parsr.

EU sovereignty, in detail

"Stored in Frankfurt by AWS" isn't enough any more.

DORA full enforcement (Jan 2025), NIS2, the EU Data Act Chapter VII (Sept 2025), and BSI C5 have moved data residency from "compliance footnote" to RFP gate. A processor with a US parent — even hosting in Frankfurt — is exposed to the US CLOUD Act regardless of which AWS region you pick. Microsoft's general counsel admitted this under oath to the French Parliament in June 2025.

We took that as a signal. parsr's EU region runs on operators with no US parent, with region binding enforced at the API-key level so accidental cross-border traffic isn't possible.

The architecture

Where your bytes physically sit

Compute

Exoscale Zürich (CH-DK-2). A1 Group operator (Austrian Telekom subsidiary), no US parent.

ISO 27001 / ISAE 3402 / BSI C5–aligned · Swiss data-protection jurisdiction

Object storage

Cloudflare R2 with jurisdiction='eu' — EU-resident endpoints, no transit to non-EU regions.

<acct>.eu.r2.cloudflarestorage.com endpoint · contractually EU-locked

Database

Neon Postgres on EU-resident infrastructure. Backups stay in EU.

EU-only Neon project · backup retention policy documented

Edge proxy

Cloudflare in front of every endpoint. WAF, DDoS, TLS termination at the EU edge.

Cloudflare EU regional services available; Authenticated Origin Pulls between CF and our boxes

Payment / billing

Stripe handles cards (EU-resident customer records). We never touch card numbers.

Stripe Billing Meters — usage events EU-resident

Region-binding (the unique bit)

Every API key carries `eu` or `us` in its prefix. Cross-region calls reject before reading any document.

Enforced in app/api/dependencies.py:require_api_key — code-reviewable

What region binding means in practice

One API key per region. Enforced at the edge.

Your API key carries the region in its prefix: sk_eu_live_… for EU customers, sk_us_live_… for US. An EU key sent to us-api.tryparsr.dev is rejected with wrong_region before any document is read. Cross-region replication doesn't exist as a code path — even if you ask, we cannot send your data to the other region.
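A sketch of the check described above, as an added example rather than parsr's own `require_api_key` code. The key layout is inferred from the `sk_eu_live_…` / `sk_us_live_…` prefixes; the function names, status codes, the `invalid_api_key` code, and the per-region digest store are assumptions. It also shows that the prefix is only a routing hint: a key whose prefix has been rewritten still fails the lookup in the region-local store.

```python
import hashlib
import re

# Layout inferred from the sk_eu_live_… / sk_us_live_… prefixes on the page;
# the secret alphabet and minimum length are assumptions.
KEY_RE = re.compile(r"sk_(eu|us)_live_([A-Za-z0-9]{16,})")


def digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed sample keys. Each region's store holds digests of its own keys only.
EU_KEY = "sk_eu_live_" + "A" * 24
US_KEY = "sk_us_live_" + "B" * 24
KEY_STORE = {"eu": {digest(EU_KEY)}, "us": {digest(US_KEY)}}


def authorize(api_key: str, serving_region: str) -> tuple[int, str]:
    """Return (status, code). Everything except 'wrong_region' is an assumed value."""
    m = KEY_RE.fullmatch(api_key)      # fullmatch rejects "sk_eux_..." and trailing junk
    if m is None:
        return 401, "invalid_api_key"
    if m.group(1) != serving_region:   # prefix check needs no store lookup
        return 403, "wrong_region"
    # The prefix is a routing hint, not proof: the key must exist in this region's store.
    if digest(api_key) not in KEY_STORE[serving_region]:
        return 401, "invalid_api_key"
    return 200, "ok"


def handle_upload(api_key: str, serving_region: str, read_body) -> dict:
    """read_body is a callable, so a rejected request never pulls the document."""
    status, code = authorize(api_key, serving_region)
    if status != 200:
        return {"status": status, "error": code}
    return {"status": 200, "bytes": len(read_body())}


if __name__ == "__main__":
    print(handle_upload(EU_KEY, "us", lambda: b"%PDF-1.7"))  # rejected, body unread
    print(handle_upload(EU_KEY, "eu", lambda: b"%PDF-1.7"))  # accepted
```
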

Compliance posture

What your security review will ask

DORA (Digital Operational Resilience Act)

Full enforcement since 17 Jan 2025 for EU financial entities. parsr is positioned as a compliant ICT third-party provider — DPA includes operational-resilience clauses.

NIS2

EU Directive 2022/2555 transposed into national law in 2024–25. Sub-processor list public; security incidents reportable within 72 hours per Article 23.

EU Data Act

Chapter VII (cross-border data access by non-EU authorities) applies since Sept 12 2025. parsr's EU compute path has no US-jurisdiction processor; EU customer data is contractually unreachable by US legal process.

BSI C5 alignment

Exoscale infrastructure is BSI C5–aligned. parsr application controls map to C5 attestation domains (we publish the mapping on request).

ISO 27001 / SOC 2

ISO 27001 audit window starts Q3 2026. SOC 2 Type I letter expected Q4 2026, Type II 2027. Detailed roadmap on /security.

GDPR data subject requests

Data-subject access, rectification, erasure all handled via DELETE /v1/data?org_id=… and email to privacy@tryparsr.dev. 30-day SLA.

Need a DPA, security questionnaire, or sub-processor list?

Email compliance@tryparsr.dev. We counter-sign DPAs within one business day; security questionnaires turn around inside three.
