Splat Labs Enterprise customers operating in the European market can now store and process all geospatial data entirely within the EU. Every Gaussian Splat, point cloud, 3D model, annotation, and attached document — both at rest and in transit — stays within European borders, hosted on AWS infrastructure in Frankfurt, Germany (eu-central-1).
This is not partial localization. It is not metadata-in-the-US-with-files-in-Europe. It is complete, end-to-end data localization: upload, processing, storage, delivery, and encryption — all within the EU, on infrastructure governed by GDPR and the full stack of European data protection regulations.
For European construction firms, government agencies, surveyors, utilities, and any organization handling geospatial data about EU infrastructure or citizens, this eliminates the compliance friction of cross-border data transfers and the legal risk created by the US CLOUD Act.
The European 3D Data Boom
Europe's construction sector employs approximately 18 million people and generates nearly 9% of EU GDP. The European BIM market was valued at $2.44 billion in 2025 and is projected to reach $3.78 billion by 2030, growing at a 9.2% CAGR. Germany is expected to hold the largest share and register the fastest growth at 12.9% CAGR.
BIM mandates are accelerating across member states:
| Country | BIM Status |
|---|---|
| UK | Mandated BIM Level 2 for all centrally procured public projects since 2016; progressing toward BIM Level 3 |
| Italy | BIM mandatory for all public works exceeding €1 million since January 1, 2025 |
| Germany | BIM Deutschland guides digital transformation of public infrastructure; fastest-growing BIM market in Europe |
| Norway | Mandated BIM for public projects since 2010; one of the earliest adopters globally |
| Austria & Netherlands | Only EU member states with an Open BIM standard mandate |
| Spain | National BIM strategy released in 2023; increasingly required for large-scale infrastructure |
| France | 38% of construction companies report BIM use; government procurement increasingly requires it |
| Finland & Estonia | Leading in digital building permits and property registries |
The shift to 3D is producing massive volumes of geospatial data. Drones are routinely used for surveying across EU construction. 3D scanning and reality capture are identified as key growth areas. Digital twin adoption is accelerating, with the EU's new Construction Products Regulation mandating Digital Product Passports for construction materials. Cloud-based Common Data Environments are becoming essential for BIM compliance.
All of this data needs to be stored somewhere. And increasingly, EU regulations are making it clear that "somewhere" should be within the EU.
The EU Regulatory Stack
The EU has the most complex and layered data protection framework in the world. For a SaaS platform hosting geospatial data, multiple regulations interact simultaneously. Understanding this stack is essential for any organization handling 3D data in Europe.
GDPR — The Foundation
The General Data Protection Regulation, effective since May 2018, is the foundation of EU data protection. GDPR does not explicitly mandate data localization — but it creates enormous practical pressure to store data within the EEA.
Any transfer of personal data outside the EEA triggers Chapter V (Articles 44-50), requiring adequacy decisions, Standard Contractual Clauses (SCCs), or other approved mechanisms. The 2020 Schrems II ruling invalidated the EU-US Privacy Shield, finding US surveillance laws incompatible with EU fundamental rights. Organizations must conduct Transfer Impact Assessments (TIAs) for any cross-border transfer and reassess them regularly.
The enforcement numbers tell the story:
- Fines up to €20 million or 4% of global annual turnover, whichever is greater
- Meta fined €1.2 billion in 2023 for improper EU-to-US data transfers — the largest GDPR fine on record
- TikTok fined €530 million in 2025 for unlawfully transferring EU user data to China
- GDPR fines for cross-border transfer violations increased 18% year-over-year (2025 DLA Piper report)
- Average GDPR compliance costs €1.3 million annually for mid-sized firms, with data localization expenses accounting for 60% of budgets
The practical reality is straightforward: keeping data within the EEA under EU jurisdiction is by far the easiest and safest compliance path, especially for regulated sectors.
EU Data Act (Fully Applicable Since September 2025)
The EU Data Act adds a new layer of obligations for cloud service providers:
- Mandates data portability and interoperability for cloud services, including metadata and version history
- Requires providers to implement safeguards preventing third-country access to non-personal data stored in the EU if such access would violate EU or member state law
- Data can only be disclosed to foreign authorities under an international agreement or bilateral arrangement with a member state
- Customers can initiate a provider switch on two months' notice, with transitions completing within 30 days
- Cloud switching charges to be eliminated from January 2027
NIS2 Directive (Network and Information Security)
The NIS2 Directive applies to "essential entities" (energy, transport, healthcare, digital infrastructure, finance) and "important entities" (manufacturing, postal services, waste management, chemicals, digital services). As of mid-2025, only 14 of 27 member states have fully transposed NIS2 into national law.
Key requirements:
- Risk assessment, incident response and reporting, vendor supply chain risk management, vulnerability management, and encryption
- Board-level accountability — NIS2 allows for personal liability of management bodies for infringements
- Manufacturing sector is now covered, including electric equipment, machinery, and motor vehicles
- Construction supporting critical infrastructure falls within NIS2's broader scope — directly relevant for Splat Labs customers scanning bridges, power plants, and transport infrastructure
DORA (Digital Operational Resilience Act)
Fully applicable since January 17, 2025, DORA applies to financial entities (banks, insurance companies, investment firms, FinTechs) and their IT service providers:
- Requires resilience, exit strategies, multi-vendor survivability, and continuity under failure
- Article 28 mandates specific contractual provisions with all critical ICT providers: audit rights, data access guarantees, and incident support obligations
- Within the financial sector, DORA takes precedence over NIS2 where they overlap
This matters for Splat Labs because financial institutions — banks, REITs, investment firms — are increasingly using 3D scanning for property valuation, asset management, and real estate portfolio due diligence. If their 3D data platform is classified as a critical ICT provider, DORA requirements apply.
EU AI Act (Full Application: August 2, 2026)
- Penalties reaching 7% of global annual turnover for high-risk AI system violations
- High-risk AI systems must operate entirely under EU jurisdiction, including training pipelines, inference environments, logs, telemetry, and metadata
- Directly relevant as Splat Labs adds AI features — AI Scene Redesign, automated processing, and AI-driven 3D analysis. Any AI processing of EU-hosted data stays within EU infrastructure.
EU Cloud Sovereignty Framework (Published October 2025)
The European Commission defined eight sovereignty objectives for EU institutions procuring cloud services:
- Parties must agree on service and data-processing locations upfront, with prior notice required for any change — creating de facto localization requirements
- Non-European cloud use by EU institutions has sparked sovereignty debates, with concerns about foreign interference running particularly high in the public sector
- Despite additional safeguards, non-European providers can still perform services, but under increasingly strict conditions
European Health Data Space (EHDS)
Regulation (EU) 2025/327 allows EU member states to require that health data be stored and processed exclusively within the EU. Relevant for Splat Labs customers using 3D scanning in healthcare facility management, hospital renovation, or health infrastructure projects.
The CLOUD Act — The Elephant in the Room
This deserves its own section because it is the single most frequently cited reason EU organizations are moving data to EU-controlled infrastructure.
What the CLOUD Act Does
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, passed in 2018, allows US law enforcement to compel any company under US jurisdiction to provide data in its possession, custody, or control — regardless of where that data is physically stored. If data sits on AWS Frankfurt servers but the provider is a US-headquartered company, the CLOUD Act can still apply.
The Conflict with GDPR
GDPR Article 48 states that foreign court judgments requiring data transfer are only recognized if based on an international agreement (like a Mutual Legal Assistance Treaty). The CLOUD Act bypasses this mechanism, creating a direct conflict between US and EU law.
This is not theoretical. In September 2025, an Ontario Court of Justice ruled that French cloud provider OVH's Canadian subsidiary must hand over data stored by its group entities outside Canada, even though OVH argued this would breach French law. Extraterritorial data demands are being actively enforced.
What This Means for Splat Labs Customers
AWS is a US-headquartered company, and this is a legitimate concern. However, data stored in eu-central-1 (Frankfurt) benefits from multiple layers of protection:
- AWS's GDPR-compliant Data Processing Agreement with specific commitments about data handling
- AWS Nitro System — hardware-enforced security boundary that prevents anyone, including AWS employees, from accessing customer data
- Customer-managed encryption keys via AWS KMS — even if compelled, encrypted data cannot be decrypted without the customer's key
- AWS's Digital Sovereignty Pledge — commitment that customer data will not be accessed
- Germany's C5 attestation (BSI Cloud Computing Compliance Criteria Catalogue) — the strictest cloud security standard in Europe
For the most sensitive use cases, customer-managed encryption keys provide the strongest safeguard: the data is physically in the EU, encrypted with a key only the customer controls, and the cloud provider cannot decrypt it even under compulsion.
The bottom line: Storing data in the EU on AWS Frankfurt is a massive step forward versus storing it in the US. For organizations requiring the highest level of sovereignty, layering customer-managed encryption on top of EU storage provides defense-in-depth against extraterritorial access. And for customers who need a fully EU-controlled stack, AWS's European Sovereign Cloud — operated exclusively by EU residents within EU corporate structures — is available as an additional option.
Why Geospatial Data Gets Special Attention in the EU
Infrastructure as Critical Data
EU member states classify infrastructure data with varying levels of sensitivity, and much of it falls squarely within NIS2's essential entity provisions:
- Critical infrastructure mapping — power plants, water treatment facilities, telecom networks, and transport hubs are covered by NIS2's essential entity category
- Government facilities — 3D scans of EU government buildings, military installations, and diplomatic facilities are treated as sensitive by member state security frameworks
- Transport infrastructure — highway, rail, bridge, and tunnel scans captured under BIM mandates contain vulnerability data; the EU's transport sector is explicitly covered by NIS2
- Utility networks — energy infrastructure is the first sector listed in NIS2's essential entity category
- Urban environments — as EU cities build digital twins (Barcelona, Helsinki, Vienna, Munich, Amsterdam), detailed 3D models of urban infrastructure become increasingly sensitive
The INSPIRE Directive and EU Geospatial Governance
The EU has a long-standing framework for geospatial data through the INSPIRE Directive (2007/2/EC), which established an EU spatial data infrastructure for environmental policy. INSPIRE requires EU member states to share spatial data sets across borders using common standards — but the data itself remains within member state control. The EU treats geospatial data as a governance asset with specific sovereignty implications.
The 97% Problem
An estimated 97% of Europe's cloud infrastructure market is dominated by non-European providers — primarily US hyperscalers. This statistic has become a rallying point for EU policymakers and is driving the sovereign cloud movement. For organizations handling sensitive geospatial data — construction firms working on government infrastructure, utilities mapping critical networks, surveyors documenting public works — the question of who controls the underlying cloud infrastructure is increasingly scrutinized in procurement decisions.
This is the gap Splat Labs addresses: enterprise-grade 3D data hosting on cloud infrastructure that is physically located in the EU, encrypted with region-bound keys, and compliant with the full regulatory stack.
AWS Infrastructure in Europe
Splat Labs' EU data localization is built on AWS Frankfurt — Europe's most established cloud region, located in the continent's primary financial and internet exchange hub.
Splat Labs Primary EU Region: Frankfurt (eu-central-1)
- Location: Frankfurt metropolitan area, state of Hesse, Germany
- Availability Zones: 3 for high availability and redundancy
- Why Frankfurt: Germany has the strongest data protection tradition in Europe, predating GDPR by decades. Frankfurt is home to DE-CIX, the world's largest internet exchange by peak traffic, and serves as Europe's primary financial center.
- Investment: AWS has invested €7.8 billion in its European Sovereign Cloud, with the first region in Brandenburg, Germany — complementing the existing Frankfurt infrastructure
Additional EU Regions Available
Splat Labs Enterprise customers can select any EU AWS region based on their specific compliance or latency requirements:
| Region Code | Location | Primary Use Case |
|---|---|---|
eu-central-1 | Frankfurt, Germany | Default for EU customers — strongest data protection, financial hub |
eu-west-1 | Ireland | High availability, established infrastructure |
eu-west-2 | London, UK | UK data residency (EU adequacy decision in place) |
eu-west-3 | Paris, France | French market, CNIL compliance |
eu-north-1 | Stockholm, Sweden | Nordic market, renewable energy powered |
eu-south-1 | Milan, Italy | Southern European market, Italian BIM mandate |
eu-south-2 | Spain | Iberian market, growing BIM adoption |
eu-central-2 | Zurich, Switzerland | Swiss market (EU adequacy decision in place) |
eusc-de-east-1 | Brandenburg, Germany | AWS European Sovereign Cloud — EU-only operation |
The AWS European Sovereign Cloud
AWS launched its European Sovereign Cloud in Brandenburg, Germany in December 2025 (eusc-de-east-1). This is not just another region — it is a completely separate, independent infrastructure:
- Operated exclusively by EU residents located in the EU
- Strict residency for customer data and all customer-created metadata
- Independent EU corporate structures
- Dedicated EU trust and certificate services
- Incident response operated entirely within the EU
- Named as a Leader in the ISG Provider Lens Quadrant for Sovereign Cloud Infrastructure Services (EU) for three consecutive years
For Splat Labs Enterprise customers requiring the highest level of EU sovereignty, the European Sovereign Cloud is available as a deployment option.
AWS GDPR Compliance Features Splat Labs Leverages
- GDPR-compliant Data Processing Agreement (DPA) for all customers
- AWS Nitro System — hardware-enforced security boundary; nobody, including AWS employees, can access customer data
- S3 Server-Side Encryption — AES-256 encryption at rest by default
- AWS KMS — customer-managed encryption keys that never leave the selected region
- AWS Control Tower — preventative, detective, and proactive controls for data residency
- VPC Endpoints for S3 — data access without traversing the public internet
- AWS CloudTrail — full API activity audit logging
- S3 Object Lock — immutable storage for compliance retention
- ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3 certifications
- C5 attestation — German BSI Cloud Computing Compliance Criteria Catalogue
Data at Rest and Data in Motion — Both Stay in the EU
Full data localization means addressing both states of data. Many platforms claim "data residency" but only control where files are stored — not where they are processed, cached, or transmitted through. Splat Labs controls both.
Data at Rest
All 3D assets — Gaussian Splats, point clouds, textures, metadata, annotations, attached documents (PDFs, images, videos), and user-generated content — are stored in AWS S3 buckets within eu-central-1 (Frankfurt). Every object is encrypted at rest with AES-256 server-side encryption. AWS KMS encryption keys are region-bound and never leave the EU.
Optional customer-managed encryption keys via AWS KMS provide an additional layer of control: even if a foreign authority compels access to encrypted data, it cannot be decrypted without the customer's key.
Data in Motion
All uploads, downloads, streaming, viewer access, and inter-service communication transit through AWS EU infrastructure, encrypted with TLS 1.2+. Processing workloads — Gaussian Splat optimization, thumbnail generation, annotation indexing — execute within the EU region. No data leaves the EU for processing, conversion, or optimization.
When a user in Berlin views a Gaussian Splat, the data streams from AWS Frankfurt directly to their browser over TLS. No intermediate hops through US data centers. No temporary caching in non-EU CDN nodes. The transit path stays within European network infrastructure.
Why Both States Matter for GDPR
GDPR's cross-border transfer restrictions apply to any movement of personal data outside the EEA — including temporary processing, caching, or routing. A platform that stores data in Frankfurt but processes it in Virginia has not achieved data localization. A platform that stores and processes in the EU but routes viewer traffic through US CDN nodes has a compliance gap.
Splat Labs closes both gaps. Storage, processing, and delivery all operate within the EU.
Competitive Landscape in Europe
Most competing platforms in the 3D geospatial space do not explicitly offer EU-specific regional storage as a featured capability:
| Platform | 3D/Splat Focus | EU Data Localization | Notes |
|---|---|---|---|
| Cintoo | Point cloud management | European HQ (France) | Advantage of EU headquarters, but federated regional storage not a marketed feature |
| Trimble Connect | BIM collaboration | Not prominently featured | US-headquartered; 30M+ users but data sovereignty controls not marketed |
| Autodesk Construction Cloud | BIM/construction | Some EU options for enterprise | US-headquartered; EU data center options exist for enterprise contracts but not self-service |
| Euclideon udCloud | Unlimited Detail rendering | Not prominently marketed | Australian-headquartered; uses Microsoft Azure |
| Esri ArcGIS | GIS-focused, not Gaussian Splat | Partial (Azure EU available) | Dominant GIS platform but not purpose-built for photorealistic 3D |
| Splat Labs | Purpose-built for Gaussian Splats and 3D models | Full — data at rest and in transit | Only platform combining Gaussian Splat hosting + full EU data localization + enterprise security |
Splat Labs fills a specific gap: the only platform purpose-built for Gaussian Splat 3D models that offers complete data localization in the EU — all data at rest and in transit stays within European borders, hosted on AWS Frankfurt, with AES-256 encryption, TLS protection, and optional customer-managed keys.
Key Statistics Quick Reference
| Fact | Detail |
|---|---|
| Splat Labs EU region | AWS Frankfurt (eu-central-1) |
| Data at rest encryption | AES-256 with region-bound KMS keys |
| Data in transit encryption | TLS 1.2+ |
| Cross-border data transfer | None — all storage, processing, and delivery within the EU |
| Maximum GDPR fine | €20 million or 4% of global annual turnover |
| Largest GDPR fine on record | €1.2 billion (Meta, 2023 — cross-border transfer) |
| EU cloud market from non-EU providers | 97% |
| AWS European Sovereign Cloud investment | €7.8 billion |
| EU BIM market (2025) | $2.44 billion |
| EU BIM market (2030 projected) | $3.78 billion |
| EU construction employment | 18 million people |
| EU construction share of GDP | ~9% |
| NIS2 transposition status | 14 of 27 member states (mid-2025) |
| GDPR breach notification deadline | 72 hours |
| EU AI Act max penalty | 7% of global annual turnover |
| Cloud switching charges eliminated | January 2027 (EU Data Act) |
Who This Is For
Splat Labs EU is built for organizations that:
- Operate under GDPR and need to eliminate cross-border data transfer friction and legal risk
- Work on European government infrastructure projects subject to national BIM mandates and NIS2 requirements
- Handle 3D scans of critical infrastructure — energy, transport, telecommunications, water — where data sovereignty is a procurement condition
- Serve financial sector clients subject to DORA requirements for ICT provider due diligence
- Need CLOUD Act mitigation — EU storage with customer-managed encryption keys provides defense-in-depth
- Build or contribute to digital twins of European cities and infrastructure, where detailed 3D models carry increasing sensitivity
- Require audit trails and compliance documentation for GDPR accountability (Article 5(2))
If your team is scanning construction sites in Munich, mapping utility networks in Paris, documenting government buildings in Rome, or capturing bridge inspections in Stockholm — your 3D data should stay in the EU. Now it does.
Get Started
Splat Labs offers plans for teams of every size. Create a free account to explore the platform with two projects. For Enterprise pricing with full EU data localization, contact our sales team.
