|
1 | | -Data residency |
2 | | -============== |
| 1 | +Data residency and EU cloud sovereignty |
| 2 | +======================================= |
3 | 3 |
|
4 | | -All **Weblate Cloud** and **Hosted Weblate** services are hosted entirely within the **European Union**. |
5 | | -This ensures strong data protection, clear jurisdiction, and compliance with European privacy standards. |
| 4 | +This page describes data-residency and cloud-sovereignty properties of Weblate |
| 5 | +services operated by Weblate s.r.o., including **Hosted Weblate** and |
| 6 | +**Weblate Cloud**. It does not describe arbitrary self-hosted Weblate |
| 7 | +deployments, where the deploying organization controls hosting, backups, |
| 8 | +integrations, legal basis, and retention. |
6 | 9 |
|
7 | | -Our infrastructure is provided by **Hetzner Online GmbH**, a German data center operator with a long-standing reputation for reliability and sustainability. |
8 | | -Hetzner’s facilities are certified under **ISO 27001** (information security) and **ISO 9001** (quality management), and are pursuing **ISO 50001** (energy management) certification. |
| 10 | +Weblate-operated services are designed for European data residency and customer |
| 11 | +control. The service operator is Weblate s.r.o., a company established in the |
| 12 | +European Union, and the primary hosting infrastructure is provided by Hetzner |
| 13 | +Online GmbH and Hetzner Finland Oy. |
9 | 14 |
|
10 | 15 | Where data lives |
11 | 16 | ---------------- |
12 | 17 |
|
13 | | -- All customer data, including translations, user information, and backups, is stored and processed within the EU. |
14 | | -- Primary data centers are located in **Germany**. |
15 | | -- No operational data leaves the EU unless explicitly requested by the customer (for example, for external backups or region-specific deployments). |
| 18 | +- Customer data, including translations, user information, operational data, |
| 19 | + and backups, is stored and processed within the European Union. |
| 20 | +- Primary service locations are in Germany. |
| 21 | +- No operational data leaves the EU unless explicitly requested or configured by |
| 22 | + the customer, for example by enabling external backups, repository hosting, |
| 23 | + authentication, e-mail, analytics, error reporting, or machine-translation |
| 24 | + integrations outside the EU. |
16 | 25 |
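Review bot: the exception list on new lines 21-24 treats e-mail, analytics and error reporting as things "explicitly requested or configured by the customer", but this page does not show that a customer of an operated service configures those. State which of the listed integrations a Hosted Weblate or Weblate Cloud customer can switch on. State separately whether the operator's own e-mail, analytics and error reporting stay in the EU, since the first bullet (new lines 18-19) now also covers "operational data".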
|
17 | | -Privacy and regulatory compliance |
18 | | ---------------------------------- |
| 26 | +Infrastructure provider |
| 27 | +----------------------- |
19 | 28 |
|
20 | | -Weblate Cloud and Hosted Weblate follow privacy-by-design principles and meet the requirements of **GDPR**. |
| 29 | +Weblate-operated services use Hetzner infrastructure. Hetzner Online GmbH and |
| 30 | +Hetzner Finland Oy are certified according to DIN ISO/IEC 27001:2022 for an |
| 31 | +information security management system covering infrastructure, operation, and |
| 32 | +customer support for their data center parks in Nuremberg, Falkenstein, and |
| 33 | +Helsinki. |
21 | 34 |
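Review bot: the certificate is named "DIN ISO/IEC 27001:2022" on new line 30 but "ISO/IEC 27001:2022" in the procurement list on new line 87; use one form so a reader can match it against the published certificate. The ISO 9001 and ISO 50001 statements (old line 8) and the GDPR sentence (old line 20) are removed with nothing in their place near this section. If the GDPR statement now lives in privacy-compliance, link to it from here rather than only from the seealso at new line 121.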
|
22 | | -Sustainability |
23 | | --------------- |
| 35 | +Hetzner states that its data centers use electricity from renewable sources. |
| 36 | +Its German data centers use hydropower, and its Finnish data center park has |
| 37 | +used hydropower since opening. |
24 | 38 |
|
25 | | -All hosting infrastructure operates on **100% renewable energy**, primarily sourced from **hydropower**. You can find more details at https://www.hetzner.com/unternehmen/nachhaltigkeit/. |
| 39 | +.. seealso:: |
| 40 | + |
| 41 | + * `Hetzner ISMS and data protection`_ |
| 42 | + * `Hetzner sustainability`_ |
| 43 | + |
| 44 | +EU cloud sovereignty |
| 45 | +-------------------- |
| 46 | + |
| 47 | +Weblate-operated services are intended to support common European cloud |
| 48 | +sovereignty requirements: |
| 49 | + |
| 50 | +- **Data sovereignty:** Weblate stores and processes customer data in the EU. |
| 51 | +- **Operational sovereignty:** Weblate s.r.o. operates the application service |
| 52 | + from within the EU using EU infrastructure providers. |
| 53 | +- **Legal sovereignty:** The service is provided by an EU company and uses EU |
| 54 | + hosting infrastructure. This reduces exposure to non-EU cloud operators, but |
| 55 | + does not remove every possible cross-border legal or integration dependency. |
| 56 | +- **Technical sovereignty:** Weblate is libre software and can be self-hosted, |
| 57 | + migrated, or run as a dedicated deployment when an organization needs stronger |
| 58 | + isolation or deployment-specific controls. |
| 59 | +- **Customer control:** Projects, translations, and user data can be exported or |
| 60 | + deleted. External integrations are optional and configurable. |
| 61 | + |
| 62 | +The operational controls around security incidents and service continuity are |
| 63 | +documented in :doc:`incident-response-plan` and |
| 64 | +:doc:`disaster-recovery-plan`. |
| 65 | + |
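Review bot: the "Data sovereignty" bullet on new line 50 states EU storage and processing without the customer-configured exceptions given under "Where data lives" (new lines 21-24). Qualify it or point to that section so the two statements cannot be read against each other. The :doc: targets incident-response-plan and disaster-recovery-plan on new lines 63-64 are not part of this diff, so confirm both documents exist alongside this page, otherwise the Sphinx build will warn about unknown documents.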
| 66 | +Cloud Sovereignty Framework |
| 67 | +--------------------------- |
| 68 | + |
| 69 | +The EU Cloud Sovereignty Framework and similar procurement frameworks are often |
| 70 | +described using Sovereignty Effectiveness Assurance Levels (SEAL). Weblate's |
| 71 | +target direction for operated services is alignment with the expectations of |
| 72 | +**SEAL-4 / Full Digital Sovereignty**, especially EU locality, EU operation, |
| 73 | +data portability, open-source software, and customer control. |
| 74 | + |
| 75 | +Weblate does not currently claim formal SEAL-4 certification, third-party |
| 76 | +attestation, or equivalent public-sector framework approval. Such a claim would |
| 77 | +depend on a formal assessment route and on provider-level evidence from |
| 78 | +subprocessors such as Hetzner. |
| 79 | + |
| 80 | +For procurement reviews, the current evidence points are: |
| 81 | + |
| 82 | +- Weblate s.r.o. is the EU service operator. |
| 83 | +- Customer data for Weblate-operated services is hosted and processed in the EU. |
| 84 | +- The application is libre software and can be independently deployed. |
| 85 | +- Customer projects and translations can be exported. |
| 86 | +- External integrations are optional and configurable. |
| 87 | +- Hetzner publishes ISO/IEC 27001:2022 certification for the relevant data |
| 88 | + center parks. |
| 89 | + |
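Review bot: the SEAL paragraph on new lines 69-73 names the EU Cloud Sovereignty Framework and its assurance levels without a reference, while the Hetzner claims get link targets on new lines 146-147. Add a link target for the framework text so the "SEAL-4 / Full Digital Sovereignty" wording can be checked by a procurement reviewer.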
| 90 | +Cloud and AI Development Act |
| 91 | +---------------------------- |
| 92 | + |
| 93 | +The EU Cloud and AI Development Act is still an emerging legislative and policy |
| 94 | +initiative. Until final legal text and implementation guidance are available, |
| 95 | +Weblate treats Cloud and AI Development Act questions as procurement and |
| 96 | +readiness questions rather than as a formal compliance certification. |
| 97 | + |
| 98 | +The current Weblate service design supports likely cloud and AI sovereignty |
| 99 | +questions in these areas: |
| 100 | + |
| 101 | +- **European cloud infrastructure:** Weblate-operated services use EU hosting |
| 102 | + for customer data and operational data. |
| 103 | +- **Open-source stack:** Weblate is libre software, reducing dependency on |
| 104 | + proprietary cloud application code. |
| 105 | +- **Portability:** Translation files, project data, and user data can be |
| 106 | + exported. |
| 107 | +- **No mandatory external AI provider:** Core Weblate workflows do not require |
| 108 | + external AI or machine-translation services. |
| 109 | +- **Configurable AI and machine translation:** Automatic suggestions can use |
| 110 | + third-party machine translation or LLM providers only when configured by an |
| 111 | + administrator or project owner. These services can receive source strings, |
| 112 | + translations, and related context, so their use should be reviewed against the |
| 113 | + customer's sovereignty and data-transfer requirements. |
| 114 | + |
| 115 | +Organizations that require AI processing to stay within a chosen jurisdiction |
| 116 | +can disable external machine-translation services or use a self-hosted provider |
| 117 | +such as LibreTranslate. |
| 118 | + |
| 119 | +.. seealso:: |
| 120 | + |
| 121 | + * :doc:`privacy-compliance` |
| 122 | + * :ref:`machine-translation-setup` |
| 123 | + * :ref:`docker-libretranslate` |
26 | 124 |
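Review bot: the closing paragraph on new lines 115-117 offers "a self-hosted provider such as LibreTranslate", but new lines 4-8 scope this page to services operated by Weblate s.r.o. Say whether a Hosted Weblate or dedicated-instance customer can point the service at their own LibreTranslate endpoint, or whether the option applies only when self-hosting Weblate. New lines 110-111 allow a project owner as well as an administrator to enable third-party providers, so also state whether an organization can restrict that.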
|
27 | 125 | Customer control |
28 | 126 | ---------------- |
29 | 127 |
|
30 | | -Customers retain full control over their data: |
31 | | -- Projects, translations, and user accounts can be exported or deleted at any time. |
32 | | -- External integrations are optional and fully configurable. |
33 | | -- Dedicated Weblate instances are available for organizations needing isolated or customized environments. |
| 128 | +Customers retain control over their Weblate data: |
| 129 | + |
| 130 | +- Project translation files can be downloaded from Weblate or synchronized back |
| 131 | + to the customer's repository. |
| 132 | +- User data can be exported and account removal can be requested as described in |
| 133 | + :doc:`privacy-compliance`. |
| 134 | +- External integrations, including code hosting, authentication, e-mail, |
| 135 | + backups, analytics, error reporting, and machine translation, are optional and |
| 136 | + should be configured according to the customer's transfer and processor |
| 137 | + requirements. |
| 138 | +- Dedicated Weblate instances are available for organizations needing stronger |
| 139 | + isolation or customized operational controls. |
| 140 | + |
| 141 | +Service legal documents |
| 142 | +----------------------- |
| 143 | + |
| 144 | +.. include:: /snippets/hosted-legal-documents.rst |
| 145 | + |
| 146 | +.. _Hetzner ISMS and data protection: https://www.hetzner.com/unternehmen/zertifizierung/ |
| 147 | +.. _Hetzner sustainability: https://www.hetzner.com/unternehmen/nachhaltigkeit/ |
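Review bot: new lines 132-133 say account removal "can be requested", the sovereignty bullet on new lines 59-60 says user data "can be exported or deleted", and the removed text on old line 31 said "at any time". Align the two new statements on whether deletion is self-service or on request. The included file /snippets/hosted-legal-documents.rst on new line 144 is not in this diff, so confirm it exists.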