Usage-based managed inference from Exoscale (A1 Digital, Austria-owned), deployable in EU and Swiss regions.
Compliance posture
Routed through Stav's upstream relationship with this operator.
Stav's assessment · serving-side
Exoscale Managed Inference is operated by Akenes SA, a Swiss-incorporated entity (CHE-423.524.322, Lausanne) with no US ownership, no CLOUD Act exposure, and inference running exclusively across Exoscale-owned zones in Switzerland and EEA member states — one of the strongest serving-side sovereignty postures available to EU regulated customers. The composite lands at 82 (conditional) primarily because of a medium-severity gap in serving_retention: despite an otherwise rigorous contractual framework, no publicly available, inference-specific statement addresses whether API prompt and output payloads are transiently logged at the serving layer, for how long, or whether any human review occurs. The strongest dimensions are security_posture (93), reflecting an industry-leading multi-framework certification stack with ISO 27001:2022, ISO 27018, SOC 2 Type II, BSI C5:2020 Type 2, and HDS, and serving_residency (88), anchored by Exoscale-owned datacenter zones and Switzerland's EU adequacy decision eliminating SCC chains for CH↔EEA flows. Legal exposure is low but not negligible: the Austrian EEA parent (A1 Digital / A1 Telekom Austria Group) introduces a minor governance-change dependency that procurement teams should monitor. Stav's operational verdict: sovereign serving is available on this provider for standard EU regulated workloads; customers processing sensitive or highly regulated data (health, financial, public sector) should obtain written clarification from Exoscale on inference-layer logging and tenant isolation specifics before production deployment.
Inference runs exclusively in Exoscale-owned zones across Switzerland and EEA member states (DE, AT, BG, HR) with no non-EEA fallback path documented; Switzerland's EU adequacy decision removes any SCC requirement for CH↔EEA flows.
Operator is Swiss-incorporated (Akenes SA), carries no US CLOUD Act or FISA 702 exposure, and operates under Switzerland's lawful-access regime with a customer-notification commitment; the sole residual hook is the Austrian EEA parent (A1 Digital), which is materially lower-risk than any US-parented operator.
The published DPA commits to data deletion within 10 business days of service termination and prohibits independent use of customer data, but no inference-specific statement exists on whether prompt/output payloads are transiently logged at the API serving layer, for how long, or whether human review occurs — a medium-severity gap flagged in the research findings.
Risk assessment
No publicly available, inference-specific statement on whether prompt/output payloads are transiently logged, for how long, and whether any human review of inference request content occurs. The published DPA covers deletion of Company Personal Data within 10 business days of service termination, but does not address real-time inference-layer logging cadence or retention windows for individual API calls. source ↗
SERVING_RETENTION
Exoscale is a trademark of Akenes SA (CHE-423.524.322, Lausanne, Switzerland), a wholly-owned subsidiary of A1 Digital International GmbH & Co KG, which is itself part of A1 Telekom Austria Group — a Vienna Stock Exchange-listed Austrian telco. Any material change to the parent group's ownership, compliance posture, or regulatory standing (Austria is EEA, subject to NIS2 and DORA) would flow to Exoscale as an operating subsidiary. source ↗
GOVERNANCE
Switzerland's lawful-access regime requires competent Swiss authorities to request data, and Exoscale has stated it would promptly notify customers when legally permitted. Switzerland is not subject to US CLOUD Act or FISA 702 jurisdiction; the operator's security page explicitly addresses this and notes Switzerland's data treaty network (35+ DTAs with Article 26-type provisions). Residual exposure exists via the Austrian parent (A1 Digital) under EEA law, but this is materially lower than a US-incorporated operator. source ↗
Safeguards
Inference runs in Exoscale-owned zones across Switzerland (CH-DK-2, CH-GVA-2), Germany (DE-FRA-1, DE-MUC-1), Austria (AT-VIE-1, AT-VIE-2), Bulgaria (BG-SOF-1), Croatia (HR-ZAG-1), and related EU/Swiss datacenters — all operated within territories not subject to US jurisdiction. Swiss adequacy decision covers CH→EU data transfers without SCCs. source ↗
ISO/IEC 27001:2022 (ISMS), ISO/IEC 27017:2015 (cloud security controls), ISO/IEC 27018:2019 (personal data protection in cloud), SOC 2 Type II, BSI C5:2020 Type 2, HDS (French health data hosting), and TISAX Level 2 (automotive sector) — an exceptionally comprehensive multi-framework stack serving regulated verticals across banking, healthcare, government, and automotive. source ↗
GDPR-compliant DPA is published, self-serviceable in the customer portal (accepted with timestamped PDF), effective from May 5, 2025. Explicitly frames Exoscale as Data Processor and customer as Data Controller. Audit rights granted once per calendar year (or upon breach/regulator instruction). Customer data deleted within 10 business days of service termination. source ↗
Personal Data Breach notification is contractually committed: Exoscale must notify the Company 'without delay' upon a breach affecting Company Personal Data, providing sufficient information for the controller to meet its own GDPR notification obligations. source ↗
Privacy-policy issues
No inference-specific prompt/output retention statement source ↗
Neither the Managed Inference product page, the privacy policy, nor the DPA contains an explicit, inference-layer-specific statement on whether API prompt and output payloads are logged transiently, for how long, and whether they are used for any purpose beyond immediate serving — a gap commonly flagged by enterprise procurement teams for AI APIs.
DPA audit rights capped at once per calendar year source ↗
The DPA limits customer-initiated audits to one per calendar year except in the case of a Personal Data Breach or regulatory instruction — standard practice but a constraint for regulated customers with continuous audit requirements (e.g. DORA Article 30 ICT third-party oversight).
Certifications & legal documents
Exoscale holds an exceptionally comprehensive, sourced certification stack — ISO 27001:2022, ISO 27017, ISO 27018, SOC 2 Type II, BSI C5:2020 Type 2, HDS, and TISAX L2 — all current and backed by independent auditors, with a Secure Control Framework mapped across 32 control domains and no disclosed breach history.
A GDPR-compliant DPA is self-serviceable and timestamped via the customer portal, with clear Data Processor/Controller framing, breach notification obligations, and annual audit rights; no SCCs are required for CH↔EEA transfers due to adequacy, though audit rights are capped at once per calendar year and inference-layer sub-processor enumeration may lag the new product's GA.
Sub-processors are publicly listed in the privacy policy. However, the managed inference service is relatively new and the sub-processor list may not yet enumerate inference-specific tooling (e.g. GPU orchestration, model-serving software vendors) separately from general cloud sub-processors. Customers should verify the inference-layer sub-processor chain is current. source ↗
SUBPROCESSING
Managed Inference is a newer product (token-based, shared GPU capacity) still with pricing 'to be published upon launch' at time of investigation, suggesting the service may not yet have the same operational maturity as the company's core IaaS zones. Customers with mission-critical latency or availability needs should note that dedicated inference is the alternative for predictable workloads. source ↗
RESILIENCE
DPA commits to deletion of all Company Personal Data within 10 business days of service cessation date, unless a recovery service is requested. Data Subject rights requests are forwarded to the Controller without independent response by Exoscale. source ↗
Sub-processor list is publicly disclosed at the data-processors anchor of the privacy policy page, satisfying GDPR Art. 28(3)(d) transparency requirements. Customers can review and monitor downstream processing chains. source ↗
A compliance center is accessible via customer portal login, providing direct access to ISO certificates and compliance reports to assist customers in meeting their own regulatory obligations. source ↗
Exoscale operates a Secure Control Framework (SCF)-based internal security referential mapped to 32 control domains, enabling continuous mapping across ISO 27001, BSI C5, SOC 2, and others simultaneously. The compliance page confirms independent audits by world-leading auditors are conducted on a regular basis. source ↗
Swiss legal framework provides institutional protection for customer data: Exoscale states it would comply with lawful authority requests but would 'promptly inform the customer of the situation to the extent legally possible,' providing a meaningful notification safeguard. source ↗
Datacenter partners undergo strict security and quality vetting; each zone's datacenter certifications (ISO 27001, PCI DSS, SOC 1/2, TISAX, EN50600) are publicly listed per zone in the datacenter compliance matrix. source ↗