vaultsovereign/vm-skills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
eac77ef7b4b5a87f0a35a1181dacb4013b09b996
vm-skills/operator-bootstrap/references/eu_data_sovereignty.md
Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection 
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00

70 lines
2.5 KiB
Markdown
Raw Blame History

# EU Data Sovereignty Requirements
## Overview
This skill operates under EU data sovereignty principles, ensuring all data remains within EU jurisdiction and complies with applicable regulations.
## Regulatory Framework
### GDPR (General Data Protection Regulation)
Key requirements for infrastructure operators:
1. **Data Residency** - Personal data of EU residents must be processed in compliance with GDPR, regardless of where processing occurs
2. **Legal Basis** - All data processing must have a valid legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests)
3. **Data Subject Rights** - Infrastructure must support right to access, rectification, erasure, portability, and objection
4. **Security** - Appropriate technical and organizational measures required
### Schrems II Implications
Following the Court of Justice ruling (C-311/18):
- Standard Contractual Clauses alone may not be sufficient for US transfers
- Supplementary measures may be required
- Self-hosted EU infrastructure avoids many transfer concerns
## Implementation in This Skill
### Encryption
- **GPG Keys**: Generated and stored locally on EU infrastructure
- **No Cloud KMS**: Keys never leave the operator's control
- **Pass Store**: Encrypted at rest with local GPG keys
### Network Access
- **Cloudflare Tunnels**: Traffic routed through EU Cloudflare PoPs when possible
- **No Direct US Routing**: Configure Cloudflare region preferences
- **SSH Keys**: Ed25519 primary (modern, efficient)
### Data Storage
- **GitOps Repositories**: Stored on local EU infrastructure
- **Secrets**: Encrypted before storage, never in plaintext
- **Audit Logs**: Retained locally, not exported to non-EU services
## Jurisdiction
This skill is designed for operators in **Ireland (Dublin)** and assumes:
- Irish law applies as the primary jurisdiction
- Data Protection Commission (DPC) is the supervisory authority
- Irish implementation of GDPR applies
## Compliance Checklist
Before deploying infrastructure bootstrapped with this skill:
- [ ] Identify lawful basis for any personal data processing
- [ ] Document data flows and storage locations
- [ ] Implement appropriate access controls
- [ ] Establish incident response procedures
- [ ] Configure data retention policies
- [ ] Prepare for data subject requests
## References
- [GDPR Official Text](https://eur-lex.europa.eu/eli/reg/2016/679/oj)
- [DPC Guidance](https://www.dataprotection.ie/en/organisations)
- [EDPB Guidelines](https://edpb.europa.eu/our-work-tools/general-guidance_en)
Reference in New Issue View Git Blame Copy Permalink