Belgian operators ask compliance questions early. The answers below are the ones we'll actually defend in a meeting. Where we're catching up, we say so. Where we're solid, we say what's signed and shipped. Compliance is a product feature, not a marketing strip.
Mixed today: client systems run on EU regions (eu-west, eu-central) when the buyer asks; some model APIs (Anthropic, OpenAI) still touch US infrastructure depending on the endpoint. If your project needs EU-only from day one, we configure it.
A standard GDPR Article 28 DPA is in preparation. We share the current draft on request once we're scoping an engagement together, after counsel review. We don't publish a self-serve PDF until the language is enforceable.
The Act is in force; obligations land in waves through 2026–2027. We can flag risk-tier classification on Audit deliverables and we're building it into the Build template. If a system you're scoping looks like it might land in High-risk or GPAI territory, we'll say so before we contract.
Client data is encrypted in transit and at rest, never used to train models (we contract this with the model providers we use), and exportable on request at any time. Standard GDPR rights are wired into the DPA: access, rectification, erasure and portability, with Article 12 timelines.