Data residency & GDPR
Everything a sandbox is made of - its compute, its files, its snapshots, its volumes - lives in the European Union, on infrastructure operated by EU companies. This is not a region you request or a paid add-on; it is the only way the product runs. This page is written to be forwarded to your DPO.
Who operates the service
orkestr is operated by WhiteCloud Project S.R.L., a company registered in Romania (EU). For personal data your workloads process, you are the controller and we act as processor - see the privacy policy and data processing addendum. A signed GDPR DPA is available on request.
Where sandboxes run
Sandboxes are placed in one of our EU regions - you can pin one with the region parameter at create time, or let the control plane pick. The authoritative, current list is returned as regions by GET /v1/sandboxes/limits; the sandbox fleet today runs in three regions across three countries and two providers:
| Region id | Location | Data-center operator |
|---|---|---|
| fsn1 | Falkenstein, Germany | Hetzner Online GmbH |
| hel1 | Helsinki, Finland | Hetzner Online GmbH |
| rbx | Roubaix, France | OVH SAS |
Where each kind of data lives
- Running sandbox (memory, workspace) - in the VM's RAM on the host in your region. Destroyed on terminate.
- Pause snapshots - on the host's local storage in the same region, reclaimed after the tier's retention window.
- Persistent volumes - a disk on the sandbox host in the volume's region, with durable checkpoints in EU object storage operated by Hetzner. A volume never changes region unless you explicitly move it.
- Custom template images - stored in EU object storage and cached on EU hosts.
- Logs, metrics, and audit events - processed and stored on our EU infrastructure.
The data path
API traffic terminates TLS at our CDN (BunnyWay d.o.o., an EU company) and is served by our EU backend. There is no US hyperscaler in the data path: no data of yours is stored with a provider subject to the US CLOUD Act. The full list of vendors that touch any customer data - all EU entities - is maintained on the subprocessors page.
off; in restricted mode, code can reach only the allowlisted hosts you accept - so whether workload data leaves the EU (for example, by calling a US-hosted model API from inside a sandbox) is under your control, not a side effect of the platform.Deletion
Terminating a sandbox destroys its VM, memory, and workspace immediately; its pause snapshot, if any, is deleted with it. Deleting a volume or template removes the data and its object-storage copies. Account deletion runs a full GDPR erasure pipeline across compute, storage, and backups - described in the privacy policy.
Questions
Compliance questionnaires, DPA requests, or anything your legal team needs: contact us - privacy inquiries route to the operator directly.