Your data does not leave the region you pinned.
Region routing is enforced in code, not in a policy PDF. We sign your DPA, your BAA, and your sovereign-cloud agreement on our paper. The contracts your Legal team asks for, in the regions your compliance team requires.
BAA
HIPAA §164.504(e)-compliant Business Associate Agreement. In-scope on Dedicated for healthcare.
Request the BAA →India DPDPA
Addendum aligned with India's Digital Personal Data Protection Act obligations.
Request the addendum →Sovereign-cloud
Template agreement for EU regulated buyers requiring sovereign-cloud guarantees.
Request the template →Three regions. Strict residency. No silent failover.
Each region is a separate control plane with its own model serving fleet, its own metering pipeline, and its own data path. A US request never touches EU disks. An EU request never touches India disks. If a region is degraded, requests pinned to that region return errors rather than failing over silently.
Northern Virginia · Phoenix
api.us.clusterbid.eu
All 6 launch models incl. Hermes-3 (beta)
Inference API · Dedicated · Fine-Tuning
DPA · BAA · CCPA addendum
Frankfurt am Main
api.eu.clusterbid.eu
5 launch models · Hermes-3 in Phase 2
Inference API · Dedicated · Fine-Tuning
GDPR · DPA · sovereign-cloud agreement template
Mumbai (Maharashtra)
api.in.clusterbid.eu
5 launch models · Hermes-3 in Phase 2
Inference API · Dedicated · Fine-Tuning
DPDPA addendum · DPA
What we have. What's in flight. What we'll never claim.
We do not list certifications we have not started. Current state below — refresh date in the trust center.
| Item | Status | Detail |
|---|---|---|
| SOC 2 Type I | in progress | Readiness assessment in flight. Audit period opens Q3. |
| SOC 2 Type II | audit Q4 | Audit period opens after Type I; report ~Q1 next year. |
| GDPR | compliant | Article 28 DPA on our paper. SCCs annex bundled. Frankfurt-resident control plane. |
| HIPAA | BAA available | Section 164.504(e)-compliant BAA. In-scope on Dedicated for healthcare workloads. |
| India DPDPA | addendum available | Aligned with data fiduciary obligations. Mumbai-resident control plane for IN. |
| EU AI Act | see whitepaper | GPAI obligations + downstream provider mapping in the security whitepaper. |
Three ways your security team can verify us.
Customer-led penetration testing
Permitted on Dedicated deployments, scoped via Letter of Authorization. Pen-test runbook on request.
Annual SOC 2 report sharing
Under NDA, sent within 5 business days of audit completion. Subscribe via support@clusterbid.eu.
Custom audit on request
ACV $500K+ contracts get a custom audit pack — sub-processor diligence, encryption-at-rest evidence, BCP/DR test results.
Most sovereignty conversations are 30 minutes.
Bring your Legal counsel and your CISO. We bring the DPA, the sub-processor list, and the control plane architecture. No NDA needed for the first call.