Agentation
the legal question

AI coding compliance in the EU.

Vibe coding works. Then legal asks where your source code went, what personal data the agent saw, which US company processed it, and whether you can prove any of it. For a European company those are not nice-to-haves — they decide whether you can ship the thing at all. Compliance isn't a checkbox you add at the end; it's the architecture, and most AI coding tools have the wrong one.

the real exposure

The risk isn't the AI. It's where your code and your data go.

When an agent generates a feature, three things leave the building: your proprietary source code, the prompts your team wrote, and, often, the personal data embedded in test fixtures, logs, and schemas. With most tools, all of that flows to a US-hosted model behind a US cloud. For the personal data in that stream, GDPR treats the flow as a third-country transfer; for all of it, the US CLOUD Act makes the data reachable by a US authority regardless of where the server sits. The model writing your code is rarely the problem. The plumbing around it is.

  • Source code is a trade secret — once it's in someone else's cloud, custody is gone.
  • Personal data in fixtures and logs makes the tool's vendor a data processor you never assessed.
  • A processor under US jurisdiction (US-owned or US-headquartered) is within CLOUD Act reach even on EU-located servers.
residency ≠ sovereignty

EU data residency is necessary, not sufficient.

'Our servers are in Frankfurt' is a residency claim, and it matters: GDPR Chapter V prohibits transferring personal data to a third country without a lawful mechanism (an adequacy decision, or SCCs backed by a transfer impact assessment). But residency only says where the bytes sit. Sovereignty asks who can compel access to them. A US-owned provider hosting in the EU still falls under US extraterritorial law. So the honest question for any AI coding tool is two-part: is the data in the EU, and is the entity that controls the tooling outside the reach of a foreign disclosure order?

  • Residency = where the data lives. Sovereignty = who can legally reach it.
  • Schrems II killed Privacy Shield; neither its 2023 successor, the EU-US Data Privacy Framework, nor SCCs change what the CLOUD Act can compel.
  • A DPA and a named sub-processor list are the minimum paper trail, not the whole answer.
the only way through

The Digital Native Method makes compliance structural, not manual.

You can't audit your way out of an architecture that leaks. The fix is a method: a Product Owner describes intent on the live product, a Tech Lead encodes the rules once, compliance rules included, and agents deliver inside a structure that verifies everything before production. Deterministic gates run lint, types, tests and a security/secrets scan on every change. Nothing reaches prod unchecked, and every decision is logged. Compliance stops being a quarterly scramble and becomes a property of how software is built.

  • Encode residency, retention and security rules once — agents can't ship outside them.
  • Secrets and security scans gate every change, so a key or PII in a diff blocks the merge instead of shipping.
  • Every spawn, review and merge is logged — an audit trail you can hand to a DPO.
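What a deterministic secrets/PII gate over a change actually looks like, as an added illustration for the gate described above (and referenced again in the FAQ on proving compliance). This is example code written for this page, not Agentation's implementation: the rule set, the entropy cutoff, the `gate:allow` marker and the sample diff are all constructed for the demo. The gate parses a unified diff, scans only the added lines, and returns findings with the file and new-file line number, so the verdict is the same for the same diff every time.

```python
"""Deterministic secrets/PII gate over the added lines of a unified diff.

Illustrative code written for this article, not Agentation's implementation.
The rule names, the entropy cutoff, the `gate:allow` marker and the sample
diff below are all constructed for the example.
"""
import math
import re
from dataclasses import dataclass
from typing import Iterator

# Hypothetical rule set: one regex per finding kind. Real scanners ship
# hundreds of rules; these are enough to show the shape of the gate.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "email_pii": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
}
# A secret-looking name assigned a long token; reported only if the token is
# high-entropy, so documented placeholders such as "xxxx..." pass.
ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|api[_-]?key)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_-]{20,})"
)
ENTROPY_THRESHOLD = 3.5          # bits per character; hypothetical cutoff, tune per codebase
ALLOWLIST_MARKER = "gate:allow"  # hypothetical inline marker for reviewed fixtures


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int   # line number in the new version of the file
    rule: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((k / n) * math.log2(k / n) for k in (s.count(c) for c in set(s)))


def added_lines(diff_text: str) -> Iterator[tuple[str, int, str]]:
    """Yield (path, new_line_number, text) for every '+' line in a unified diff.

    Only added lines are scanned: a secret already in the repo is a separate
    cleanup job, and scanning context lines would re-report it on every
    unrelated change.
    """
    path, new_no = "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith(("diff ", "index ", "--- ")):
            continue
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            new_no = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            yield path, new_no, raw[1:]
            new_no += 1
        elif raw.startswith("-"):
            continue          # removed line: not present in the new file
        else:
            new_no += 1       # context line


def scan_diff(diff_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for path, no, text in added_lines(diff_text):
        if ALLOWLIST_MARKER in text:
            continue          # explicitly reviewed placeholder; the marker stays in the diff for auditors
        for name, rx in RULES.items():
            m = rx.search(text)
            if m:
                findings.append(Finding(path, no, name, m.group(0)))
        m = ASSIGNMENT.search(text)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, no, "high_entropy_secret", m.group(2)))
    return findings


def gate(diff_text: str) -> bool:
    """True = merge may proceed. Same diff in, same verdict out: no model involved."""
    return not scan_diff(diff_text)


# Constructed sample diff: Amazon's documentation placeholder key ID, a
# random-looking signing secret, an all-x placeholder, a reviewed placeholder,
# and a fixture with a fictional person's e-mail address.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,7 @@ DEBUG = False
 ALLOWED_HOSTS = ["app.example.eu"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+SIGNING_SECRET = "Zq8vR2mN7kP4wX1sT9bL6yH3"
+API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"  # injected from the vault at deploy
+DEMO_TOKEN = "placeholder-token-for-docs"  # gate:allow
 DATABASE_URL = env("DATABASE_URL")
-TIMEOUT = 30
+TIMEOUT = 60
diff --git a/tests/fixtures/users.json b/tests/fixtures/users.json
--- a/tests/fixtures/users.json
+++ b/tests/fixtures/users.json
@@ -1,3 +1,4 @@
 [
+  {"name": "Jean Dupont", "email": "jean.dupont@example.fr"},
   {"name": "Test User", "email": "test@example.com"}
 ]
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line_no} {f.rule}: {f.snippet}")
    print("merge allowed:", gate(SAMPLE_DIFF))
```

On the sample diff the gate blocks the merge with three findings (the key ID, the high-entropy secret, and the e-mail in the fixture) and stays silent on the all-x placeholder, the `gate:allow` line and the unchanged `test@example.com` context line. Two caveats a reviewer should keep in mind: the gate only knows the rules it was given, and an entropy cutoff alone misses low-entropy passwords such as dictionary words, which need a separate wordlist rule.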
custody by design

Your code stays in your GitHub, never in ours. Hosting and data stay in the EU.

Agentation is the software that makes the method real, and it's built custody-first. The orchestration runs on EU infrastructure, hosting in Germany (Hetzner), data in the EU (Supabase), and the code itself is never copied to us: agents read and write it through your own GitHub, on your existing AI plan, so whatever they send to the model travels under your contract with that vendor, not ours. We orchestrate; we don't take possession. That's the difference between 'trust our cloud' and 'keep your code, we coordinate the work around it', and it's the posture a European auditor actually wants to see.

  • Code stays in your GitHub repos; we never store a copy of your source.
  • Orchestration hosted in Germany, application data in the EU: GDPR by construction.
  • Runs on your own model subscription, so your terms with the model vendor still govern.
cocorico

Sovereign on the tooling, even when the models aren't.

Agentation is a French company, a team of French engineers. We're honest about what sovereignty means in 2026: nobody in Europe is fully sovereign on the frontier models — Claude, GPT and the rest are American. But with just a model you don't do much. The leverage is in the tooling that orchestrates the model, governs it, gates it, and decides where your code and data live. That layer can be European, and it's most of the value. Choosing a French orchestrator on EU infrastructure is how you stay sovereign on the part that's actually yours to control.

  • French company, EU hosting, EU data — a real jurisdictional answer, not a label.
  • You don't have to own the model to own the orchestration, the custody and the audit trail.
  • Sovereignty-on-the-tooling captures most of the value, because models alone do little.
FAQ
Is AI-assisted coding GDPR-compliant?

It can be, but the tool's architecture decides it — not a checkbox. GDPR compliance for AI coding means a Data Processing Agreement, a named sub-processor list, EU data handling, defined retention, and a lawful basis for any personal data the agent touches (think fixtures, logs, schemas). Agentation keeps source code in your own GitHub, runs orchestration on EU infrastructure, and logs every change, so the audit trail exists by construction.

What's the difference between EU data residency and data sovereignty?

Residency is where the data physically lives; sovereignty is which legal regime can compel access to it. A US-owned vendor hosting in Frankfurt gives you EU residency but not sovereignty, because US extraterritorial law (the CLOUD Act) can still reach that data. For a strong posture you want both: EU-located data and a non-US entity controlling the tooling.

Does the US CLOUD Act apply if the servers are in Europe?

Yes. The CLOUD Act lets US authorities compel a provider subject to US jurisdiction to produce data in its possession, custody or control, regardless of where the servers sit. That's why 'our cloud is in the EU' isn't a complete answer when the provider is American. Agentation is a French company orchestrating on EU infrastructure, and your code stays in your own GitHub, so there's far less for any single processor to be compelled to hand over.

Does Agentation see or store my source code?

No. Agents work through your own GitHub repositories on your existing AI plan; we orchestrate the workflow and never keep a copy of your source. The model vendor you subscribe to does see what the agent sends it, under your own terms with that vendor. The orchestration data we do hold (project state, tasks, audit logs) lives on EU infrastructure: hosting in Germany, data in the EU.

How do I prove compliance to an auditor or DPO?

Through the structure, not screenshots. The Tech Lead encodes your rules once; deterministic gates (lint, types, tests, secrets/security scan) run before anything reaches production; and every spawn, review and merge is logged. You hand the auditor a real, complete trail of who changed what, what was checked, and where the data lived — instead of reconstructing it after the fact.

Can I be sovereign if the underlying model is American?

Partially, and honestly that's most of what matters. Europe isn't sovereign on the frontier models today — but a bare model does little on its own. The orchestration, governance, gating, custody and hosting around it can be fully European, and that's where the leverage is. Agentation is a French company on EU infrastructure, which is how you stay sovereign on the layer you can actually control.

Ship AI-built software your DPO can sign off.

Get in line for first access