public_documentation-privacy__europe_first

Ask Eve AI is a European AI platform operated by Belgian company Flow IT BV, designed with privacy by default, where all data storage, processing, and AI operations occur exclusively within EU jurisdiction under Belgian law. The platform ensures architectural data isolation, no transatlantic transfers, and compliance with GDPR through European infrastructure partners like Scaleway, Bunny.net, and Mistral AI.

Ask Eve AI is a European AI platform operated by Belgian company Flow IT BV, designed with privacy by default, where all data storage, processing, and AI operations occur exclusively within EU jurisdiction under Belgian law. The platform ensures architectural data isolation, no transatlantic transfers, and compliance with GDPR through European infrastructure partners like Scaleway, Bunny.net, and Mistral AI.

European Infrastructure and Jurisdiction

The platform runs entirely on EU-based infrastructure, avoiding exposure to US surveillance laws like the CLOUD Act or FISA Section 702. Core providers include Scaleway (French cloud/Kubernetes, ISO 27001 and HDS certified), Bunny.net (EU CDN and security, ISO 27001/SOC 2 compliant), and Mistral AI (French AI models, SOC 2/ISO 27001/27701 certified). All tenant data remains physically within the EU, with no cross-border transfers.

Architectural Data Isolation

Ask Eve AI employs multi-tenant isolation at the database level: each organisation’s Data Constellation (Data Capsules, documents, and conversation history) is stored in a dedicated schema and object storage. This separation is structural—not just permission-based—preventing data leakage even in the event of software errors.

Privacy by Design Principles

The platform adheres to GDPR’s Privacy by Design framework through data minimisation (collecting only essential data), default anonymity (no personal data unless explicitly provided), and end-to-end encryption (in transit and at rest). Critically, tenant data is never used to train AI models without explicit consent, ensuring organisational knowledge remains private.

Clear GDPR Roles and Incident Response

Ask Eve AI operates as a Data Processor under GDPR, with tenants retaining full Data Controller authority over their data. A mandatory Data Processing Agreement (DPA) formalises responsibilities, breach protocols (72-hour notification), and data handling procedures. Oversight falls under the Belgian Data Protection Authority, ensuring disputes are resolved under EU law.

Transparency and Control

The platform’s design reflects a commitment to jurisdictional clarity: Belgian law governs all operations, eliminating risks of non-EU legal overrides. Tenants maintain control over data purposes, access, and retention, with no hidden third-party sharing or surveillance exposure. This approach aligns with European values of data sovereignty and user trust.