Public infrastructure inventory

What runs where.

We claim a 100% EU-operated stack with no US vendors in the data path. This page is the checkable version of that claim. Every component, every provider, every location.

compute and storage core data path

orchestrator

Scaleway Serverless Containers · Paris, FR

database

Scaleway Managed PostgreSQL · Paris, FR

registry

Scaleway Container Registry · Paris, FR

ciphertext

Scaleway Object Storage (S3-compatible) · Paris, FR

site hosting

Scaleway Object Storage + Edge Services · Paris, FR

network and delivery

dns

deSEC · DE

Scaleway Transactional Email (TEM) · FR

payments

Mollie · NL

observability self-hosted where possible

errors

Self-hosted GlitchTip

analytics

Self-hosted Plausible · no cookies · no cross-site tracking

monitoring

Scaleway Cockpit + self-hosted Grafana · FR / self-hosted

development

source / ci

GitHub (private today); Codeberg when public

note

GitHub is a US vendor. Source control and CI are not in the customer data path. Your encrypted backups, receipts, and keys never touch GitHub infrastructure. When the agent and verifier repos go public, they move to Codeberg (DE).

Honest caveats.

AMD designs the x86 and SEV-SNP silicon that Scaleway's servers run. AMD is a US company. The CPUs are physically located in French data centres operated by a French company. The distinction matters: hardware design origin is not the same as operational jurisdiction. No European chip vendor offers equivalent confidential-compute attestation today.

GitHub hosts source code and runs CI. It is not in the customer data path, but it is in the supply chain. The plan is to migrate the public-facing repos to Codeberg (DE) when the agent goes open source. Until then, reproducible builds and minisign signatures let you verify released binaries independently of where the source is hosted.

Why publish this.

"EU-only" is easy to claim and hard to verify without a list. Publishing the full inventory means your security team can cross-check every vendor against their own requirements before signing a DPA. If a component changes, this page updates first.

Verification keys and signing fingerprints live on the trust page.