vaultsovereign/vm-skills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
009e93a80b3c58bbfaa2ceb153e3fba32a6efc3c
vm-skills/operator-bootstrap/references/eu_data_sovereignty.md
Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection 
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00

2.5 KiB
Raw Blame History

EU Data Sovereignty Requirements

Overview

This skill operates under EU data sovereignty principles, ensuring all data remains within EU jurisdiction and complies with applicable regulations.

Regulatory Framework

GDPR (General Data Protection Regulation)

Key requirements for infrastructure operators:

  1. Data Residency - Personal data of EU residents must be processed in compliance with GDPR, regardless of where processing occurs
  2. Legal Basis - All data processing must have a valid legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests)
  3. Data Subject Rights - Infrastructure must support right to access, rectification, erasure, portability, and objection
  4. Security - Appropriate technical and organizational measures required

Schrems II Implications

Following the Court of Justice ruling (C-311/18):

  • Standard Contractual Clauses alone may not be sufficient for US transfers
  • Supplementary measures may be required
  • Self-hosted EU infrastructure avoids many transfer concerns

Implementation in This Skill

Encryption

  • GPG Keys: Generated and stored locally on EU infrastructure
  • No Cloud KMS: Keys never leave the operator's control
  • Pass Store: Encrypted at rest with local GPG keys

Network Access

  • Cloudflare Tunnels: Traffic routed through EU Cloudflare PoPs when possible
  • No Direct US Routing: Configure Cloudflare region preferences
  • SSH Keys: Ed25519 primary (modern, efficient)

Data Storage

  • GitOps Repositories: Stored on local EU infrastructure
  • Secrets: Encrypted before storage, never in plaintext
  • Audit Logs: Retained locally, not exported to non-EU services

Jurisdiction

This skill is designed for operators in Ireland (Dublin) and assumes:

  • Irish law applies as the primary jurisdiction
  • Data Protection Commission (DPC) is the supervisory authority
  • Irish implementation of GDPR applies

Compliance Checklist

Before deploying infrastructure bootstrapped with this skill:

  • Identify lawful basis for any personal data processing
  • Document data flows and storage locations
  • Implement appropriate access controls
  • Establish incident response procedures
  • Configure data retention policies
  • Prepare for data subject requests

References

Reference in New Issue View Git Blame Copy Permalink