisdictions.

Locations: Falkenstein and Nuremberg

Our data sits in two Hetzner locations in Germany: Falkenstein/Vogtland – primary site, the largest Hetzner data center with several independent buildings. Nuremberg – secondary site for redundant components. Both locations are entirely within the EU. No shadow replication to non-EU countries. No “global region” that includes a node outside Europe.

Redundancy and backups

Backup strategy: daily backups, geo-redundant and mirrored within the EU. Availability SLA: 99.9 % (enterprise SLAs negotiable). Data-protection-relevant specialty: no node outside the EU, not even in a backup-failover scenario.

Infrastructure sustainability

Hetzner data centers run on 100 % renewable energy. For customers running ESG reporting, the corresponding certificates are available. That may sound like a side topic – it isn’t: anyone maintaining CO₂ inventories often only gets rough “carbon neutrality” claims from US hyperscalers. At Hetzner, the energy source is specifically nameable.

Certifications

What the data centers already prove today.

The Hetzner data centers where anymize runs are externally audited and carry the relevant industry standards:

ISO 27001
Meaning: Information security management
Relevance for you: Evidence for audits and supplier due diligence

ISO 27018
Meaning: Data protection in the cloud
Relevance for you: Additional requirements specifically for personal data

SOC 2 Type II
Meaning: Operational security controls, continuously audited
Relevance for you: Standard evidence used by European subsidiaries of US parent companies

ISAE 3402 Type 2
Meaning: Audit standard for outsourced services
Relevance for you: Important for auditors’ mandates

Important context

These certificates apply to the data centers, not automatically to the anymize platform itself. For anymize’s own certifications, see our certification roadmap further down.

No US Cloud Act

Why “servers in Frankfurt” is not enough.

The location of the server does not determine who can access the data.

What matters is who owns the company that operates the server. That is the misconception running through most compliance discussions.

The structural difference

EU hosting at a US company

  • Servers physically in Europe
  • Operator subject only to EU / national European law
  • No access by US authorities possible
  • Protection via a Schrems II-compliant structure
  • No corporate-group clause abroad

European company (anymize approach)

  • Servers physically in Europe
  • Operator subject only to EU / national European law
  • No access by US authorities possible
  • Protection via a Schrems II-compliant structure
  • No corporate-group clause abroad

The legal situation in brief

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) and FISA Section 702 oblige US companies to hand over data on request by US authorities – regardless of where the data physically resides. That affects:

  • Microsoft, including Azure data centers in Europe
  • Amazon, including AWS Frankfurt
  • Google, including Google Cloud Belgium / Germany
  • Oracle, IBM, Salesforce and every other US subsidiary group

The CJEU ruled in Schrems II (2020) that US surveillance law is incompatible with the GDPR. The EU-US Data Privacy Framework (2023) does not change that in substance – data protection officers and supervisory authorities continue to advise structural independence over formal workarounds.

What that means for you

Every anymize component runs on European infrastructure at a European-owned company (Hetzner, Germany). No US parent company, no corporate-group clause, no access scenario via third countries. Your data is subject exclusively to EU data protection law – and therefore to the GDPR’s protection standards without interpretation risk.

This applies to our own models Waterfall and Fountain at 100 %: the models run in our European infrastructure, the data never leaves the EU. For international frontier models (GPT, Claude, Gemini), automatic anonymization solves the problem: the data is anonymized before it leaves the European data center – which takes it out of the scope of the US Cloud Act.

Data flow

What runs where.
In detail.

Transparency about the actual data flow is the foundation for audit evidence and DPO conversations. In brief:

Components in the EU

with us on Hetzner (Falkenstein and Nuremberg, Germany)

EU
01

Anonymization pipeline

The three-stage PII detection runs entirely within the EU.

02

Hash-to-original mappings

The mapping between placeholder and original data (for rehydration) is stored exclusively within the EU.

03

Our own AI models

Waterfall and Fountain are operated by us; inference happens within the EU.

04

Chat histories, knowledge bases, projects

All user-specific content sits on Hetzner.

05

Billing, account data, audit logs

Florentin.ai (also GRVITY group, Kiel, Germany).

Components that may be external providers

only with anonymization upfront

optional

International frontier models

OpenAI, Anthropic, Google, Mistral, Perplexity, Moonshot – called only when you explicitly choose them. Sensitive data is automatically anonymized before transmission. What the model sees are placeholders.

Voxtral Transcribe 2

Mistral, European provider – for live transcription, self-hosted by us in the EU.

Image generation models

For image creation, external models (currently Nano Banana, OpenAI Image) are used; prompt content is anonymized beforehand if necessary.

The clear rule

Original data never leaves the EU.

What arrives at external models is either already anonymized content or content without personal reference. That’s not marketing – it’s the architectural core decision that makes Cloud Act protection possible in the first place.

Our own certification roadmap

What we’re working on next.

The Hetzner data centers are certified. For the anymize platform itself (the application layer) we are working on our own certifications:

ISO 27001 (anymize platform)

Standard evidence, often a minimum requirement in tenders

in preparation, planned for 2026

SOC 2 Type II (anymize platform)

Continuous controls review, for enterprise deals

in preparation, planned for 2026

BSI C5:2026

German government-cloud gold standard; also recognised by regulated industries across Europe

planned for 2027

For active tenders or audits, we provide enterprise customers with the full TOM documentation (technical and organizational measures) and a completed security questionnaire on request.

Transparency note

Certifications are processes, not button presses. We communicate target dates honestly and will actively inform you about delays. No silent slips.

Who it’s for

Who should care about “European infrastructure”.

Public administration

NIS2 compliance, national IT-baseline-protection frameworks (in Germany: BSI C5 / IT-Grundschutz), public procurement law

Banks and insurers

Banking secrecy, DORA requirements, national insurance-supervision codes (in Germany: VAG / BaFin oversight)

Hospitals and clinics

National medical-confidentiality rules (in Germany: § 203 StGB under the Criminal Code), KRITIS / NIS2 classification (from a certain size), national hospital-digitization funding (in Germany: KHZG)

Lawyers

Professional-confidentiality frameworks across European jurisdictions (in Germany: § 43e BRAO), mandate secrecy, professional oversight by the bar

Industry with trade secrets

Technology protection against export jurisdictions, EU Trade Secrets Directive and national Trade-Secrets Acts

Consultancies with international clients

Avoid US Cloud Act risks in the consulting IT landscape

And generally: any organization whose data protection officer opens every follow-up meeting with a US hyperscaler using “yes, but what if” gets an answer from anymize that needs no workarounds.

What you should know about the infrastructure.

Frequently asked questions

At Hetzner Online GmbH, a European hosting company headquartered in Gunzenhausen (Bavaria, Germany). The servers sit in the Hetzner data centers in Falkenstein (Vogtland) and Nuremberg. No node outside the EU, not even in backup.

Start now.
14 days free trial.

All models. All features. No credit card.

We stand behind anymize. And we know – when an AI tool touches client, patient or employee data, a demo video isn't enough. That's why we give you 14 days of full access – all models, all features, no credit card. Enough time to be certain, before you trust us.

Your AI workplace awaits.