Anyone processing sensitive data in European companies or public authorities usually looks at one specific line in the data sheet first: Server location: Europe. For years, this was considered the golden ticket for GDPR compliance.
However, since spring 2026, this ticket has effectively expired for many users of Microsoft-based services. Quietly and without much fanfare, Microsoft enabled a feature called “Flex Routing“ by default. The consequence: Despite your European server location, your data is now highly likely to be routed to the US for processing.
For organizations that rely on maximum data sovereignty, this changes the game entirely—and it affects far more tools than you might think at first glance.
Table of Contents
ToggleWhat is Flex Routing and How Does It Work?
Under the term Flex Routing (sometimes referred to as Flexible Inferencing), Microsoft manages a dynamic workload system for its AI models. When European data centers experience high traffic during peak hours, AI requests are automatically rerouted to regions where capacity is available—primarily the US, Canada, or Australia.
The core problem lies within the technical details of this processing:
-
Inference Phase Affected: Rerouting to the US does not happen with anonymized data snippets. It occurs during the critical inference phase. At this point, the request has already gone through internal data enrichment via Retrieval-Augmented Generation (RAG).
-
The Data Packet: This means it is not just an isolated prompt moving across the Atlantic. The entire packet is transferred—including linked internal emails, documents, metadata, and system prompts.
-
Aggressive Opt-out: Flex Routing was enabled by default for new tenants. Any organization that strictly needs to keep its data within Europe must have an administrator actively object and change deep-seated configurations in both the Microsoft 365 Admin Center and the Power Platform Admin Center.
The situation is further complicated by the fact that Microsoft has integrated third-party providers like Anthropic (Claude) as subprocessors, which, according to official documentation, operate entirely outside the EU Data Boundary anyway.
The Domino Effect: Why Your AI Meeting Assistants Are Also Affected
If you are now thinking, “No problem, we just won’t use Microsoft Copilot,” you are missing the bigger picture. The modern IT landscape is deeply interconnected via APIs. Many specialized tools on the market do not build their core AI technology from scratch; instead, they rely on the backend infrastructure of major US hyperscalers.
This is particularly true for the AI meeting assistant and transcription tool segment. Many well-known market players—such as SpeechMind or Sally—rely heavily on Microsoft Azure’s cloud infrastructure for their core features, like automated speech-to-text.
The Regulatory Risk: If a tool processes speech recognition via Microsoft Azure, and Microsoft dynamically distributes server workloads via Flex Routing in the background, your confidential meeting minutes, board meetings, or client calls get pulled right into the undertow of US data transfers. From the perspective of regulations like NIS2 or DORA, this creates an uncalculable third-party risk in your supply chain.
The Solution: True Digital Sovereignty with Tucan.ai
This development was unfortunately only a matter of time. It proves that US tech promises will change, depending on the current administration. We have always believed that if you truly want to protect your customers’ data, you cannot make yourself dependent on the configuration toggles and capacity shortages of American tech giants.
That is why Tucan.ai’s architecture is fundamentally different from the rest of the market:
1. In-House, Proprietary Speech Recognition
Tucan.ai does not rely on Microsoft Azure, Google, or AWS to convert speech into text. We use our own proprietary speech recognition engine, developed entirely from scratch by our team in Germany. Your audio data is processed directly within our secure environment—without any detours through third-party APIs.
2. 100% German Hosting – Immune to the US CLOUD Act
The entire Tucan.ai platform is hosted on the servers of Hetzner Online GmbH in Nuremberg, Germany. As a purely German company, Tucan.ai is completely immune to the US CLOUD Act, unlike US-based cloud providers. Government agencies, law firms, and KRITIS (critical infrastructure) companies enjoy absolute legal certainty and full protection against unauthorized data access from third countries.
3. Full Flexibility via On-Premise Deployment
While most tools on the market are pure SaaS (Software-as-a-Service) cloud solutions, we take it a step further. For organizations with the highest security clearance, we offer a full On-Premise installation. The entire AI infrastructure then runs autarkically within your own data center. It simply does not get any more secure than this.
Conclusion: Time to Rethink AI Procurement
The rollout of Flex Routing is a painful reminder that the promise of a “European server location” from US providers is often just a snapshot in time. A single entry in a cloud provider’s message center is enough to wipe out established compliance assurances overnight.
If you want to guarantee that your organization’s spoken and written content stays strictly where it belongs, you must invest in technological independence.
Want to put your meeting minutes and transcripts on a legally secure foundation?