Most internal tools inherit their jurisdiction by accident. A team reaches for the fastest SaaS to hand, the data lands wherever that vendor happens to run, and a year later someone in legal is asking where the customer records actually live — and getting an uncomfortable answer. For a growth-stage company operating under GDPR, and increasingly under NIS2 and the EU AI Act, that accident is a liability waiting for an audit.
NordOps builds the other way around. When I build custom operational software, EU data residency is fixed before a single table is designed. The runtime and the source both sit in Germany, under EU jurisdiction, with no US legal exposure by construction. You do not retrofit compliance onto a system that was architected somewhere else — you start there.
Data residency as a design requirement, not a retrofit
There is a real difference between software that happens to run in Europe and software that was designed to. The first kind can be moved, re-pointed, or quietly re-hosted the next time a vendor changes its infrastructure. The second kind treats the location of your data as part of the specification — something the architecture guarantees rather than something a settings page promises.
For GDPR-compliant custom internal tools in the EU, that distinction shows up in the boring, load-bearing details:
- Where records rest. Every store — database, file storage, backups, logs — is provisioned inside the EU from the start, not migrated later.
- Where processing happens. Background jobs, AI-assisted steps, and integrations run in-region, so data does not quietly leave the bloc to be processed elsewhere.
- Who has jurisdiction. Hosting in Germany means EU law governs the infrastructure, with no US jurisdiction reaching into the runtime or the source.
Because these are decisions made at design time, they hold up when someone finally asks the hard question. Data residency for custom operational software in Europe stops being a hopeful assertion and becomes a property of the system you can point to.
Source and runtime in Germany, no US jurisdiction
Both halves of the build live in the EU. The runtime — the servers your team actually uses day to day — runs in Germany. The source code — the repository, the build pipeline, the record of exactly what the software does — is hosted in the EU too. Neither is exposed to US jurisdiction, and neither depends on a US-owned platform sitting silently in the path.
That matters because residency is only as strong as its weakest link. It is not enough for the database to be in Frankfurt if the deployment pipeline, the error logs, or an embedded third-party service reach across the Atlantic. EU-hosted custom business software has to be EU-hosted all the way down — and a build kept small enough to own is a build small enough to verify that it is.
A penetration test and report is included with every build module — so the security posture of your EU-hosted system is documented, not assumed.
What handoff looks like — you choose the destination
Owning the software means owning where it lives. Every engagement transfers full source-code ownership to you, and with it the freedom to decide the destination. There is no lock-in, no subscription, and no dependency on NordOps continuing to host anything.
At handoff you can:
- Keep it where it runs — leave the runtime in Germany and carry on, with the source now fully in your hands.
- Move it into your own EU tenancy — deploy the transferred source onto your own infrastructure, still inside the EU, under your own accounts.
- Take it anywhere you are entitled to — the code is yours; the residency choice becomes yours to make and re-make as your obligations evolve.
The foundation of every build — the Admin Portal and Processor, bundled as one build module — ships with the same ownership terms as everything scoped on top of it. You are never renting the thing your operation depends on.
Regulatory fluency is deployment expertise — not compliance consulting
One clarification, said plainly: NordOps is not a compliance-consulting service, and this is not legal advice. I do not audit your GDPR programme, write your NIS2 policies, or sign off on your EU AI Act posture. That work belongs with your counsel and your data-protection lead.
What I bring is deployment expertise — the fluency to build software that sits comfortably inside those regimes because the residency, the data flows, and the jurisdiction were engineering decisions from the beginning. The distinction is the difference between advising you on the rules and building software that already respects them. My job is to make sure the tool you own is one your compliance function can defend, not one they have to explain away.
When EU-hosted custom business software is designed this way — residency first, source and runtime in Germany, ownership transferred outright — data residency stops being a recurring worry and becomes a settled fact about how your operation runs.