Security & Compliance

AI on your own server.
Technically isolated.

For law firms, tax advisors and medical practices — GDPR-compliant, §203-compatible, DPA included. Your data lives on a dedicated server in Frankfurt. Not a single byte leaves the EU.

Hetzner Frankfurt · AWS Bedrock eu-central-1 · §203 StGB compatible · DPA Art. 28 GDPR · No CLOUD Act

Provider comparison

Not every AI tool is built for regulated industries.

A direct compliance comparison of the common AI platforms — for professions bound by statutory confidentiality, every detail counts.

Criterion        | ClapNClaw           | ChatGPT Team     | Copilot Business
-----------------|---------------------|------------------|------------------
Server location  | Frankfurt (DE)      | USA              | USA / EU
CLOUD Act        | ✓ No risk           | ✗ Affected       | ✗ Affected
§203 StGB        | ✓ Compatible        | ✗ Not possible   | ✗ Not possible
DPA Art. 28      | ✓ Included          | ~ On request     | ~ On request
Dedicated VPS    | ✓ Your own server   | ✗ Shared cloud   | ✗ Shared cloud
Audit logs       | ✓ Complete          | ~ Limited        | ~ Limited
Price / user     | from €29            | $30              | $30

Data flow architecture

Where your data really is

From the browser to the AI model — every step stays in the EU.

Browser (your team) → Traefik (TLS, end-to-end encrypted) → Your VPS (Hetzner Frankfurt) → LiteLLM Gateway (routing & cache) → AWS Bedrock EU (Frankfurt · eu-central-1)

All customer data remains in the EU. No data transfer to US servers. AWS Bedrock eu-central-1 processes requests without storing data — Anthropic gains no access to your data via Bedrock.

Professional confidentiality

§203 StGB — your professional secrecy is safe with us.

§203 StGB protects the professional secrets of lawyers, doctors and tax advisors. ClapNClaw is built so that we technically have no access to your data.

⚖️ Lawyer / law firm

Problem: Client secrets on US servers. ChatGPT processes legal briefs on CLOUD Act servers — a §203 breach looms.
ClapNClaw: A dedicated VPS in Frankfurt. Client files stay on your server. Every file access is controlled.

🏥 Doctor / medical practice

Problem: Patient data is specially protected under Art. 9 GDPR. Common AI tools send diagnoses to US servers — medical confidentiality is breached.
ClapNClaw: Patient data never leaves your server. Zero retention during AI inference. DPIA template included.

📊 Tax advisor

Problem: Tax returns and financial data on third-party servers. The tax-advisory professional secret (§203 (1) no. 3 StGB) is at risk.
ClapNClaw: Financial data stays on your VPS in Frankfurt. Hypervisor isolation — no other tenant has access. DPA from day one.

Data protection documentation

DPA, DPIA & record of processing — all included.

The GDPR requires documentation. ClapNClaw delivers it with the product — prepared and ready to use right away.

DPA under Art. 28 GDPR

Every ClapNClaw contract includes a complete data processing agreement. Subject matter, duration, nature and purpose of processing as well as the TOMs are documented and ready to use right away.

DPIA under Art. 35 GDPR

When processing special categories of personal data, a DPIA may be required. ClapNClaw provides a DPIA template and technical documentation.

Record of processing Art. 30

A complete overview: which data is processed, the legal basis, retention periods, sub-processors and TOMs — ready for your files.

Request the DPA → Ready to use right away. No lawyer required.

ClapNClaw Sandbox

Every action controlled, every access logged.

Your private AI runs in an isolated sandbox and is governed by declarative security policies (policy-as-code).

Security policy (YAML)

# ClapNClaw policy — tenant: kanzlei-mueller
sandbox:
  name: "kanzlei-mueller"
  isolation: hypervisor
  network:
    allow:
      - api.clapnclaw.io:443            # LiteLLM Gateway
      - bedrock.eu-central-1.aws:443    # AI inference
    deny: ["*"]                         # everything else blocked
  filesystem:
    read: ["/workspace/documents/**"]
    write: ["/workspace/output/**"]
    deny: ["/etc/**", "/root/**"]
  audit:
    log_level: verbose
    retention: 90d
  • Policy-as-code

    Security policies in YAML — versioned, auditable, reproducible. No manual intervention required.

  • Complete audit logs

    Every file access, every network request, every token used is logged. 90-day retention.

  • DPO dashboard

    Your data protection officer gets access to usage statistics, audit logs and the policy configuration.
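The policy above states what the sandbox may reach and touch, but not how such a policy is evaluated or how the audit trail the DPO dashboard relies on is produced. The following Python is an added example, not ClapNClaw's own enforcement code: it embeds the page's YAML policy as a dict (constructed here so the file runs without PyYAML), evaluates network and file requests against it, and records every decision. Two precedence rules are assumptions the page does not spell out: an explicit network allow beats the catch-all deny, and a filesystem deny beats any read or write grant. Paths are normalized before matching so that `../` segments cannot walk out of the granted tree and slip past the glob.

```python
"""Minimal evaluator for a ClapNClaw-style sandbox policy (added example).

Not ClapNClaw's code. POLICY mirrors the YAML on the page; the precedence
rules (network: allow beats deny; filesystem: deny beats grants) and the
'90d' retention format are assumptions for this example.
"""
import posixpath
import re
from dataclasses import dataclass, field

# Constructed to mirror the page's YAML policy for tenant kanzlei-mueller.
POLICY = {
    "sandbox": {
        "name": "kanzlei-mueller",
        "isolation": "hypervisor",
        "network": {
            "allow": ["api.clapnclaw.io:443", "bedrock.eu-central-1.aws:443"],
            "deny": ["*"],
        },
        "filesystem": {
            "read": ["/workspace/documents/**"],
            "write": ["/workspace/output/**"],
            "deny": ["/etc/**", "/root/**"],
        },
        "audit": {"log_level": "verbose", "retention": "90d"},
    }
}


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a policy glob: '**' spans '/' separators, '*' stays within one segment."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def matches_any(target: str, patterns: list) -> bool:
    return any(glob_to_regex(p).match(target) for p in patterns)


def retention_days(policy: dict) -> int:
    """Parse the audit retention value ('90d' on the page) into days."""
    value = policy["sandbox"]["audit"]["retention"]
    m = re.fullmatch(r"(\d+)d", value)
    if not m:
        raise ValueError(f"unsupported retention format: {value!r}")
    return int(m.group(1))


@dataclass
class Sandbox:
    policy: dict
    audit_log: list = field(default_factory=list)

    def _decide(self, kind: str, target: str, allowed: bool, reason: str) -> bool:
        # Every decision, allowed or not, becomes an audit entry.
        self.audit_log.append({
            "tenant": self.policy["sandbox"]["name"],
            "kind": kind,
            "target": target,
            "decision": "allow" if allowed else "deny",
            "reason": reason,
        })
        return allowed

    def check_network(self, host: str, port: int) -> bool:
        """Egress check: allow list, then deny list, then default deny."""
        target = f"{host}:{port}"
        net = self.policy["sandbox"]["network"]
        if matches_any(target, net.get("allow", [])):
            return self._decide("network", target, True, "matched allow list")
        if matches_any(target, net.get("deny", [])):
            return self._decide("network", target, False, "matched deny list")
        return self._decide("network", target, False, "default deny")

    def check_file(self, path: str, mode: str) -> bool:
        """File access check for mode 'read' or 'write'; deny list wins."""
        if mode not in ("read", "write"):
            raise ValueError(f"unknown mode: {mode!r}")
        # Normalize first: '/workspace/documents/../../etc/passwd' must be
        # judged as '/etc/passwd', not as something under documents/.
        norm = posixpath.normpath(path)
        fs = self.policy["sandbox"]["filesystem"]
        if matches_any(norm, fs.get("deny", [])):
            return self._decide(mode, norm, False, "matched deny list")
        if matches_any(norm, fs.get(mode, [])):
            return self._decide(mode, norm, True, f"matched {mode} grant")
        return self._decide(mode, norm, False, f"no {mode} grant")


if __name__ == "__main__":
    sb = Sandbox(POLICY)
    sb.check_network("api.clapnclaw.io", 443)
    sb.check_network("example.invalid", 443)
    sb.check_file("/workspace/documents/akte-123/schriftsatz.pdf", "read")
    sb.check_file("/workspace/documents/../../etc/passwd", "read")
    for entry in sb.audit_log:
        print(entry)
```

Running the file prints one audit entry per request; the traversal attempt is recorded under its normalized target `/etc/passwd` with the reason "matched deny list", which is the entry a DPO reviewing the log would want to see, rather than the raw string the caller supplied.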

Certifications & standards

Audited. Certified. Trustworthy.

ClapNClaw relies on infrastructure with recognized certifications — and delivers the compliance documents right along with it.

Hetzner Frankfurt

ISO 27001 certified data center. Dedicated VPS with hypervisor isolation.

AWS Bedrock EU

ISO 27001, BSI C5 and SOC 2 audited. AI inference in Frankfurt (eu-central-1), zero data retention.

DPA Art. 28

Data processing agreement included in the contract. Ready to use right away.

§203 StGB

Architecture designed for §203-compatible use. Dedicated server, no shared infrastructure.

ISO 27001, BSI C5 and SOC 2 are certifications of our infrastructure providers (Hetzner, AWS). They attest to the security of the underlying data centers and AI infrastructure.

Frequently asked questions

Compliance FAQ for regulated industries

ClapNClaw is built for GDPR compliance. All customer data is stored on dedicated servers in the Hetzner data center in Frankfurt (ISO 27001 certified). AI inference runs via AWS Bedrock eu-central-1 without data storage. A data processing agreement (DPA) under Art. 28 GDPR is included in the contract.

Your dedicated VPS is located at Hetzner in Frankfurt am Main. AI inference runs via AWS Bedrock eu-central-1 (also in Frankfurt). Not a single byte leaves the EU.

No. AWS Bedrock does not store inputs or outputs and does not use them for model training. Your chat history stays exclusively on your private server in Frankfurt.

A data processing agreement (DPA) under Art. 28 GDPR governs how we handle your data as a processor. Yes — every ClapNClaw contract includes a complete DPA.

Yes. ClapNClaw's architecture is designed to create the technical conditions for §203-compliant use: a dedicated VPS with hypervisor isolation and a sandbox with no data access by ClapNClaw. The legal assessment remains the responsibility of the individual professional bound by confidentiality.

A DPIA (data protection impact assessment) under Art. 35 GDPR may be required if you process special categories of personal data (e.g. health data). ClapNClaw provides a DPIA template and technical documentation.

Only you and your team. ClapNClaw operates dedicated VPS instances with hypervisor isolation — your server is separated from all others. We have no access to your data, chats or documents. AWS Bedrock likewise stores no data.

Because you own a dedicated VPS, you have full control over data deletion. When the contract ends, the VPS is fully deprovisioned and all data is permanently erased. AWS Bedrock stores no data in the first place.

GDPR-compliant AI in 5 minutes

A dedicated server in Frankfurt. DPA from day one. Not a single byte to the USA.

Setup in 5 minutes · DPA included · Data in Frankfurt · Cancel anytime