Digital Sovereignty & EU Procurement
AIonicOS is a single-tenant AI platform operated exclusively in the EU — aligned with BSI C5, the BSI C3A criteria and the EU Data Act. Built for public-sector buyers, regulated industries and sovereignty-conscious Mittelstand whose procurement now scores sovereignty as a weighted gate.
Sovereignty is becoming measurable. The BSI C3A criteria (Criteria enabling Cloud Computing Autonomy), published in April 2026, let buyers assess cloud sovereignty objectively across six domains — from strategic and legal to technological autonomy. C3A is a voluntary BSI assessment framework, not a certificate, and it builds on the established, audited BSI C5 baseline and the EU Cloud Sovereignty Framework. Procurement teams are increasingly translating exactly these domains into weighted award criteria.
The rulebook is already live. The EU Data Act has applied since 12 September 2025 — including the Chapter VI switching and portability rights: a maximum two-month notice period, an obligation to remove switching obstacles, and a ban on switching charges from January 2027. Under the EU AI Act, GPAI, governance and transparency obligations have applied since 2 August 2025. Vendor lock-in is therefore no longer a commercial footnote but a regulatory risk that surfaces during qualification.
The core risk now has a name. The BSI lists 'Cyber Dominance' as a distinct threat category: the ability of market-dominant providers to retain permanent access to customers' systems and data. Add the third-country access exposure: the US CLOUD Act follows control over the provider, not the storage location — an EU data centre alone does not cure it. The EDPB and EDPS hold that providers subject to EU law cannot lawfully satisfy such disclosure requests. Sovereignty is decided by architecture, not by the map.
Each row mirrors a domain that procurement officers and CISOs assess. On the left the procurement requirement, on the right the concrete AIonicOS mechanism — verifiable, not asserted.
The full stack runs per customer on a dedicated EU host — its own Postgres, its own vector and cache layers, its own object store. There is no shared data plane for a third country to subpoena or an operator to silently override.
Violations fail at preflight (HTTP 409, before any spend) and at runtime. `?preflight=skip` technically cannot bypass residency FATALs, and every skip attempt is audited. The fully-EU model path (Mistral FR + Ollama) removes any US CLOUD Act nexus for inference — provable by audit log.
Every LLM call produces a cost row in EUR, every governance event a structured row in `notification_log`, every workflow a full Temporal event replay. That delivers the end-to-end, SQL-queryable evidence trail that record-keeping duties and GDPR accountability demand.
Initiatives such as ZenDiS with its open-source suite openDesk, the German public-sector cloud strategy and Gaia-X are driving the market. It is also reported that a German Telekom/SAP consortium was first-ranked for a sovereign federal AI platform (Deutschland-Stack, reportedly around €250M). AIonicOS is aligned with exactly this sovereignty trajectory — as a platform you control yourself.
AIonicOS runs exclusively in certified data centres within the European Union. Your tenant operates on dedicated resources (single-tenant), and data never leaves the agreed EU legal jurisdiction – including for backups or telemetry.
No. In single-tenant mode, model inference and data pipelines are fully tenant-isolated. startvisor.AI operations staff receive only time-limited, logged break-glass access for incident response – never routinely and never for AI training.
AIonicOS exports all workflow definitions, model artefacts, and operational data in open standard formats (YAML, JSON, OCI images). A documented exit plan with defined data-portability SLAs is part of every enterprise contract, addressing the EU Data Act's switching and portability rights requirements.
AIonicOS is designed to align with EU AI Act requirements: embedded human-in-the-loop design, immutable audit logs, explainability modules, and risk-classification workflows. We do not certify conformity for your specific application – that responsibility lies with you as the deployer – but we provide the technical prerequisites for structured compliance documentation.
Our operational infrastructure uses ISO-27001-certified data centres. AIonicOS itself is on a path toward its own certification; current evidence includes penetration test reports, GDPR processing records, data processing agreement templates, and technical security documentation. For formal procurement procedures we provide a complete qualification evidence package on request.
In 30 minutes we walk through your procurement and sovereignty criteria — data residency, third-country exposure, the EU Data Act exit path and the evidence your qualification process demands. You leave with a clear mechanism map, not slides.
AIonicOS is compliance-enabling and aligned with recognised frameworks (including BSI C5, the BSI C3A criteria, the EU Cloud Sovereignty Framework, the EU Data Act and the EU AI Act) — this is neither a certification nor legal advice. The BSI C3A criteria are a voluntary assessment framework, not a certificate; AIonicOS is not represented as 'C3A certified'. Regulatory classification of your specific application remains with you as the controller; startvisor.AI acts as an Art. 28 GDPR processor and is not a law firm. Any cost figures are estimates.
