How we score

Data resides in the EU by default, on infrastructure operated by the vendor or a European cloud (OVH, Scaleway, Clever Cloud, Aleph Alpha's own infra).

EU region available via a US hyperscaler (AWS, Azure, GCP). Data stays in Europe at rest, but control plane and operator are non-EU.

Data leaves the EU by default. No EU region available, or opt-in only.

GDPR built into the product. Sub-processors list in the EU, training opt-out by default, full DPA offered.

DPA available on request, training opt-out available. Some sub-processors outside the EU.

No DPA, no opt-out, or terms incompatible with Article 28 of the GDPR.

Vendor incorporated in an EU member state. No conflicting extraterritorial laws.

Vendor incorporated in a country with a valid EU adequacy decision (UK, Switzerland, Canada, Japan, South Korea, …). Exposure depends on the country's own laws.

Vendor incorporated in a country whose laws conflict with the GDPR (notably the US CLOUD Act and FISA 702, or China's data-access regime). May be disqualifying for regulated sectors.

Vendor publishes the Article 53 information (training data summary, copyright compliance, risk management) expected of general-purpose AI providers.

Some obligations met, others unclear or forthcoming.

No public information, or vendor does not fall under the AI Act but operates in the EU.

Apache 2.0, MIT, BSD. No usage caps, no royalty, no acceptable-use clauses. Irrevocable.

Vendor-specific licence (Llama community, Gemma terms, etc.). Usually commercial-ok with caveats: MAU caps, acceptable-use lists, attribution requirements. Vendor can revise terms for new versions.

Non-commercial licence. Not deployable in production.

Full list of datasets, provenance, licensing, copyright posture.

High-level description, some datasets named, others aggregated.

No public information on training data. AI Act Article 53 obligations not met.