Cortecs
GDPR Compliance
Data Handling
Cortecs states that data is processed entirely within Europe and that customers can route only to zero-data-retention endpoints. However, its privacy policy and DPA list inference sub-processors including Microsoft Ireland Operations Limited, Google Cloud EMEA Limited, and Amazon Web Services EMEA SARL with processing location(s) in the EEA and transfer basis listed as the EU-US Data Privacy Framework. The docs also show customers can configure routing to specific providers, including Beta providers, so EU-only inference depends on routing configuration rather than an unconditional platform-wide guarantee.
Cortecs says prompts and completions are processed only in volatile memory and are not written to persistent storage; once the API response is returned, payload data is immediately discarded from Cortecs infrastructure. System logs retain only operational metadata such as timestamps, token counts, and error codes. Upstream provider retention may still apply unless the customer enables Zero Data Retention routing.
Cortecs states customer data is never used for model training. The customer can configure routing to providers with Zero Data Retention and is responsible for avoiding providers whose retention policies do not meet compliance requirements.
Certifications & EU AI Act
No certifications disclosed.
Cortecs' Code of Conduct states it is not to be qualified as a provider within the meaning of Art. 3 no. 3 AI Act because it offers a routing service and does not develop, market, operate under its own name, or substantially modify general-purpose AI models.
Verification
Cortecs provides a public privacy policy, public Art. 28 GDPR DPA, and a public sub-processor disclosure. Its own materials strongly emphasize EU residency and no training, but the primary documents show that inference can involve EEA entities using the EU-US Data Privacy Framework and that compliance depends on customer routing choices, especially for zero-retention/EU-constrained operation.