Loading the catalogue…
Loading the catalogue…
French serverless inference for 40+ open models, OpenAI- and HuggingFace-API compatible. Hosted in OVHcloud's Gravelines datacentre; ANSSI Cloud de Confiance-aligned.
Compliance posture
Routed through Stav's upstream relationship with this operator.
Stav's assessment · serving-side
OVHcloud AI Endpoints is operated by OVH Groupe SA, a French-incorporated entity with no US parent, running inference on its own hardware in European data centres (Gravelines, France primary; also Germany and Italy), with no dependence on a US hyperscaler—placing it among the strongest sovereignty profiles available for EU regulated buyers. The composite lands at conditional (84) rather than trusted because two residual gaps constrain the ceiling: the US-headquartered SambaNova hardware partner's data-processing role in the inference path lacks a public Article 28 sub-processor register entry with transfer-mechanism details, and SecNumCloud 3.2 qualification—though held for OVHcloud's Hosted Private Cloud and Bare Metal Pod tiers—has not been confirmed for the Public Cloud layer underpinning AI Endpoints as of the research date. The strongest dimensions are serving retention (88), anchored by an explicit public zero-retention and no-training pledge, and security posture (87), supported by a broad sourced certification stack including ISO/IEC 27001/27017/27018/27701, SOC 2 Type 2, and HDS. Contractual posture (80) is the weakest dimension, held back by the missing AI Endpoints sub-processor disclosure and unconfirmed SCCs covering the SambaNova relationship. Stav's operational verdict: sovereign EU serving is available via direct OVHcloud API key; customers should avoid the Hugging Face routing path for regulated workloads, request a formal Article 28 addendum covering the SambaNova sub-processor before go-live, and monitor OVHcloud's ANSSI SecNumCloud Public Cloud qualification status for procurement mandates requiring that standard.
Inference runs on OVHcloud-owned data centres (Gravelines, France primary; also Germany and Italy) with no US-hyperscaler dependency, though the exact EU-region list for AI Endpoints is not granularly published and some availability zones span non-EU regions (APAC, Canada).
OVH Groupe SA is French-incorporated with no US parent, carrying no CLOUD Act or FISA 702 exposure; the residual risk is the US-headquartered SambaNova hardware sub-processor whose data-processing role in the inference path is not formally documented in a public Article 28 register.
OVHcloud publicly pledges zero prompt/output retention and explicitly commits that data will never be used to train or improve AI models, though the precise scope of 'billing data' retained (token counts vs. request-level metadata) is not fully elaborated.
Risk assessment
AI Endpoints inference runs on OVHcloud-owned EU infrastructure. At GA launch the service was deployed from the Gravelines data centre (France) with availability in APAC, Canada, and Europe; subsequent expansion added Berlin and Italian regions. The product page states data is hosted in Europe. No US-hyperscaler region is involved—OVHcloud owns and operates its own hardware. However, the exact region list for EU-specific deployments is not granularly published in the AI Endpoints documentation reviewed. source ↗
DATA_RESIDENCYOVHcloud has launched an AI Endpoints inference platform partnership with SambaNova (US-headquartered AI chip company) using SambaNova's SambaStack platform and custom RDU hardware. SambaNova was reportedly exploring a sale in late 2025, with Intel said to be in discussions. The extent to which SambaNova processes customer inference traffic (prompt/output data) versus merely providing hardware is not publicly documented. No AI Endpoints-specific sub-processor list was found at the standard OVHcloud sub-processor URL. Regulated customers should request an Article 28 DPA addendum covering the SambaNova relationship before going live. source ↗
SUBPROCESSINGOVHcloud's product page explicitly states 'Zero data retention: We keep only the data required for billing purposes' and 'Your data will never be used to train or improve our AI models.' This is a publicly committed contractual pledge, not a per-customer opt-in. The exact definition of 'billing data' retained (token counts only, or IP/session metadata) is not elaborated in the reviewed documentation.
Safeguards
Inference physically runs on OVHcloud-owned European data centres (Gravelines, France primary; also Germany/Italy/Canada regions). OVHcloud designs, builds, and operates its own servers and data centres, with no dependency on a US hyperscaler for compute. source ↗
Explicit public pledge of zero prompt/output data retention: 'We keep only the data required for billing purposes' and 'Your data will never be used to train or improve our AI models.' source ↗
SecNumCloud 3.2 qualification (ANSSI) held for Hosted Private Cloud and Bare Metal Pod; covers 360+ technical, organisational, and legal requirements including protection against non-EU extraterritorial laws. Public Cloud (AI Endpoints underlying platform) SecNumCloud qualification targeted for end-2025. source ↗
ISO/IEC 27001:2022 (ISMS), ISO/IEC 27017:2015 (cloud security controls), ISO/IEC 27018:2019 (PII in public cloud), ISO/IEC 27701:2019 (privacy information management), HDS (Hébergement de Données de Santé — French health-data hosting certification) all confirmed in place. source ↗
Privacy-policy issues
AI Endpoints sub-processor list not publicly granular source ↗
No AI Endpoints-specific sub-processor disclosure page was found (the standard URL returned HTTP 404). The SambaNova hardware partnership for inference acceleration is disclosed in press releases but not in a formal GDPR Article 28 sub-processor register with data-flow and transfer mechanism details.
Billing-data retention scope not precisely defined source ↗
The product page states 'we keep only the data required for billing purposes' but does not specify whether this is limited to aggregate token counts or includes request-level metadata (timestamps, source IP, user identifiers), which may matter for GDPR data-minimisation analysis.
HF routing path introduces US-entity sub-processor source ↗
When using OVHcloud AI Endpoints via Hugging Face's inference provider routing (router.huggingface.co), Hugging Face (a US-incorporated entity) acts as an intermediary processor. Customers using their own OVHcloud API key bypass this, but HF-routed deployments require a separate DPA analysis with Hugging Face.
Certifications & legal documents
OVHcloud holds a strong, sourced certification stack—ISO/IEC 27001/27017/27018/27701, SOC 2 Type 2, and HDS—covering the AI Endpoints product scope; SecNumCloud 3.2 is confirmed for adjacent products but not yet for the Public Cloud AI Endpoints tier as of the research date.
A publicly available DPA, Terms & Conditions, and Privacy Policy exist under French law with GDPR Article 28 coverage; however, the AI Endpoints-specific sub-processor list URL returned 404 and the SambaNova relationship lacks a formal transfer-mechanism disclosure, leaving SCCs for that sub-processor unconfirmed.
OVH Groupe SA is incorporated and headquartered in Roubaix, France (RCS Lille Métropole 537 407 926). It is a French-law entity with no US parent company, meaning it is not subject to the CLOUD Act or FISA 702. French law applies to contractual disputes. SecNumCloud 3.2 qualification explicitly requires protection against non-EU extraterritorial laws. The voucher terms confirm 'French law applies.' The only residual exposure is the SambaNova sub-processor relationship (US-headquartered). source ↗
LEGAL_EXPOSUREOn 10 March 2021, OVHcloud's SBG2 data centre in Strasbourg was completely destroyed by fire, and four halls of SBG1 were damaged. Millions of websites went offline and some customers lost data because backups were co-located in the same facility. Recovery took more than two weeks for some services. Two companies subsequently won French court judgments totalling over €400,000 in damages. While OVHcloud has invested significantly in infrastructure post-incident, no AI Endpoints-specific multi-AZ or geo-redundancy SLA documentation was found in this run. source ↗
RESILIENCEIn 2017, OVHcloud suffered two serious outages: a power outage brought down the entire Strasbourg campus, and forty minutes later an unrelated software bug in networking equipment took down the Roubaix campus. These pre-date the current AI Endpoints product but indicate a historical pattern of systemic incidents. OVHcloud has since invested substantially in resilience engineering. source ↗
RESILIENCEWhen using OVHcloud AI Endpoints via the Hugging Face inference provider routing path, requests transit through Hugging Face's router (router.huggingface.co). Traffic routed via HF uses the HF token and billing flows through HF's account, not directly to OVHcloud. This introduces Hugging Face (a US entity) as an additional data processor for the routing layer. Customers using their own OVHcloud API key bypass this path and connect directly. source ↗
SUBPROCESSINGOVHcloud holds ISO/IEC 27001:2022, 27017, 27018, 27701, HDS, and SecNumCloud 3.2 qualifications. SecNumCloud 3.2 (the highest French sovereign cloud standard, issued by ANSSI) was obtained for Hosted Private Cloud/VMware (renewed Jan 2024) and Bare Metal Pod (March 2025). OVHcloud has publicly stated it plans to file for SecNumCloud qualification of Public Cloud services (including AI Endpoints' underlying platform) targeting end-2025, but this qualification has not been confirmed as completed for the AI Endpoints product specifically as of the research date. source ↗
SECURITYPCI DSS 3.2 PSP Level 1, EBA Outsourcing Guidelines compliance (for European financial-sector customers), and ACPR Outsourcing Guidelines (France) are listed on OVHcloud's compliance page. source ↗
DPA, Terms & Conditions, and Privacy Policy are publicly available. French-law governed. OVHcloud is the contracting legal entity (OVH Groupe SA affiliates, registered in France). Contractual framework covers GDPR Article 28 obligations. source ↗
SecNumCloud-qualified infrastructure is operated, maintained, and monitored exclusively by personnel based in Europe, providing additional supply-chain sovereignty assurance beyond data-at-rest location. source ↗
OVHcloud publishes a public status portal (status.ovhcloud.com) with separate sub-portals for Public Cloud, Bare Metal, Hosted Private Cloud, and Network, enabling real-time incident tracking. source ↗
OVHcloud operates 43 data centres across 4 continents with over 450,000 servers. AI Endpoints uses an integrated, vertically-owned infrastructure stack (OVHcloud designs its own servers and operates its own fibre network), minimising dependency on third-party infrastructure operators for the core compute layer. source ↗
OVHcloud uses water-cooled, energy-efficient servers in bespoke data centres. SecNumCloud 3.2 natively integrates data encryption, key management, network isolation, and access control at the platform level. source ↗
SecNumCloud qualification gap for AI Endpoints product tier source ↗
SecNumCloud 3.2 is confirmed for OVHcloud's Hosted Private Cloud and Bare Metal Pod products. The Public Cloud services underpinning AI Endpoints were not SecNumCloud-qualified as of the research date; OVHcloud filed for qualification in May 2025 targeting end-2025 completion, but no confirmation was found in this run.