Pay-per-token open-model inference from Scaleway (Iliad Group), OpenAI-compatible, EU-hosted.
Compliance posture
Routed through Stav's upstream relationship with this operator.
Stav's assessment · serving-side
Scaleway Generative APIs is operated by Scaleway S.A.S., a French SAS incorporated in Paris with no US parent and no CLOUD Act or FISA 702 exposure, serving inference exclusively from its own GPU infrastructure in the FR-PAR (Paris) data centre — one of the strongest jurisdictional postures available to EU-regulated customers. Legal exposure scores the highest of all dimensions (92) reflecting the clean sovereignty chain from operator through sub-processors; serving residency is close behind (88) but is capped by Scaleway's own disclosure that Paris-only hosting 'may change in the future.' The two dimensions that moderate the composite to the conditional band are security posture (78) — where SecNumCloud qualification is still in-process and an undisclosed active CVE sits on the Trust Center — and contractual posture (78), where the DPA is publicly available and well-structured but grants a standing general authorisation for sub-processor changes without per-change advance notice and does not fully surface SCC annexes or audit-right detail in public documentation. Serving retention (80) is strong in default posture but carries a low-severity caveat around the underbounded exception-retention window on error and malicious-traffic events. Stav's operational verdict: sovereign serving is available for standard EU regulated workloads; customers with French public-sector SecNumCloud mandates must await ANSSI final qualification before relying on that assurance level, and those requiring strict France-only residency or physical tenant isolation should contractually anchor the region and evaluate the Dedicated Deployment tier.
Inference runs exclusively on Scaleway-owned GPU hardware in FR-PAR (Paris) with no US hyperscaler underlayer, but Scaleway's own documentation notes the single-region posture 'may change in the future,' introducing a residency-drift risk that prevents a 90+ score.
Scaleway S.A.S. is a French-incorporated entity (RCS Paris 433 115 904), a subsidiary of French Iliad Group, with no US parent and no CLOUD Act / FISA 702 hook; sub-processors are likewise EU-domiciled per the published list, making this the strongest sovereignty signal in the profile.
Zero-retention is the default — prompts and outputs are not logged, stored, or used for training — but Scaleway explicitly reserves the right to temporarily retain prompt content on HTTP 500 errors or suspected malicious activity, with no publicly documented maximum retention period or access-control log for that exception path.
Risk assessment
SECURITY: SecNumCloud qualification is still in-process (ANSSI J0 milestone passed January 2025, targeting end-2025 completion) but the final qualification has not yet been awarded. Until awarded, the highest French governmental assurance of extraterritorial-law immunity is absent for regulated French/EU public-sector procurements that mandate it. source ↗
SERVING_RETENTION: Scaleway explicitly reserves the right to temporarily store HTTP request content (including prompt content) when abnormal errors (e.g. HTTP 500) or suspected malicious activity occur. The scope, duration, and access controls for this exception retention are not precisely quantified in public documentation. source ↗
DATA_RESIDENCY: Current inference is limited to the FR-PAR (Paris) region only. Scaleway has explicitly stated this may expand ('This may change in the future'), meaning data residency guarantees could shift as new regions are added. Customers relying on France-only residency should monitor this. source ↗
Safeguards
All inference runs exclusively on Scaleway-owned GPU infrastructure in French data centres (Paris, FR-PAR). No US hyperscaler or third-party cloud underlayer is used for the inference path; Scaleway maintains full control over model hosting without interaction with third-party services. source ↗
Scaleway is a French SAS (registered Paris, RCS 433 115 904) and a subsidiary of Iliad Group (French). 100% of employees, capital, and taxes are EU-domiciled. No US parent company exists, and CLOUD Act / FISA 702 extraterritorial reach does not apply. source ↗
Zero Data Retention Policy is the default for Generative APIs: prompts and outputs are not collected, read, reused, or analysed. Models are stateless — no prompt or completion is stored within the model after processing. Data is not used for training, retraining, or improving any model. source ↗
Customer inference data is explicitly isolated from other Scaleway customers and from LLM model creators. It is not used to improve Scaleway or third-party products, services, or models. source ↗
Privacy-policy issues
Exception retention scope not precisely bounded. source ↗
Scaleway reserves the right to temporarily store prompt/output content when errors or malicious activity are detected, but does not specify a maximum retention period or access-control log for this exception path in public documentation.
General authorisation for sub-processor changes — no advance per-change notice. source ↗
The DPA and sub-processor page grant Scaleway a standing general authorisation to add, modify, or remove sub-processors; customers are not guaranteed advance individual notification of each change, only a maintained public list.
Serverless tier uses shared (mutualized) GPU infrastructure — tenant isolation is logical, not physical. source ↗
The Generative APIs Serverless product explicitly runs on shared infrastructure; dedicated physical isolation requires migration to the Dedicated Deployment (formerly Managed Inference) product tier at higher cost.
Certifications & legal documents
ISO/IEC 27001:2022 and HDS certifications are current and sourced via the Trust Center; TLS in transit, encryption at rest, CSIRT, and penetration testing are documented, but SecNumCloud qualification remains in-process (not yet awarded) and a CVE (CVE-2026-46333) is listed as an active note on the Trust Center with severity not publicly determinable.
A publicly available English-language DPA (June 2024) covers GDPR processor obligations, EU-only transfer restrictions, and sub-processor controls with a clear legal counterparty (Scaleway S.A.S.), but the DPA grants standing general authorisation for sub-processor changes without per-change advance notice, and explicit SCC annex documentation and audit-right scope are not fully detailed in publicly available materials.
SUBPROCESSING: Scaleway's DPA and sub-processor list grant customers general authorisation for Scaleway to add, modify, or remove sub-processors at any time. There is no contractual requirement for advance individual notice to customers of sub-processor changes — only a maintained public list. source ↗
RESILIENCE: Generative APIs Serverless runs on shared (multi-tenant) GPU infrastructure. Scaleway explicitly states it cannot 'strictly guarantee performance, especially during customer peak loads.' An Object Storage incident in September–October 2024 (affecting a different product) demonstrated infrastructure-level failure modes that crossed SLA thresholds intra-month. source ↗
GOVERNANCE: Scaleway is a subsidiary of Iliad Group (Xavier Niel), a listed French holding company. While this means it is not directly CLOUD Act-exposed, corporate transactions (e.g. sale, restructuring) at the Iliad Group level could alter the sovereignty posture. No current indicators of such risk. source ↗
ISO/IEC 27001:2022 certified (started 2018). Certificate and Statement of Applicability available via Scaleway Trust Center (security.scaleway.com). source ↗
HDS (Hébergeur de Données de Santé) certified since July 2024, awarded by BSI Group under supervision of the French National Agency for Digital Health (ANS). No transfer of personal health data outside France or the EEA under HDS-scope offers. source ↗
SecNumCloud qualification process formally initiated in January 2025 (ANSSI J0 milestone passed without reservations). Full qualification targeted for end-2025 / early 2026. When awarded, this will be the highest French government cloud sovereignty assurance. source ↗
All traffic between customer and inference service is encrypted using TLS (HTTPS) in transit. Data stored during batch processing is protected with encryption at rest. Public-facing endpoints are secured with API key tokens. Qualys SSL Labs rating A+ for Scaleway Elements and Dedibox APIs confirmed via Trust Center. source ↗
Scaleway operates a dedicated CSIRT (Computer Security Incident Response Team) with defined responsibilities for incident detection, assessment, emergency response, forensic analysis, and coordinated disclosure. source ↗
Trust Center (security.scaleway.com, powered by SafeBase) publicly lists HDS and ISO/IEC 27001 certificates, an SoA, DPA, privacy policy, sub-processor list, and security controls including MFA, RBAC, audit logging, penetration testing, disk encryption, and mobile device management. source ↗
A publicly available DPA (version June 2024) is published in English. It covers: GDPR data processor obligations, sub-processor controls, data transfer restrictions (no transfer outside EU without client agreement), and obligation to notify client before any third-country transfer. source ↗
Sub-processor list is publicly maintained and all sub-processors are subject to Scaleway's security and data protection control procedures to maintain equivalent compliance standards. source ↗
Scaleway publishes a public status page (status.scaleway.com) with historical incident records, real-time component status, and maintenance windows. Blog-format post-incident reports are published for significant events. source ↗
Scaleway's data privacy page for Generative APIs explicitly documents what is collected, what is not stored, the exception for malicious/error traffic, isolation guarantees, and encryption controls — providing a clear and verifiable privacy posture. source ↗
Scaleway maintained overall SLA compliance during an Object Storage infrastructure incident in September–October 2024 (99.93% uptime vs. 99.0% SLA target). Post-incident report published with root cause analysis and remediation commitments. source ↗
Future data residency expansion could shift FR-only guarantee. source ↗
Scaleway's own documentation notes that current Paris-only hosting 'may change in the future,' meaning customers requiring strict France-only residency should contractually anchor this or monitor region expansion announcements.