Trust & compliance
Sovereignty you can verify
EU jurisdiction, no Cloud Act exposure, and an honest compliance roadmap. We never claim a certification we do not hold.
What is true today
- Data hosted exclusively in the EU
- EU company (Yggdrasil Digital SASU, France)
- No US parent — no Cloud Act exposure
- EU AI Act-aligned architecture (deployer/provider docs)
- GDPR — DPA available on request
- SecNumCloud — qualification in progress (target 2027)
Certifications & frameworks
GDPR
ActiveData hosted exclusively in the EU. DPA and processing register available on request.
EU AI Act
ActiveNative compliance architecture — deployer and provider documentation available.
SecNumCloud
In progress · 2027Qualification in progress — documented J0/J1 path for sensitive workloads.
ISO 27001
Planned · 2028ISO 27001 certification planned — ISMS being deployed.
SecNumCloud roadmap
2026 Q2
Phase 1 — Architecture
- Firecracker isolation
- Encryption at rest
- Customer sovereign keys
2026 Q4
Phase 2 — Qualification
- Preparatory ANSSI audit
- J0/J1 documentation
- Penetration testing
2027
Phase 3 — Certification
- SecNumCloud submission
- Sensitive-data hosting
- Dedicated enterprise support
EU AI Act
Deployer documentation for AI systems hosted on Citadea — available before enterprise GA.
EU AI Act deployer checklist
- AI system register and documented risk classification
- Traceability of inference logs and automated decisions
- Human oversight for high-risk systems
- Training and inference data hosted in the EU
- DPA and up-to-date subprocessor list on /trust
- Incident notification procedure (< 72 h)
Subprocessors
NamePurposeLocationUpdated
CloudflareCDN / DDoS edge protectionEU2026-06-01
StripePayments (EU entity)EU2026-06-01
ResendTransactional emailEU2026-06-01
EDFPower supplyFrance2026-06-01