// security & compliance

Compliant by architecture, not by policy.

Compliance here isn't a checkbox or a setting — it's a property of how the platform is built. Zero logs, EU-only processing, and nothing of yours ever trains a model.

// zero logs

Your data passes through. It never stays.

A request enters one EU endpoint, is answered in memory, and the response streams back. Then it's gone — no prompt, no completion, nothing retained.

Processed · transient
  • Your prompt — in memory, in the EU
  • Model routing & inference
  • The completion streamed back to you
Stored · for billing only
  • API key metadata
  • Aggregate request & token counts (for billing)
Never stored
  • Prompts
  • Completions
  • Your documents or code
  • Anything that trains a model

// regulatory coverage

The regulation, and how we meet it.

The frameworks that decide where European AI workloads can run — and what the architecture does about each one.

EU AI Act

Enforcement Aug 2, 2026

Governance, transparency and risk obligations for AI systems used in the EU.

Helmcode: Zero training on your data, EU-only processing and a traceable, auditable stack — compliant by architecture, before the deadline.

GDPR

In force

Personal data of EU residents must be processed lawfully and kept in-region.

Helmcode: Inference runs exclusively on EU infrastructure with zero logs. No prompt or completion is ever persisted.

DORA

Financial sector · in force

Operational resilience and third-party risk controls for EU financial entities.

Helmcode: Dedicated and on-premise deployments with full isolation, contractual SLAs and an auditable supply chain.

US Cloud Act

Out of scope

Compels US-headquartered providers to hand over data — even when stored in an EU region.

Helmcode: Helmcode infrastructure is EU-owned and EU-operated, outside US jurisdiction. The Cloud Act does not reach it.

// the residency trap

An EU region isn't EU sovereignty.

A hyperscaler's EU-West region keeps your bytes in Europe — but the company operating it answers to US law. That's the gap GDPR cares about, and it's the whole reason Helmcode exists.

Hyperscaler · EU region

Operated by a US-headquartered company

Subject to the US Cloud Act, despite EU storage

Data can be compelled out of region

Helmcode · EU

EU-owned and EU-operated infrastructure

Outside US jurisdiction — Cloud Act doesn't reach it

Processed in-region, with zero logs

// controls

How it's enforced.

Compliance you can point to — concrete controls built into the platform, not promises in a policy doc.

EU-only processing

Every request is served inside the EU — never routed to a US hyperscaler.

Zero retention

Prompts and completions are processed in memory and discarded. Nothing is logged.

No training on your data

Your prompts, documents and code never enter a training set. Ever.

Network isolation

Dedicated and on-premise deployments run fully isolated — air-gappable for the strictest needs.

Encryption in transit

TLS 1.3 on every connection to the API, end to end.

Scoped API keys

Per-key RPM and concurrency limits, revocable instantly from the console.

// ai act

Enforcement starts August 2, 2026.

Non-compliance carries fines of up to 7% of global annual revenue. With Helmcode you're aligned by architecture today — no migration, no scramble before the deadline.


// trust & documentation

The paperwork your team needs.

Everything legal, security and procurement ask for — available on request.

Data Processing Agreement

GDPR-compliant DPA, ready to sign.

Security overview

Architecture, controls and data-flow documentation.

Sub-processor list

Every party in the chain, and where they operate.


// security faq

Security, answered.

What legal, security and compliance teams ask before approving Helmcode.

Do you store my prompts or completions?

No. Inference is processed in memory and discarded — zero logs. We retain only API-key metadata and aggregate request and token counters for billing. No prompt, completion, document or line of code is ever persisted.

Isn't an EU region on AWS or Azure enough for GDPR?

Not on its own. A US-headquartered provider remains subject to the US Cloud Act even when data sits in an EU region — which conflicts with GDPR. Helmcode runs on EU-owned, EU-operated infrastructure that is outside US jurisdiction.

Do you train models on my data?

Never. Nothing you send is used to train or fine-tune any model. Your data is yours; we only run inference on it and return the result.

How does Helmcode help with the EU AI Act?

The architecture already meets the substance of the obligations — EU-only processing, no training on your data, zero logs and a traceable stack — so you are compliant by design well before enforcement begins on August 2, 2026. See the AI Act guide for the detail.

Can I get a DPA and security documentation?

Yes. We provide a GDPR-compliant Data Processing Agreement, a security overview and our sub-processor list on request. Reach out and we will share them.

Where is inference physically processed?

On Helmcode EU infrastructure. On dedicated and on-premise deployments it runs on hardware reserved for you — or inside your own datacenter, air-gappable if required.

// get started

START BURNING TOKENS

Skip the AI infra work. Deploy your first private inference endpoint today.

Flat rate. EU data. OpenAI API compatible.