GreenClaims Manager and Data Protection: An overview of our infrastructure

GreenClaims Manager and Data Protection: An overview of our infrastructure

Why infrastructure is crucial for a compliance tool

A compliance tool that checks other parties’ communications for legal compliance is itself subject to increased scrutiny. If the tool’s own servers are located in the US, the product can, in principle, function, but this creates a dilemma for European customers. The US Cloud Act allows US authorities to access data stored on servers belonging to US providers, regardless of their physical location. EU-US data transfer agreements such as the EU-US Data Privacy Framework do not fundamentally alter this situation.

For a tool that processes potentially sensitive communication data, internal analyses and customer information, this represents a structural risk. We therefore opted for a consistently European infrastructure right from the start.

Our fundamental position

GreenClaims Manager runs on infrastructure that is located entirely in Germany and thus within the EU. We do not use any US cloud services to operate the platform, no AWS, no Microsoft Azure, no Google Cloud. No US CDNs are used for content delivery.

This is a deliberate decision: regardless of the EU–US data transfer agreement in force at any given time, we do not wish to be dependent on it. Political agreements change, as do legal interpretations, an infrastructure located entirely within the EU remains largely unaffected by such changes.

Our infrastructure, transparent

The GreenClaims Manager runs on dedicated servers at Hetzner Online GmbH, a German data centre operator with sites in Germany and Finland. Hetzner is subject to German and European law, not the US Cloud Act.

Server IP: 5.9.146.5

You can verify this yourself: a search on ipinfo.io or whois.com confirms Hetzner as the operator, based in Germany. Anyone wishing to verify independently that no US infrastructure is involved can do so using public tools.

All scan results, findings, compliance reports and user data are stored in encrypted form on these servers. There is no replication in US data centres.

What happens to your data during the website scan

Crawling on EU infrastructure

When you scan a domain, GreenClaims Manager crawls the publicly accessible pages of that domain. This crawling process runs on Hetzner’s infrastructure, the page content does not leave the European legal jurisdiction during this process.

Encrypted storage

The crawled content is analysed and the scan results are stored in encrypted form in Germany. Only you and the team members you have invited have access to your scan data. Platform administrators have no access to your content data.

Deletion options

You can delete scan data at any time. Upon request, we will export your data and remove it from the live systems after a defined period. Backups are retained for 30 days; after this period, backups are also permanently deleted.

Quick question: Try it for yourself, experience our German infrastructure

You have now read about where your data is stored and how the scanning process works. See for yourself: start a scan of your domain and watch the analysis run on Hetzner servers in Germany.

Check your own website now, free of charge...

Free · No credit card · Results in 10-15 min.

Moving on to the question of what is transmitted to external APIs during the claim evaluation:

Evaluation of individual claims: What is transmitted to external providers, and what isn’t

Why external APIs are used

For the algorithmic evaluation of individual environmental claims, we rely on external analysis APIs, specifically: OpenAI and Anthropic (Claude). These APIs specialise in pattern recognition in natural language text and achieve a level of precision that cannot be replicated by purely rule-based systems.

What is transferred

Only individual, isolated environmental claims, that is, the specific textual statement such as ‘100% climate-neutral’. These are passed to the analysis API without your company name, without URL context, and without surrounding content.

What is not transmitted

No complete page content, no entire documents, no page context, and no metadata relating to your domain. We deliberately transmit only the minimum required for the assessment.

No model training using your data

Both OpenAI and Anthropic have stipulated in their API Terms of Use and Data Processing Agreements that API data must not be used for model training. We have reviewed these agreements in advance and they form the basis of our use.

Data Processing Agreement (DPA)

If you use GreenClaims Manager in a business context, we will enter into a Data Processing Agreement with you in accordance with Article 28 of the GDPR. For Enterprise customers, we draw up bespoke Data Processing Agreements on request, tailored to internal compliance requirements.

GDPR-compliant, in concrete terms

“GDPR-compliant” is a claim that is often made but rarely specified. In concrete terms, this means the following for GreenClaims Manager:

  • Data minimisation (Article 5): We only collect data that is strictly necessary for the platform to function and for analysis.
  • Storage limitation (Art. 5): Scan data is deleted after 90 days, unless you configure otherwise.
  • Encryption (Art. 32): Data is encrypted at rest (AES-256) and in transit (TLS 1.3).
  • Right of access (Art. 15): You may request an export of your data at any time.
  • Right to erasure (Art. 17): You may request the erasure of your data, without giving any reason.

Data controller and contact details

The data controller within the meaning of the GDPR is Papoo Software & Media GmbH. You can contact our Data Protection Officer at datenschutz@greenclaimsmanager.com. We usually respond to specific enquiries regarding data processing within 5 working days.

Conclusion: Infrastructure as a compliance decision

For a compliance tool, infrastructure is not merely a technical detail, but an integral part of the service. US cloud infrastructure inherently entails exposure to the Cloud Act, and thus a risk that European customers need not bear. Our decision to use exclusively German servers hosted by Hetzner, to minimise data transfers to analytics APIs and to implement clear data deletion processes is not a marketing ploy, but a direct consequence of our product promise.

Frequently Asked Questions

Where are the servers physically located?

On Hetzner servers located in Germany (Frankfurt/Helsinki). The IP address 5.9.146.5 can be verified via public Whois services.

Is my scan data used for training models?

No. We neither use your data for our own model training nor do we allow our API providers (OpenAI, Anthropic) to use it for training. These arrangements are set out in our contracts.

Can I use the platform without making external API calls?

For Enterprise customers, we offer a configuration that uses rule-based analysis exclusively, without any external API calls. The detection accuracy is lower for certain patterns, but sufficient for many use cases. Please get in touch with us.

What happens if I delete my account?

We will delete all your data from the live systems within 30 days. Backups will be overwritten after a further 30 days. You can export your data in advance, we provide your data in machine-readable JSON format.

Disclaimer

This article describes our technical infrastructure and internal policies. It does not constitute legal advice. For a legal assessment of your specific situation, we recommend consulting a solicitor specialising in data protection law.


Back to top