Data sovereignty for a solo founder means 20+ individual infrastructure decisions, each with a different trade-off between control, cost, and capability. Five months of building an AI system on self-hosted German infrastructure taught me that sovereignty is a spectrum, not a binary. Here's what that looks like in practice.

I wanted everything self-hosted in Germany. Five months later, here's the reality.

When I started building intentic in September 2025, data sovereignty was a non-negotiable principle. Everything self-hosted. Everything in Germany. Full control over every byte.

Five months in, my infrastructure looks different from what I imagined. Not because I gave up on the principle, but because sovereignty turns out to be 20+ individual decisions, each with a different trade-off. And the honest version of that story is more useful than the binary narrative most articles tell.

Why this matters beyond my project

This isn't a niche compliance debate anymore. The ground is shifting fast.

In June 2025, Bitkom surveyed 604 German companies. 82% want European hyperscalers that can compete with AWS, Azure, and Google. 78% see Germany as too dependent on US cloud providers. And 50% of cloud users say the current US administration's policies are forcing them to rethink their cloud strategy entirely (Bitkom Cloud Report 2025).

Those numbers exist for a reason. On June 10, 2025, Microsoft France's legal director Anton Carniaux testified under oath before the French Senate. Asked whether he could guarantee that French citizens' data would never be transferred to US authorities: "Non, je ne peux pas le garantir." No, I cannot guarantee that (The Register, actuia.com).

That's not a theoretical risk. That's a sworn statement from Microsoft's own legal team confirming what many suspected: the US CLOUD Act overrides whatever technical safeguards or EU hosting arrangements you put in place.

The CLOUD Act doesn't care where your servers are.

Meanwhile, the EU-US Data Privacy Framework that enables legal data transfers is under pressure. The Trump administration removed PCLOB members essential to the framework's oversight (IAPP, March 2025). Max Schrems and noyb are reviewing options for a broader legal challenge (noyb, September 2025). NIS2 has been in force since December 2025, affecting roughly 30,000 organizations in Germany alone.

If you're building a B2B product in Europe, this is your operating environment.

The good news: Europe is building real alternatives

The European cloud ecosystem is getting serious investment. Companies like STACKIT, backed by the Schwarz Group (€167B revenue), are building genuine European hyperscaler infrastructure with an €11B data center commitment. The group employs 575,000 people and operates 14,200+ retail locations. A strategic partnership with Germany's BSI was signed at the Munich Security Conference in February 2026. BSI C5 Type 1+2 certification. Open source foundations (schwarz-digits.de, BSI press release, Feb 2026).

A family-owned company that already operates one of Europe's most critical supply chains is now building sovereign cloud infrastructure. That's not the easiest path. It's the right one.

But sovereign hyperscalers solve the enterprise and public sector problem. My problem was different: How does a solo founder with zero budget and no legal department navigate sovereignty for an AI-powered system?

My starting point: Hetzner

The first decision was the easiest. Hetzner over AWS.

Three reasons, all equally weighted. GDPR: German company, German data centers, no US parent entity. Cost: I'm bootstrapped, every euro counts. And control: I wanted to understand my infrastructure, not abstract it away behind managed services.

The cost difference was significant. My entire production stack runs for roughly €40-80/month on Hetzner. A comparable AWS setup would cost $200-400+. As a bootstrapped solo founder, that made the decision straightforward.

What went sovereign (and was surprisingly easy)

Most of my infrastructure lives entirely on Hetzner in Germany. PostgreSQL with pgvector. Redis for job queues. Traefik as reverse proxy with TLS termination. Authentication via Authentik and SuperTokens. All self-hosted, all in Germany.

The most deliberate decision was self-hosting Langfuse for LLM observability. Every trace from my AI pipeline contains business context about the companies being analyzed. Prompts, extracted competitor data, financial signals. Sending that to a US-hosted observability service would undermine the entire premise. Self-hosted Langfuse keeps all of that in Germany.

These decisions weren't heroic. PostgreSQL on Hetzner just works. Redis on Hetzner just works. The tooling is mature, the documentation is solid, and the cost is a fraction of managed cloud alternatives. If your stack is standard infrastructure, sovereignty is surprisingly achievable.

Where sovereignty breaks down: AI services

The obvious question: why not self-host AI models too?

Because running LLMs locally requires GPU infrastructure that costs thousands per month. A single A100 GPU on Hetzner or comparable providers starts at €2-3/hour. My pipeline runs multiple models across different phases, sometimes in parallel. The economics of self-hosted inference don't work at my scale. I need access to frontier models at per-token pricing, not dedicated GPU hardware. That means API providers. And the best API providers for LLM routing and specialized search are US-based.

intentic runs an AI pipeline that analyzes companies' go-to-market strategies (you can try a free analysis at gtm.intentic.io). That pipeline needs three things I couldn't find European alternatives for at the time I made these decisions:

LLM routing. I use OpenRouter to route inference across multiple models (Gemini, GPT) with automatic fallback chains. OpenRouter is a US company. They offer EU routing (eu.openrouter.ai) and support Standard Contractual Clauses, but they're still subject to US jurisdiction.

Company research. Exa provides neural search optimized for structured company data: financials, team size, geographic presence. It's the best at what it does. It's also US-based, SOC 2 Type II certified, but their default behavior includes training on query data. That's worth knowing if you care about data sovereignty.

Market intelligence. Tavily provides web research with AI-synthesized answers. Excellent for market trends, buyer journey data, competitive intelligence. US-based, has a Trust Center, but GDPR mechanisms were unclear when I evaluated them.

I made a pragmatic decision: use the best services available and mitigate technically. Only public company data goes to these APIs, never personal user data. Standard Contractual Clauses where available. Zero Data Retention where offered.

That's the trade-off. My infrastructure is sovereign. My AI services are not. And I was honest about that from day one.

The messy middle nobody talks about

The binary narrative ("self-host everything" vs. "just use AWS") skips the part that actually takes time and energy. The messy middle.

Writing a privacy policy as a non-lawyer. Bilingual (German/English), all GDPR Article 13/14 disclosures, transparent about which data goes where and why. I spent more time on this than on some product features.

Exa's training default. Exa trains on query data by default. For a system that sends company URLs and growth goals to the API, that's worth knowing. Opting out requires specific action, and Zero Data Retention is only available at Enterprise tier.

Understanding what the CLOUD Act actually means for your specific data flows. Not in theory, but concretely: which data leaves the EU, what category is it, what's the actual risk? For intentic, only public company data that's already on the open web goes to US APIs. User data stays in Germany. That distinction matters.

This is a learning project for me. I'm not building this with a compliance department behind me. I'm figuring out how to build a complex AI system as a non-programmer, and data sovereignty is one of the chapters. (The development workflow itself was another one.) The decisions I'm making are pragmatic, not perfect.

The trade-off matrix

Not every component needs the same level of sovereignty. Here's how I think about it:

| Component | Location | Sovereignty | Why |
|---|---|---|---|
| Database (PostgreSQL) | Hetzner DE | Full | Contains all user and analysis data |
| Cache/Queue (Redis) | Hetzner DE | Full | Processing pipeline data |
| LLM Observability (Langfuse) | Hetzner DE | Full | Traces contain business-sensitive context |
| Authentication | Hetzner DE | Full | User identity data stays in EU |
| Secrets Management (Doppler) | SaaS | Partial | No customer data, only API keys |
| LLM Routing (OpenRouter) | US | Mitigated | SCCs, EU routing available, only public data sent |
| Company Research (Exa) | US | Mitigated | SOC 2, only public company data sent |
| Market Research (Tavily) | US | Mitigated | SCCs requested, only public data sent |
| Email (Resend) | US | Acceptable | DPF-certified, cleanest legal basis for US transfers |

The pattern: anything touching user data or business-sensitive analysis stays in Germany. External AI services only receive public company information that's already available on the open web.
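The "only public data leaves Germany" rule can be checked in code at the point where the pipeline calls an external API. The following is an added example, not intentic's own code: the destinations and tiers come from the matrix above, while the payload field names, their categories and the e-mail pattern are assumptions chosen for illustration.

```python
import re

# Tiers copied from the matrix above; only the self-hosted and "Mitigated" rows are modelled.
TIERS = {
    "postgresql": "full", "redis": "full", "langfuse": "full",
    "openrouter": "mitigated", "exa": "mitigated", "tavily": "mitigated",
}

# Hypothetical payload fields and their data category (assumption, not from the article).
FIELD_CLASS = {
    "company_url": "public",
    "company_name": "public",
    "search_query": "public",
    "trace_context": "business_sensitive",
    "user_email": "personal",
    "user_id": "personal",
}

# Deliberately simple pattern to catch e-mail addresses that leak into free-text fields.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def egress_violations(destination, payload):
    """Return the reasons a payload must not be sent; an empty list means allowed."""
    tier = TIERS.get(destination)
    if tier is None:
        return [f"unknown destination {destination!r}: denied by default"]
    if tier == "full":
        return []  # self-hosted in Germany, no category restriction
    problems = []
    for field, value in payload.items():
        category = FIELD_CLASS.get(field)
        if category is None:
            # A new field must be classified before it can leave the EU.
            problems.append(f"{field}: unclassified field, denied by default")
        elif category != "public":
            problems.append(f"{field}: {category} data may not go to {destination}")
        elif isinstance(value, str) and EMAIL_RE.search(value):
            # A "public" field can still carry personal data inside its text.
            problems.append(f"{field}: contains an e-mail address")
    return problems


if __name__ == "__main__":
    # Constructed sample payload: a public field plus one that should be blocked.
    sample = {"company_url": "https://example.com", "user_email": "jane@example.com"}
    for reason in egress_violations("exa", sample):
        print("BLOCKED:", reason)
```

Calling the check in the one wrapper that performs outbound requests, and refusing to send when the list is non-empty, turns the documented data-flow map into something that fails loudly when a new field is added without being classified.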

The market is moving

The European AI infrastructure ecosystem is growing faster than I expected. When I made these decisions in late 2025, some of the alternatives that exist today weren't available or weren't mature enough.

That applies to LLM routing, search APIs, and inference platforms. I haven't evaluated these alternatives yet, so I can't vouch for quality or production-readiness. But the fact that they exist matters.

Open question to anyone reading this: If you know top-tier EU-based alternatives for LLM routing or AI-powered web research APIs that you've actually used in production, I'd genuinely like to hear about them. Not theoretical alternatives. Services that work.

Three takeaways for builders

Sovereignty is a spectrum, not a binary. You don't need 100% self-hosted to make responsible choices. Map your data flows, identify what's sensitive, and protect that first. Public company data going to a US search API is a different risk category than user PII going to a US analytics tool.

Start sovereign where it's cheap, mitigate where it's not. Database, cache, auth, observability: self-hosting these on Hetzner is both cheaper and more sovereign than managed cloud alternatives. AI services are harder. Accept the trade-off, document it, and have a plan.

The compliance work is harder than the technical work. Setting up PostgreSQL on Hetzner took hours. Writing a GDPR-compliant privacy policy, understanding the CLOUD Act implications for my specific data flows, figuring out which provider trains on what by default: that took weeks. If you're building in Europe, budget time for this. It's not optional, and it's not fast.

The sovereignty landscape in Europe is changing faster than most people realize. What felt like "no alternatives" six months ago is becoming "evaluate the alternatives" today. For anyone building in the EU right now: the infrastructure is getting there. The biggest remaining gap is in specialized AI services, and that gap is closing.

Build pragmatically. Document your trade-offs. And keep watching the market.

Frequently Asked Questions

Is self-hosting always cheaper than cloud?

For standard infrastructure like databases, caching, and authentication, self-hosting on providers like Hetzner costs roughly 3-5x less than equivalent AWS managed services. The exception is AI inference: GPU costs make self-hosted LLMs impractical below enterprise scale. A single A100 starts at €2-3/hour.

Does the CLOUD Act apply to EU-hosted data?

Yes, if the provider is a US company. The CLOUD Act can compel data disclosure regardless of server location. Microsoft France confirmed this under oath before the French Senate in June 2025. Using a European provider with no US parent entity is the only way to fully avoid CLOUD Act exposure.

Can a solo founder realistically achieve GDPR compliance?

Yes, but budget more time for compliance than for technical setup. Writing a GDPR-compliant privacy policy, mapping data flows, and understanding provider-specific data handling took weeks. Technical infrastructure setup took hours. The compliance gap is the most underestimated part.

What happens if the EU-US Data Privacy Framework collapses?

Companies relying solely on the DPF for US data transfers would need to fall back on Standard Contractual Clauses or stop transfers entirely. Building sovereignty incrementally now means less disruption if the framework fails. The PCLOB situation and ongoing noyb challenges make contingency planning prudent.


Pedram Shahlaifar comes from B2B go-to-market, not engineering. He's building intentic as a learning project, using AI to build an AI system, and writes about the trade-offs along the way.

Sources

  1. Bitkom: Bitkom Cloud Report 2025 (n=604, June 2025)
  2. The Register: Microsoft France Senate testimony, June 10 2025
  3. actuia.com: Microsoft France testimony on CLOUD Act
  4. IAPP: PCLOB/DPF analysis, March 2025
  5. noyb: Latombe ruling reaction, September 2025
  6. BSI: BSI-Schwarz Digits partnership, February 2026
  7. Schwarz Digits: Schwarz Digits corporate info