Ethical Tech

Building an EU-Residency AI Stack for a Small Consultancy

The companion to the AI Act guide: where do you actually send your client data if you would rather not send it through US infrastructure? A practical look at the EU and Swiss AI tools a small consultancy can run in 2026, with the trade-offs visible.

15 May 2026 · 12 min read · By Sophie Kazandjian

Building an EU-Residency AI Stack for a Small Consultancy

The companion to my AI Act guide. Where do you actually send your client data if you would rather not send it through US infrastructure?

There is a question the EU AI Act has put in front of small businesses that most of us were not asking last year. Whether to use AI is largely settled, and quietly enforced by the fact that competitors and clients now assume you are. What is less settled is where your AI sends your client data, who has legal access to it, and whether the answer would withstand a polite query from a client who reads their GDPR.

For a long time, the practical answer was "US tools, mostly, and we will worry about the legal layer if it ever comes up." That answer is wearing thin. The US CLOUD Act gives American authorities a route to data held by US-headquartered companies regardless of where the servers physically sit. The AI Act adds vendor due diligence as an explicit deployer obligation from August 2026. And the gap between US and European AI tools, which used to be the reason everyone defaulted to American products, has narrowed enough that several categories now have credible European alternatives.

This is a guide to the AI stack I run for a small consultancy from southern France. EU residency for most of the work, with a documented exception for the hardest analytical tasks. It is not the puritan version. It is the version that compiles, ships, and would not embarrass me in a procurement conversation.

What "EU residency" actually means

EU residency turns out to be three different questions, and people run them together.

The first is where your data is processed. This is the part most documentation talks about. If you put a client's notes into a tool, those notes are sent to a server somewhere, used to generate a response, and held in logs for some period. EU residency in this narrow sense means the processing happens on servers physically located in the European Union, which in practice means running on European cloud infrastructure like Scaleway, OVHcloud, or Hetzner rather than AWS or Google Cloud.

The second is the legal jurisdiction of the company providing the tool. Servers in the EU do not protect you from US law if the company running them is US-headquartered. The CLOUD Act allows American authorities to require data from US companies regardless of server location. EU residency includes the question of who owns the company.

The third is the model provenance. A French company running a model trained on US infrastructure has a different exposure profile to a French company running a model it has trained itself. For most practical purposes, the corporate jurisdiction and the data processing location are what determine your compliance picture. Model provenance is a sovereignty question more than a legal one, though it does feed into the broader conversation about European technological independence.

For a small practice, three questions cover it. Where are the servers? Who owns the company that runs them? What does the privacy policy say about retention and training on your input?

The stack, organised by what you are doing

Layered illustration of an EU AI stack shown as architectural platforms within a Mediterranean interior, framed by twelve stars
The stack viewed as a built structure: a small set of specialised tools, deliberately layered.

I do not run one tool. I run a small set, each chosen for a specific job. The same logic I described in my 2026 AI stack: look for tools that do one thing well, not for all-in-one solutions.

For everyday research and writing: Mistral Le Chat

Mistral is French-headquartered, runs on EU infrastructure, and complies with GDPR by default rather than by configuration. Le Chat has a Deep Research mode that produces proper citation work, comparable in quality to what Perplexity offered before its ownership and ethics became unignorable. For drafting articles, summarising documents, working through arguments, and most of the daily volume of small-business AI use, this is now my first call.

The model is good. A year ago this paragraph would have been a longer apology for the capability gap. The gap has closed enough that the conversation is now about workflow preference rather than capability.

For privacy-first conversation without an account: Proton Lumo

Proton's AI assistant, launched in 2025, is Swiss-based and inherits Proton's wider privacy architecture. End-to-end encryption, zero conversation logs by default, no training on user input. For the kind of work you would not want to put into a US tool and would also rather not link to a long-running account history, Lumo is the cleanest option I have found. It is not the strongest model on the market, but the privacy posture is. Use it when the question is sensitive and the answer does not need to be brilliant, just sound.

Switzerland is not in the EU, but it has an adequacy decision from the European Commission for data transfers, and its data protection law was aligned with GDPR in 2023. For most small-business compliance purposes, a Swiss-headquartered tool sits inside the same regulatory picture as an EU one.

For environmental priorities: GreenPT

GreenPT runs smaller, open-source models on renewable-energy infrastructure. The accuracy is lower than the frontier tools, which the team is open about. I use it for low-stakes drafting where I want the energy footprint to be small and the result will be reviewed anyway. It is also the only AI I have used where the environmental positioning is honest rather than marketing-led. I keep it in the stack because I want the approach to succeed, and the models will improve as the underlying open-source work matures.

For an alternative EU assistant: CamoCopy

CamoCopy is a German-based privacy-first AI assistant that runs open-source models (LLaMA, DeepSeek, Mistral) on EU infrastructure. Chats and files are encrypted, data is anonymised by default, and the company explicitly does not train models on your input. Functionally it sits in the same space as Mistral Le Chat: an EU-resident ChatGPT alternative with built-in search. The model choice and feature set are different enough that it is worth trying both and picking the one whose register suits your work.

For developer-level routing across many models: EUrouter

EUrouter is a Netherlands-based API gateway that gives you access to over 100 AI models, including Claude, GPT-5, Mistral, LLaMA, and DeepSeek, through a single endpoint with guaranteed EU-only data routing and zero retention. Useful if you build things on top of AI rather than only chat with it. The pitch is the same as OpenRouter, but with the data plane kept inside the EU. For most small consultancies this lives in the "useful to know exists" category rather than daily use, but if you write code or build internal tools, it removes the data residency question from the technical decision.

For in-browser AI: Brave Leo, with Claude in Chrome inside Brave

Brave Leo is US-jurisdiction but has zero data retention by design. The privacy architecture is strong, and the integration with the Brave browser means it runs inside an already privacy-hardened browsing context. For most in-browser tasks, summarising a page, asking a question about an article, drafting a quick reply, Leo is enough and the trade-off is acceptable. I have written more about the browser side of this in my piece on privacy-first browsing for business.

For agentic tasks (clicking, navigating, filling forms across pages) Claude in Chrome is currently the only thing that works reliably, and it runs inside Brave with the same browser-level protections. The US exposure for Claude here is real and worth documenting in your AI inventory, but for occasional use within a Brave session it is a defensible compromise.

For the hardest analytical work: Claude, the documented US exception

Multi-step reasoning across long documents, structured-data analysis, and writing that needs to hold a precise voice across thousands of words are still meaningfully better on Claude than on any EU-residency tool I have tested. I use Claude with no identifiable client data, with the zero-retention workspace setting on, and with a documented justification in my AI inventory under Article 13 of the AI Act. If a regulator or client asks why a US tool sits in an otherwise EU-residency stack, I can answer in one sentence and point to the inventory.

The fuller context for that decision is set out in Why I cancelled ChatGPT. The short version: Anthropic has held a public ethical line that OpenAI conspicuously has not, including refusing demands that would have compromised model behaviour for political purposes. That history is not a guarantee of future conduct, but it is the strongest one currently on offer from a frontier AI provider. I treat the Claude exception as conditional rather than permanent, and I review it.

What the pure EU/Swiss version would look like

If you wanted no US tools in your AI stack at all, here is what that looks like in practice in 2026.

Mistral Le Chat for research, drafting, and most analytical work. Proton Lumo for privacy-sensitive conversation. CamoCopy as a second EU-hosted option when you want a different model under the hood or a different feature set. GreenPT for low-stakes drafting where you want the smallest possible environmental footprint. EUrouter for any code or internal tools you build that need AI access. For in-browser AI, a self-hosted assistant running on local hardware, or one of the early European browser-AI projects rather than Brave Leo.

What you give up is real. Long-context analysis becomes noticeably harder. Mistral's context window is improving but still trails Claude on the most demanding documents. Agentic browser tasks become impractical; the EU options are early and brittle. Image generation has no strong EU answer at this point, so you would either commission human work or accept a US exception there as well. Multi-step coding work is still better on Claude or on certain specialised US tools.

The pure version is a viable choice for a one-person practice that does not lean heavily on any of those harder categories. For consultancies whose work depends on them, the mixed stack with documented exceptions is the more sustainable answer.

Where the EU gaps still are

Three places where the European options have not yet caught up.

Image generation remains weak. The leading tools are American (Midjourney, OpenAI, Google Gemini) or Chinese, with separate sovereignty concerns. Mistral has image work in development and several smaller European efforts exist, but the gap is significant. For client-facing illustration I use Leonardo selectively, with a documented exception, and otherwise commission human illustrators when the work warrants it.

Long-context analytical work is still better on Claude. By that I mean feeding the model a hundred-page report and asking for a structured analysis that holds detail across the whole document. Mistral can do shorter versions of this well, but on the most demanding work the gap remains.

Agentic browser tasks (booking, navigating, filling forms across pages) are functionally a Claude-in-Chrome capability at the moment. The European alternatives are early and not ready for daily reliance.

Being clear about where the gaps are is part of the work. A stack that pretends every problem is solved sets people up for the wrong kind of surprise.

How to start migrating

If your current setup is "ChatGPT, paid", the migration is structurally similar to what I described in Why I cancelled ChatGPT. Export your project context, ask the model to summarise everything it knows about how you work, then recreate the equivalent in Mistral Le Chat or Claude with that summary as the starting point.

If your setup is more scattered, start with the highest-volume use case. For most small consultancies that is drafting and summarising. Move that work to Mistral Le Chat. Use it for two weeks. The model will not feel the same; it has its own register and you will need to adapt your prompts. Stick with it through the discomfort. After two weeks the question of whether you can do your work on EU-residency tools becomes practical rather than theoretical.

Once drafting is settled, take the next category. Research with citations: also Mistral, in Deep Research mode. Sensitive conversation: Proton Lumo. In-browser work: install Brave and use Leo. Each migration is small. The cumulative effect is a stack that answers the vendor due diligence question cleanly.

Document what you are doing as you go. Not in a fifty-page policy. A simple one-page note that lists each AI tool, where its data is processed, what corporate jurisdiction applies, and what you use it for. That single page is most of what the AI Act expects of you under the deployer obligations, and it converts the migration from a vague intention into something you can show.

The wider compliance picture

Six tone-coloured cards arranged on a stone shelf in a Mediterranean interior, with twelve gold stars above representing EU sovereignty
Six tools, each chosen for a purpose, presented under the European framework.

The AI Act, GDPR Article 28 on processor agreements, and the Cyber Essentials scheme all push in the same direction. They want you to know where your data is, who has legal access to it, and what you would do if something went wrong. A stack built around EU-residency tools answers those questions more cleanly than a stack built around US tools.

This is not really about American versus European companies being better people. Plenty of US AI companies behave well, and plenty of European ones will eventually behave badly. The structural point is about law. EU law treats data as something that belongs to the person it describes. US law treats data as something that belongs, in significant part, to the company that stores it, subject to government access. Those are different starting points, and the tools that grow from each tend to inherit those assumptions.

Choosing an EU-residency stack is a way of aligning your tooling with the legal framework you already operate under. It does not solve every AI Act obligation. The deployer responsibilities are about how you use AI, not only which AI you use. What it does do is remove a category of vendor due diligence problem that becomes much harder to defend after August 2026.

For a small consultancy, the work compounds. The same one-page AI tool inventory that satisfies the AI Act also feeds the Article 28 processor mapping under GDPR, which in turn becomes part of the documentation you produce for a Cyber Essentials assessment. Build it once, use it three times.

Where this leaves the question of US tools

Claude is still in my stack. It is the documented exception now, not the unexamined default. That feels closer to honest, and it would withstand a procurement question without rehearsal.

For a year I assumed the European tools would always trail the US tools by enough that it was not worth the effort. That assumption no longer survives contact with current versions of Mistral, Proton Lumo, and the broader open-source work they sit on. The version of this article I would have written eighteen months ago would have been a longer apology. What I am writing now is closer to a recommendation.

This work is exactly the kind of operational realignment I do with clients as part of digital operations readiness. If you would like a calm second pair of hands on it, that is what the practice is for.

FAQs

Is using a US AI tool a breach of the EU AI Act?

No. The Act regulates how AI is used, not where the provider is based. What you do need to consider is the AI Act's vendor due diligence and transparency obligations as they apply to your use case, separately from the GDPR data residency questions which apply regardless of which AI you use. The point of an EU-residency stack is to make those obligations easier to satisfy, not because the rules forbid US tools.

What is the difference between Mistral Le Chat and Claude?

Mistral Le Chat is French-headquartered, EU-resident, GDPR-compliant by default, and has a strong Deep Research mode for citation-led work. Claude is US-headquartered, more capable on the most demanding multi-step reasoning and long-context analysis, and has an ethics record that is currently the strongest among frontier US AI companies. For most small-business work, Mistral is enough. On the hardest analytical work, Claude still has an edge, which I treat as a documented exception in my own stack.

Is Brave Leo really safe to use given Brave is US-based?

Brave is US-headquartered, so the CLOUD Act exposure exists in principle. In practice, Brave Leo has zero conversation logging by default, which means there is very little data for any authority to access. That is a different posture from a tool that holds your conversations for thirty days or trains on your input. For most in-browser tasks the trade-off is acceptable; for highly sensitive work, Proton Lumo is the cleaner choice.

I run a UK business. Does any of this still apply to me?

Yes. The EU AI Act has extraterritorial reach in the same way GDPR does, so UK consultancies serving European clients are in scope. The data residency questions are addressed by the UK GDPR, which mirrors the EU framework. For practical purposes, the same stack works, and an EU-residency tool is treated as a low-friction transfer under the UK adequacy framework.

Do I have to migrate everything at once?

No. The most sustainable approach is to migrate one use case at a time, starting with the highest-volume work. Drafting and summarising first, then research, then sensitive conversation, then in-browser tasks. Each migration is small. The compound effect across a few months is a stack that answers the compliance questions cleanly.

What about ChatGPT? Can I keep using it on a separate workspace?

You can, and the AI Act will not prevent you. The bigger question is whether you want to. I cancelled ChatGPT for reasons set out in Why I cancelled ChatGPT. If you do keep it, run it on a paid workspace with the training-opt-out and zero-retention settings on, treat it as a documented US exception in your AI inventory, and review the decision regularly.

Where do I document my AI choices?

A one-page note is usually enough for a small consultancy. List each AI tool, the country it is based in, the corporate jurisdiction, where data is processed, whether it trains on your input, and what you use it for. Update it when something changes. That note satisfies most of the AI Act deployer documentation requirements, feeds straight into a GDPR Article 28 processor mapping, and forms part of a Cyber Essentials submission. I have a template version that pairs with the AI use policy from my AI Act guide.

Back to the Journal