Data sovereignty · EU jurisdiction

Your documents stay in EU jurisdiction. Always.

Sovereignty in 2026 isn’t a tickbox on the order form. CLOUD Act, DORA, NIS2, and the EU Data Act Chapter VII have moved residency from compliance footnote to RFP gate. parsr enforces region binding at the API-key layer, runs compute on an EU operator with no US parent, and persists every byte to storage contractually pinned to the EU.

Region-bound API keys · Exoscale Zürich + Hetzner Ashburn · R2 jurisdiction='eu' · DORA + NIS2 aligned

The problem

Why “GDPR-compliant” is no longer the bar

Five separate regulatory and political shifts since 2024 have moved the goalposts. A processor with a US parent — even one hosting on AWS Frankfurt — is exposed to the US CLOUD Act regardless of which EU region label appears on the dashboard. EU buyers are auditing the legal entity, not just the data centre.

The CLOUD Act, on the record

In June 2025, Microsoft’s general counsel testified under oath to the French Parliament that the company “cannot guarantee” that EU customer data hosted on Microsoft 365 is unreachable by US legal process — even when stored in EU data centres. The same exposure applies to AWS, Google, and any processor with a US parent.

French Parliament transcript, June 2025 — Microsoft testimony

DORA full enforcement (Jan 2025)

The EU’s Digital Operational Resilience Act has been fully enforced since 17 January 2025. EU financial entities are required to map and contractually constrain every ICT third-party. Sub-processors with unclear jurisdiction or unilateral termination rights are deal-blockers, not footnotes.

Regulation (EU) 2022/2554, Articles 28–30

NIS2 — 72-hour breach notification

Directive 2022/2555 was transposed into national law across EU member states in 2024–25. “Essential” and “important” entities (which now include most fintech and accounting platforms) must report security incidents within 72 hours. That requires a sub-processor list you actually trust.

Directive (EU) 2022/2555, Article 23

EU Data Act — Chapter VII

In effect since 12 September 2025, Chapter VII restricts cross-border data access by non-EU public authorities. Translation: an EU customer’s data being subject to a US subpoena via a US-headquartered processor isn’t an edge case any more — it’s a contractual breach.

Regulation (EU) 2023/2854, Chapter VII

BSI C5 in German RFPs

The BSI C5 attestation is increasingly the de-facto bar for German finance procurement. C5-aligned operators (Exoscale, IONOS, Open Telekom Cloud) clear procurement faster than C5-absent ones — even when the data residency on paper is identical.

BSI Cloud Computing Compliance Catalogue (C5)

The Kiteworks 2025 data security report

62 % of EU finance respondents identified “sub-processor jurisdiction” as their top procurement gate, ahead of price and feature parity. We built parsr’s sovereignty model around that finding.

Kiteworks 2025 EU Data Security Survey
Our position

We took the post-2024 shift as a design constraint rather than a compliance burden. parsr’s EU region runs on operators with no US parent, with region binding enforced at the API-key level — accidental cross-border traffic is not possible by code path, even if you ask for it.

The architecture

How parsr enforces sovereignty — three layers

Sovereignty is enforced in three places: the API key prefix, the compute operator, and the storage layer. A failure in any one of them collapses the guarantee, so all three matter.

[Figure: parsr EU sovereignty architecture. Customer requests carrying an sk_eu_live_… key pass through three layers: (1) API key layer with a region-bound prefix, (2) compute layer on Exoscale Zürich, (3) storage layer on R2 jurisdiction=eu and Neon EU.]

Layer 01

API key layer

Region binding, enforced at the edge

Every key carries the region in its prefix: sk_eu_live_… for EU, sk_us_live_… for US. An EU key sent to us-api.tryparsr.dev is rejected with wrong_region before any byte of the document is read. Cross-region replication does not exist as a code path — even if you ask, we cannot send your data to the other region.

Enforced in app/api/dependencies.py:require_api_key — code is open to customer review under NDA.
Layer 02

Compute layer

Exoscale Zürich · A1 Group operator

Compute runs on Exoscale’s Zürich (CH-DK-2) region. Exoscale is a subsidiary of A1 Group (Austrian Telekom). No US parent. ISAE 3402 Type II audited; BSI C5–aligned. Switzerland-based jurisdiction with EU adequacy. Our US region runs on Hetzner Ashburn; EU customer traffic has no US CLOUD Act exposure there either, because EU keys never reach it.

Exoscale ISAE 3402 / BSI C5 attestations are reflected in our DPA appendix; Swiss DPAs and SCCs are pre-staged.
Layer 03

Storage layer

R2 jurisdiction='eu' · Neon EU

Object storage uses Cloudflare R2 with jurisdiction='eu' — endpoints resolve to EU-resident POPs only and the bucket is contractually EU-locked. Database is Neon Postgres on EU infrastructure with EU-only backups. No replication path off-EU exists at the infrastructure level.

<acct>.eu.r2.cloudflarestorage.com endpoint, contractually EU-locked. Neon EU project IDs documented in the sub-processor list below.
Compliance posture

What your security review will ask

Honest by default: where we’re aligned but not yet certified, we say so. Where we’re fully compliant, we say so. Don’t take a vendor that pretends.

GDPR · Compliant

Article 28 DPA included by default

Standard DPA is signed during signup. Article 6 lawful basis is contractual necessity. DSARs (data subject access requests) are handled via DELETE /v1/data?org_id and email to privacy@tryparsr.dev with a 30-day SLA.

DORA · Aligned

Operational-resilience clauses in the DPA

We sit as an ICT third-party provider in your DORA mapping (Article 28). Operational-resilience clauses (incident reporting, sub-processor change notice, exit plans) are pre-staged in the standard DPA.

NIS2 · Aligned

72-hour incident reporting

Sub-processor list is public; incidents reportable to customers within 72 hours per Article 23. Status page at status.tryparsr.dev gives near-real-time visibility into incident state.

EU Data Act · Aligned

Chapter VII — no US-jurisdiction processor

EU customer data is contractually unreachable by US legal process. Compute is on Exoscale (CH/EU); storage is on R2 with jurisdiction='eu'; billing is on Stripe EU. No US-headquartered processor sits in the EU data path.

BSI C5 · Aligned

C5 attestation domains mapped

Exoscale infrastructure is BSI C5–aligned. parsr application controls map to the C5 attestation domains; we publish the mapping on request for German finance procurement.

ISO 27001 · In progress

Audit window starts Q3 2026

We're aligned to the ISO 27001 controls today. Stage 1 audit window is Q3 2026, Stage 2 expected Q1 2027. We say 'aligned' instead of 'certified' until the certificate is in hand. Roadmap is public on /security.

SOC 2 Type II · In progress

Type I letter expected Q4 2026

Aligned to the Trust Services Criteria today. SOC 2 Type I letter expected Q4 2026, Type II 2027. Pre-letter, we send our internal control mapping under NDA — email compliance@tryparsr.dev.

Penetration testing · Annual

Independent pen-test annually

Independent third-party penetration test annually; latest summary letter available under NDA. Bug-bounty program scopes the public API surface; private scope covers the internal admin path.

Cyber insurance · Active

€2M coverage

Cyber-liability policy with €2M per-incident coverage. Certificate of insurance available on request — we'll attach it to your custom DPA on signing.

Sub-processor list

Every party that touches your data

Your DORA mapping needs this. Your security questionnaire needs this. Most vendors hide it; we publish it. If we add a sub-processor, we email customers 30 days before the change takes effect.

| Sub-processor | Location | Function | Data accessed | DPA |
|---|---|---|---|---|
| Exoscale (A1 Group) | Zürich, CH | Compute (EU region) — VMs and Kubernetes nodes | All document content, in flight + memory | Signed |
| Hetzner Online | Ashburn, VA, USA | Compute (US region) — VMs and Kubernetes nodes | All US-region document content | Signed |
| Cloudflare R2 | EU (jurisdiction='eu') / US | Object storage — uploaded PDFs and JSON results | Document blobs; encrypted at rest | Signed |
| Cloudflare (edge) | EU + US POPs | Edge proxy — TLS termination, WAF, DDoS | Request headers + body in transit | Signed |
| Neon | EU (Frankfurt) / US | Postgres database — metadata and account state | User accounts, job IDs, no document content | Signed |
| Stripe | EU + US (Stripe EU for EU customers) | Billing, payment processing | Customer billing details only | Signed |
| Anthropic | Routed via EU + US Bedrock | LLM inference (Claude) — extraction model | Document text (no PII outside the doc itself) | Signed · ZDR available on Scale+ |
| WorkOS | US (with EU residency option) | Authentication, SSO, MFA | Auth metadata only — no document content | Signed |
| Sentry (sentry.io) | EU (sentry.io EU) | Error monitoring | Stack traces; document content scrubbed | Signed |
| Resend | EU + US (sender domain on EU routing) | Transactional email — verification, password reset, magic link, billing | Email address + email body content | Signed |
| PostHog (EU) | Frankfurt, DE (eu.posthog.com) | Product analytics on the operator dashboard (app.tryparsr.dev) | Dashboard click events keyed by org_id; never document content | Signed |
| Better Stack | EU (logs.betterstack.com EU) | Log aggregation + uptime monitoring + status page | Structured logs (PII scrubbed); never document content | Signed |
| Plausible Analytics | Frankfurt, DE | Privacy-respecting site analytics on tryparsr.dev | Anonymous page views — no PII | Signed |

DPA & SCCs

Documents your legal team needs

We pre-stage the documents your DORA / NIS2 / GDPR mappings need. Standard DPA online; SCCs (modules 2 and 3) attached to every paid contract. Custom DPAs welcome — counter-signed in one business day.

Standard DPA

Article 28 GDPR DPA, signed online during signup. Includes operational-resilience clauses for DORA Article 30 mapping.

Read the standard DPA
Standard Contractual Clauses

EU Commission 2021 SCCs, modules 2 and 3, attached automatically to every EU customer contract.

Read the SCCs
Custom DPA

Email compliance@tryparsr.dev with your draft. We counter-sign within one business day; security questionnaires within three.

Email compliance@tryparsr.dev
Comparison

How parsr’s sovereignty stacks up

Three vendors EU finance buyers commonly evaluate alongside parsr. Residency commitment + price are the gating factors — we keep this short.

EU sovereignty matrix · May 2026

| Capability | parsr | Mindee Pro / AWS / Klippa |
|---|---|---|
| Operator with no US parent (EU compute) | | |
| Region binding at API key layer | | |
| Storage with jurisdiction enforcement | R2 jurisdiction='eu' | Variable per vendor |
| EU residency on entry-tier plan | | |
| DORA-mapped sub-processor list | | |
| Public benchmark on bank-statement accuracy | Coming Q3 2026 | Mindee + Klippa benchmark internally |
| Years in market | Launched 2026 | Mindee since 2018, AWS since forever |

Detailed head-to-head: parsr vs Mindee · parsr vs Reducto.
In practice

What region binding looks like in your code

The whole sovereignty model collapses into the API key prefix. Your client picks the region; the edge enforces the constraint. There’s no “please use the EU region” flag that someone could forget to set.

```python
from parsr import Parsr

# An EU-prefixed key talks to the EU edge and only the EU edge.
parsr_eu = Parsr(api_key="sk_eu_live_…")  # → eu-api.tryparsr.dev

# Sending an EU key at us-api.tryparsr.dev is a hard reject:
#
#   $ curl https://us-api.tryparsr.dev/v1/parse \
#       -H "Authorization: Bearer sk_eu_live_…"
#   { "error": "wrong_region", "expected": "us", "got": "eu" }
#
# No bytes of the document are read before the rejection.

result = parsr_eu.parse_bank_statement(document="statement.pdf")
print(result.transactions[0])
```

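
A client-side pre-flight mirror of the region-binding check described above, as an added example (not parsr's SDK and not its require_api_key code): it refuses to proceed when the key prefix and the endpoint host disagree, so a misconfigured base URL fails before the document leaves your network. The key prefixes, hostnames and error body come from this page; the function names, the https-only rule and the sample key are assumptions.

```python
import re
from urllib.parse import urlsplit

# Key and host shapes as shown on this page; anything else fails closed.
KEY_RE = re.compile(r"sk_(eu|us)_live_\S+")
HOST_RE = re.compile(r"(eu|us)-api\.tryparsr\.dev")

SAMPLE_KEY = "sk_eu_live_EXAMPLEONLY"  # constructed placeholder, not a real key


class RegionError(ValueError):
    """Raised before any request is built, so no document bytes are sent."""


def key_region(api_key: str) -> str:
    """Extract the region from the key prefix (hypothetical helper)."""
    m = KEY_RE.fullmatch(api_key.strip())
    if not m:
        raise RegionError("malformed_key")
    return m.group(1)


def host_region(base_url: str) -> str:
    """Extract the region from the endpoint host (hypothetical helper)."""
    parts = urlsplit(base_url)
    if parts.scheme != "https":  # assumption: only TLS endpoints are valid
        raise RegionError("insecure_scheme")
    # .hostname is lowercased and excludes userinfo and port, so
    # "https://eu-api.tryparsr.dev@other.example/" resolves to other.example.
    host = (parts.hostname or "").rstrip(".")
    m = HOST_RE.fullmatch(host)  # fullmatch rejects lookalike suffixes
    if not m:
        raise RegionError("unknown_host")
    return m.group(1)


def preflight(api_key: str, base_url: str) -> dict:
    """Return {} if key and endpoint agree, else the wrong_region error body."""
    got, expected = key_region(api_key), host_region(base_url)
    if got != expected:
        return {"error": "wrong_region", "expected": expected, "got": got}
    return {}


if __name__ == "__main__":
    print(preflight(SAMPLE_KEY, "https://eu-api.tryparsr.dev/v1/parse"))
    print(preflight(SAMPLE_KEY, "https://us-api.tryparsr.dev/v1/parse"))
```

Run the check in CI against your deployed configuration as well as at request time; a non-empty result or a RegionError means the key and base URL were paired incorrectly.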
Read the docs, or talk to compliance

Sovereignty buyers evaluate before signing up. We don't push a free-tier signup here — get the technical detail you need from the docs, or book a 30-minute call with the founder for a DPA conversation.
Or: see /security for non-residency security controls, /pricing for plans, or compare with Mindee.