Hosting, Infrastructure & Subprocessors
Our Germany-First Approach
We are committed to hosting all data and services in Germany. We actively work toward this goal and continuously migrate workloads to German data centers.
However, we are transparent: not every service can be hosted in Germany today. Some components rely on EU-based providers whose infrastructure is located in other EU countries such as Ireland or the Netherlands. We are actively working to change this wherever possible.
What we guarantee:
- All data is processed and stored exclusively within the European Union
- No data ever leaves the EU — under any circumstances
- Where possible, we choose Germany as the primary hosting location
- We never use providers outside the EU, regardless of contractual safeguards
For organizations with the highest data sovereignty requirements, we offer additional flexibility:
- On-premises data storage: Sally AI can store data in the customer's own database (MS SQL) on-premises — so your data never leaves your own infrastructure
- Customer-provided LLMs: If your organization operates its own language models, Sally AI can be configured to use them exclusively instead of Azure OpenAI — ensuring that no data is sent to external AI services
Where Your Data Lives
| Provider | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure | EU — Germany/Netherlands |
| Microsoft Dynamics 365 | CRM | EU — Germany (Frankfurt) |
| Amazon Web Services (AWS) | Audio/video distribution (CDN) | EU — Germany/Ireland |
| DeepL | Translation | EU — Germany |
| Stripe | Payments | EU — Ireland |
| Strato | Web hosting | EU — Germany |
| Azure OpenAI | AI services via Azure | EU — Sweden |
The continuously updated full subprocessor list is maintained in Annex 3 of the DPA.
Azure OpenAI – AI Processing Within the EU
For our AI-powered features such as transcription analysis and meeting summaries, we use Microsoft Azure OpenAI Service. A key advantage of Azure OpenAI is that the customer can choose the hosting region — unlike many other AI providers where the data center location is not transparent or configurable.
We have deliberately chosen an EU-based region for our Azure OpenAI deployment to ensure full GDPR compliance. This means:
- All AI processing happens within the European Union
- Your meeting data, transcripts, and prompts are never sent to servers outside the EU
- All personal data is masked before it reaches the LLM — the AI only processes anonymized content, never identifiable information
- Microsoft guarantees that data submitted to Azure OpenAI is not used to train or improve OpenAI models
- The service operates under Microsoft's EU Data Boundary commitment
This deliberate choice of an EU hosting region is a central part of our data protection strategy — ensuring that even advanced AI features comply with the highest European privacy standards.
Contractual Safeguards
- Data Processing Agreements (DPAs) are in place with all subprocessors — their obligations mirror the main DPA
- Standard Contractual Clauses (SCCs) are not required because no data leaves the EU
- Any future exception would require explicit customer agreement and full compliance with GDPR Articles 44–49
Transparency & Your Review Rights
- Advance notice and right to object to any subprocessor changes
- Audit and inspection rights — including access to certifications and third-party audit reports
- Full transparency about where your data is processed at all times