# Data residency & GDPR Everything a sandbox is made of - its compute, its files, its snapshots, its volumes - lives in the European Union, on infrastructure operated by EU companies. This is not a region you request or a paid add-on; it is the only way the product runs. This page is written to be forwarded to your DPO. ## Who operates the service orkestr is operated by **WhiteCloud Project S.R.L.**, a company registered in Romania (EU). For personal data your workloads process, you are the controller and we act as processor - see the [privacy policy](https://orkestr.eu/privacy) and [data processing addendum](https://orkestr.eu/dpa). A signed GDPR DPA is available on request. ## Where sandboxes run Sandboxes are placed in one of our EU regions - you can pin one with the `region` parameter at create time, or let the control plane pick. The authoritative, current list is returned as `regions` by `GET /v1/sandboxes/limits`; the sandbox fleet today runs in three regions across three countries and two providers: | Region id | Location | Data-center operator | | --- | --- | --- | | fsn1 | Falkenstein, Germany | Hetzner Online GmbH | | hel1 | Helsinki, Finland | Hetzner Online GmbH | | rbx | Roubaix, France | OVH SAS | ## Where each kind of data lives - **Running sandbox (memory, workspace)** - in the VM's RAM on the host in your region. Destroyed on terminate. - **Pause snapshots** - on the host's local storage in the same region, reclaimed after the tier's retention window. - **Persistent volumes** - a disk on the sandbox host in the volume's region, with durable checkpoints in EU object storage operated by Hetzner. A volume never changes region unless you explicitly move it. - **Custom template images** - stored in EU object storage and cached on EU hosts. - **Logs, metrics, and audit events** - processed and stored on our EU infrastructure. ## The data path API traffic terminates TLS at our CDN (BunnyWay d.o.o., an EU company) and is served by our EU backend. There is no US hyperscaler in the data path: no data of yours is stored with a provider subject to the US CLOUD Act. The full list of vendors that touch any customer data - all EU entities - is maintained on the [subprocessors page](https://orkestr.eu/subprocessors). > **Egress is your choice** > > A sandbox itself makes no outbound connections unless you enable them. The default network mode is `off`; in `restricted` mode, code can reach only the allowlisted hosts you accept - so whether workload data leaves the EU (for example, by calling a US-hosted model API from inside a sandbox) is under your control, not a side effect of the platform. ## Deletion Terminating a sandbox destroys its VM, memory, and workspace immediately; its pause snapshot, if any, is deleted with it. Deleting a volume or template removes the data and its object-storage copies. Account deletion runs a full GDPR erasure pipeline across compute, storage, and backups - described in the [privacy policy](https://orkestr.eu/privacy). ## Questions Compliance questionnaires, DPA requests, or anything your legal team needs: [contact us](https://orkestr.eu/contact) - privacy inquiries route to the operator directly.