where the work runs
Compute in Germany, data in the EU, by default — not on request.
Agentation's orchestration runs on Hetzner in Germany, and persistent state lives in Supabase's EU region. There is no US fallback, no 'enterprise tier unlocks EU hosting' upsell, no quiet routing through a North American availability zone when load spikes. Data residency isn't a checkbox you negotiate for — it's where the product physically is. That distinction matters under GDPR, because residency you have to ask for is residency you have to keep proving.
- Orchestration compute: Hetzner, Germany — inside the EU, not edge-cached out of it.
- Persistent data: Supabase EU region — accounts, projects, task state.
- No US fallback path: nothing silently fails over across the Atlantic under load.
the custody question
Your code stays in your GitHub. We never hold a copy.
The hardest part of 'GDPR-compliant AI development' isn't the marketing — it's custody. Most agentic tools clone your repository onto their servers to work on it, which makes them a processor of whatever lives in that code: secrets, customer data in fixtures, regulated logic. Agentation inverts it. Agents operate against your own GitHub, on your own AI subscription, through worktrees and pull requests in your account. The source of truth never relocates to us. We orchestrate the work; we don't warehouse the asset.
- Agents commit through your GitHub org, not a mirror on our infrastructure.
- Runs on your existing AI plan — your model provider relationship, your terms.
- We can't leak a copy of your codebase because we don't keep one.
lawful basis, not vibes
GDPR is about who controls the data — agents change that math.
GDPR doesn't care that an AI wrote the code; it cares who acts as controller and processor, where personal data flows, and whether a transfer outside the EEA has a lawful basis. A US AI build platform usually makes you the controller of an undocumented export — your prompts may carry personal data, your repo may carry it in plain sight, and the chain of sub-processors is opaque. Keeping the compute, the storage, and the code custody inside the EU collapses the transfer problem at the source, instead of papering over it with Standard Contractual Clauses after the fact.
- No Chapter V transfer to defend when the data never leaves the EEA.
- A short, legible sub-processor chain instead of an opaque US stack.
- Article 28 processor obligations are easier to honour when residency is the default.
the gate that proves it
The Tech Lead encodes your compliance rules into every agent.
Residency answers 'where', but GDPR-grade development also needs 'how': no secrets in commits, no personal data hard-coded into fixtures, no regulated logic shipped unreviewed. That's the Tech Lead's job. You encode your standards once — security policy, data-handling rules, your sector's constraints — and every agent boots inside them. Deterministic gates run before anything reaches production: a secrets scan, lint, types, tests, a security pass. So compliance stops being a quarterly audit you dread and becomes a structural property of the pipeline: green, or it doesn't land.
- Secrets scan blocks credentials and tokens before a push, not after a breach.
- Data-handling rules encoded once apply to every future agent automatically.
- Every change ships through your GitHub PR flow — a real, auditable trail.
who this is for
Built for teams who can't hand-wave the data-protection question.
If you sell to European enterprises, work in a regulated sector — health, public sector, finance — or simply take your users' privacy seriously, 'the AI tool we use ships everything to a US cloud' is not an answer you can give a DPO, a procurement team, or a regulator. Agentation lets a product owner annotate the live product and ship real features with AI, while the data-protection story stays clean: EU in, EU out, code in your custody, an auditable trail behind every change.
- Sell into the EU without a transatlantic data-export footnote in every deal.
- Give your DPO a short answer: EU compute, EU data, code in our own GitHub.
- Move at AI speed without trading away the compliance posture you've earned.
FAQ
Does my code or my users' data ever leave the EU?
The orchestration runs on Hetzner in Germany and persistent state lives in Supabase's EU region, with no US fallback path. Your code itself stays in your own GitHub the entire time — agents work against your repository on your own AI subscription, so the source of truth never relocates onto our infrastructure at all.
Isn't using any AI model already a transfer outside the EEA?
That depends on your model provider, and it's a relationship you keep control of: Agentation runs on your existing AI plan rather than reselling a model behind ours. You choose the provider and the terms — including EU-region inference where they offer it — and Agentation orchestrates around that choice instead of forcing prompts through a stack you can't see.
How is this different from a US tool that 'offers EU hosting'?
Residency you have to request, on a higher tier or via a support ticket, is residency you have to keep proving — and one that can silently fail over across the Atlantic under load. Agentation is EU-by-default: there is no US region to fall back to and no copy of your codebase on our servers, so the compliance answer doesn't change with your plan or your traffic.
Does Agentation make us GDPR-compliant on its own?
No tool can — compliance is about your whole processing, not one vendor. What Agentation removes is the hardest part: the undocumented transfer and the loss of code custody that most AI build tools introduce. It also lets your Tech Lead encode data-handling rules and a secrets scan into every agent, so the development pipeline stops working against your DPO and starts producing an auditable trail.
Who is the controller and who is the processor here?
You remain the controller of your code and your users' data — it lives in your GitHub and your EU data store, under your terms with your AI provider. Agentation acts as a processor for the orchestration state it holds in the EU, with a deliberately short sub-processor chain, so the Article 28 picture stays legible instead of fanning out into an opaque US stack.