A compliance tool that checks other parties’ communications for legal compliance is itself subject to increased scrutiny. If the tool’s own servers are located in the US, the product can, in principle, function, but this creates a dilemma for European customers. The US Cloud Act allows US authorities to access data stored on servers belonging to US providers, regardless of their physical location. EU-US data transfer agreements such as the EU-US Data Privacy Framework do not fundamentally alter this situation.
For a tool that processes potentially sensitive communication data, internal analyses and customer information, this represents a structural risk. We therefore opted for a consistently European infrastructure right from the start.
GreenClaims Manager runs on infrastructure that is located entirely in Germany and thus within the EU. We do not use any US cloud services to operate the platform, no AWS, no Microsoft Azure, no Google Cloud. No US CDNs are used for content delivery.
This is a deliberate decision: regardless of the EU–US data transfer agreement in force at any given time, we do not wish to be dependent on it. Political agreements change, as do legal interpretations, an infrastructure located entirely within the EU remains largely unaffected by such changes.
The GreenClaims Manager runs on dedicated servers at Hetzner Online GmbH, a German data centre operator with sites in Germany and Finland. Hetzner is subject to German and European law, not the US Cloud Act.
Server IP: 5.9.146.5
You can verify this yourself: a search on ipinfo.io or whois.com confirms Hetzner as the operator, based in Germany. Anyone wishing to verify independently that no US infrastructure is involved can do so using public tools.
All scan results, findings, compliance reports and user data are stored in encrypted form on these servers. There is no replication in US data centres.
When you scan a domain, GreenClaims Manager crawls the publicly accessible pages of that domain. This crawling process runs on Hetzner’s infrastructure, the page content does not leave the European legal jurisdiction during this process.
The crawled content is analysed and the scan results are stored in encrypted form in Germany. Only you and the team members you have invited have access to your scan data. Platform administrators have no access to your content data.
You can delete scan data at any time. Upon request, we will export your data and remove it from the live systems after a defined period. Backups are retained for 30 days; after this period, backups are also permanently deleted.
You have now read about where your data is stored and how the scanning process works. See for yourself: start a scan of your domain and watch the analysis run on Hetzner servers in Germany.
Check your own website now, free of charge...
Free · No credit card · Results in 10-15 min.
Moving on to the question of what is transmitted to external APIs during the claim evaluation:
For the algorithmic evaluation of individual environmental claims, we rely on external analysis APIs, specifically: OpenAI and Anthropic (Claude). These APIs specialise in pattern recognition in natural language text and achieve a level of precision that cannot be replicated by purely rule-based systems.
Only individual, isolated environmental claims, that is, the specific textual statement such as ‘100% climate-neutral’. These are passed to the analysis API without your company name, without URL context, and without surrounding content.
No complete page content, no entire documents, no page context, and no metadata relating to your domain. We deliberately transmit only the minimum required for the assessment.
Both OpenAI and Anthropic have stipulated in their API Terms of Use and Data Processing Agreements that API data must not be used for model training. We have reviewed these agreements in advance and they form the basis of our use.
If you use GreenClaims Manager in a business context, we will enter into a Data Processing Agreement with you in accordance with Article 28 of the GDPR. For Enterprise customers, we draw up bespoke Data Processing Agreements on request, tailored to internal compliance requirements.
“GDPR-compliant” is a claim that is often made but rarely specified. In concrete terms, this means the following for GreenClaims Manager:
The data controller within the meaning of the GDPR is Papoo Software & Media GmbH. You can contact our Data Protection Officer at datenschutz@greenclaimsmanager.com. We usually respond to specific enquiries regarding data processing within 5 working days.
For a compliance tool, infrastructure is not merely a technical detail, but an integral part of the service. US cloud infrastructure inherently entails exposure to the Cloud Act, and thus a risk that European customers need not bear. Our decision to use exclusively German servers hosted by Hetzner, to minimise data transfers to analytics APIs and to implement clear data deletion processes is not a marketing ploy, but a direct consequence of our product promise.
On Hetzner servers located in Germany (Frankfurt/Helsinki). The IP address 5.9.146.5 can be verified via public Whois services.
No. We neither use your data for our own model training nor do we allow our API providers (OpenAI, Anthropic) to use it for training. These arrangements are set out in our contracts.
For Enterprise customers, we offer a configuration that uses rule-based analysis exclusively, without any external API calls. The detection accuracy is lower for certain patterns, but sufficient for many use cases. Please get in touch with us.
We will delete all your data from the live systems within 30 days. Backups will be overwritten after a further 30 days. You can export your data in advance, we provide your data in machine-readable JSON format.
This article describes our technical infrastructure and internal policies. It does not constitute legal advice. For a legal assessment of your specific situation, we recommend consulting a solicitor specialising in data protection law.