# EU Data Sovereignty Requirements

## Overview

This skill operates under EU data sovereignty principles, ensuring all data remains within EU jurisdiction and complies with applicable regulations.

## Regulatory Framework

### GDPR (General Data Protection Regulation)

Key requirements for infrastructure operators:

1. **Data Residency** - Personal data of EU residents must be processed in compliance with GDPR, regardless of where processing occurs
2. **Legal Basis** - All data processing must have a valid legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests)
3. **Data Subject Rights** - Infrastructure must support the rights to access, rectification, erasure, portability, and objection
4. **Security** - Appropriate technical and organizational measures are required

### Schrems II Implications

Following the Court of Justice ruling (C-311/18):

- Standard Contractual Clauses alone may not be sufficient for US transfers
- Supplementary measures may be required
- Self-hosted EU infrastructure avoids many transfer concerns

## Implementation in This Skill

### Encryption

- **GPG Keys**: Generated and stored locally on EU infrastructure
- **No Cloud KMS**: Keys never leave the operator's control
- **Pass Store**: Encrypted at rest with local GPG keys

### Network Access

- **Cloudflare Tunnels**: Traffic routed through EU Cloudflare PoPs when possible
- **No Direct US Routing**: Configure Cloudflare region preferences
- **SSH Keys**: Ed25519 primary (modern, efficient)

### Data Storage

- **GitOps Repositories**: Stored on local EU infrastructure
- **Secrets**: Encrypted before storage, never in plaintext
- **Audit Logs**: Retained locally, not exported to non-EU services

## Jurisdiction

This skill is designed for operators in **Ireland (Dublin)** and assumes:

- Irish law applies as the primary jurisdiction
- Data Protection Commission (DPC) is the supervisory authority
- Irish implementation of GDPR applies

## Compliance Checklist

Before deploying infrastructure bootstrapped with this skill:

- [ ] Identify lawful basis for any personal data processing
- [ ] Document data flows and storage locations
- [ ] Implement appropriate access controls
- [ ] Establish incident response procedures
- [ ] Configure data retention policies
- [ ] Prepare for data subject requests

## References

- [GDPR Official Text](https://eur-lex.europa.eu/eli/reg/2016/679/oj)
- [DPC Guidance](https://www.dataprotection.ie/en/organisations)
- [EDPB Guidelines](https://edpb.europa.eu/our-work-tools/general-guidance_en)
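The Data Storage section requires that secrets are encrypted before they reach the GitOps repository and are never stored in plaintext. The following is an added example, not part of the skill, of a pre-commit style check that enforces that rule for a pass-style store: every file under the secrets directory must be an OpenPGP blob, either ASCII-armored or binary packets whose leading packet tag is one that can open an encrypted message (RFC 4880 section 4.3). The sample store contents are constructed for the example; the directory layout and the `secrets/` path are assumptions.

```python
"""Refuse to commit secret files that are not OpenPGP-encrypted.

Added example for the "Secrets: Encrypted before storage" rule; it is not
part of the skill.  It assumes a pass-style layout in which every file under
a secrets directory must be GPG ciphertext (binary packets or ASCII armor).
"""
from __future__ import annotations

import sys
from pathlib import Path

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"

# Packet tags that may legitimately begin an encrypted OpenPGP message:
# 1 = public-key encrypted session key, 3 = symmetric-key encrypted session key,
# 8 = compressed data, 9 = symmetrically encrypted data, 18 = SEIPD.
ENCRYPTED_LEADING_TAGS = {1, 3, 8, 9, 18}


def openpgp_leading_tag(first_byte: int) -> int | None:
    """Decode the packet tag from an OpenPGP packet header byte.

    Returns None when bit 7 is clear, i.e. the byte is not a packet header.
    """
    if not first_byte & 0x80:
        return None
    if first_byte & 0x40:  # new-format header: tag lives in the low 6 bits
        return first_byte & 0x3F
    return (first_byte >> 2) & 0x0F  # old-format header: tag in bits 2..5


def looks_openpgp_encrypted(data: bytes) -> bool:
    """Heuristic: True if the blob is ASCII-armored or binary OpenPGP ciphertext."""
    if data.lstrip().startswith(ARMOR_HEADER):
        return True
    if not data:
        return False
    # Binary ciphertext essentially never decodes as valid UTF-8.  If the blob
    # does decode, treat it as plaintext even when its first byte happens to
    # look like a packet header (a note beginning with "é" starts with 0xC3,
    # which would otherwise parse as a new-format tag 3 header).
    try:
        data.decode("utf-8")
        return False
    except UnicodeDecodeError:
        pass
    return openpgp_leading_tag(data[0]) in ENCRYPTED_LEADING_TAGS


def find_plaintext_secrets(files: dict[str, bytes]) -> list[str]:
    """Return the (sorted) paths whose contents are not OpenPGP-encrypted."""
    return sorted(path for path, blob in files.items() if not looks_openpgp_encrypted(blob))


def scan_directory(root: Path) -> list[str]:
    """Walk a secrets directory on disk and report files stored in plaintext."""
    files = {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}
    return find_plaintext_secrets(files)


# Constructed sample store (no real keys or secrets).  The first entry mimics a
# binary pass entry: old-format PKESK header 0x85, two-byte length, version 3,
# followed by filler bytes.  The third entry is a token that was committed
# unencrypted by mistake, which is exactly what the check must catch.
SAMPLE_STORE: dict[str, bytes] = {
    "db/postgres.gpg": bytes.fromhex("85010c03aabbccddeeff001101" + "9f" * 12),
    "infra/tunnel-token.gpg": ARMOR_HEADER + b"\n\nhQEMA0123456789abc\n-----END PGP MESSAGE-----\n",
    "web/api-key.gpg": b"hunter2\n",
    "notes/readme.txt": "é plaintext note about the store".encode("utf-8"),
}

if __name__ == "__main__":
    # Usage: python check_secrets.py secrets/   (exit status 1 if any plaintext found)
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    offending = scan_directory(root) if root else find_plaintext_secrets(SAMPLE_STORE)
    for path in offending:
        print(f"plaintext secret: {path}")
    sys.exit(1 if offending else 0)
```

Wired into a git pre-commit hook, the non-zero exit status blocks the commit, so a plaintext secret cannot reach the repository and later propagate to mirrors or CI runners outside the intended jurisdiction. The UTF-8 test is a heuristic rather than a full packet parser; a full parser would also validate the packet length fields.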