The German GmbH That Belongs to Delaware

A short lesson in reading the fine print of "European" AI.

It started with a shareholders' list

A "European" AI vendor had been making the rounds on LinkedIn. German company, German branding, the kind of EU-friendly positioning that lands well right now. So we pulled the one document that doesn't do marketing: the shareholders' list from the commercial register.

It took about thirty seconds to read. Langdock GmbH, seat in Berlin. One shareholder. Langdock Inc., registered in Delaware, United States. Participation: 100%.

Source: shareholders' list, Handelsregister.

The German company is real. It pays German taxes, files with a German court, employs people in Germany. But it owns nothing of itself. Every share sits with a US corporation, and that corporation, sitting in Delaware, is squarely under US law. The GmbH is the storefront. The owner is in Delaware.

This is not an accusation of wrongdoing. The structure is completely legal and extremely common. That is exactly the problem. A label that says "German company" tells you where the paperwork is filed. It tells you almost nothing about who is ultimately in control, or whose laws apply when a government comes asking.

We have seen this movie before

If the pattern feels familiar, it should. The biggest cloud providers have spent two years building elaborate versions of the same thing.

Take the AWS European Sovereign Cloud, which went live in January 2026. On paper it looks like the gold standard for sovereignty: infrastructure entirely inside the EU, operated by EU residents, managed through dedicated German legal entities with EU-citizen managing directors and an advisory board. Amazon invested billions to make it convincing.

And yet. As security analysts pointed out within days of launch, the European company is still 100% owned by a US-based Amazon company, and there is no way around that as long as ultimate control lies outside the EU. The US CLOUD Act does not care where the servers are. Under the CLOUD Act, US authorities can compel access to information held by American cloud providers regardless of where in the world that data is housed.

A fair point here, and one worth stating plainly: US ownership does not automatically pull a German subsidiary under US law. The CLOUD Act turns on a test called "possession, custody, or control," meaning whether the US entity can actually reach the data, legally or in practice. A US parent on its own is not an automatic switch, and the German company has not said publicly whether its US parent can compel access. So this is about risk and exposure, not a guaranteed data tap.

But the risk is real, and the structure points the wrong way. Courts have frequently found that a parent has the legal right or practical ability to make a subsidiary hand over data, and where control is close to total, production is the likely outcome. A 100% parent that also appoints the management sits squarely in the zone where courts tend to say yes. The German entity in the middle does not break that chain. It just makes it harder to see.

The broader pattern keeps producing the same conclusion: ownership shapes exposure in a way architecture cannot fully undo. Technical isolation helps, EU hosting helps, but if the control chain runs to a US parent, the question is never fully closed. You cannot engineer your way out of who owns you.

Why this matters more for AI than for storage

With a cloud bucket, the sovereignty question is mostly about data: where it sits, who can be compelled to hand it over. With AI inference, the surface is larger.

When you send a prompt to a model, you are often sending the most sensitive thing your company has: unreleased code, legal strategy, customer records, internal financials, the contents of a deal before it is announced. That payload runs through whoever operates the inference. If the operator, or its parent, or anyone in its corporate chain sits under foreign jurisdiction, then your prompts sit there too.

AI adds a second layer that storage does not have: the model itself. A closed model from a US provider can be changed, throttled, restricted, or switched off entirely by decisions made outside Europe, for reasons that have nothing to do with you. We saw a version of this recently when access to a frontier model was suspended for European customers on the basis of a US government directive. If your product depends on a model you neither own nor can replace, your roadmap is somebody else's lever.

So "sovereign AI" has to clear a higher bar than "sovereign storage." It is not enough that the data stays in Europe. Control over the data, the infrastructure, and the model all have to stay in Europe too.

How to actually check

The good news: you do not need to be a lawyer to spot the gap. You need to ask better questions than the marketing invites. A few that cut through quickly.

Who owns the company? Not where it is registered, who holds the shares. Pull the shareholders' list from the commercial register. If the parent is in Delaware, you have your answer, no matter how German the website looks. This is public information and it takes minutes.

Whose law reaches the data? A provider can run every server in Frankfurt and still be compelled by a foreign court if its corporate chain leads abroad. Ask specifically: is any entity in your ownership structure subject to the US CLOUD Act, FISA, or equivalent? "Our data centers are in the EU" is not an answer to that question.

Who runs the infrastructure underneath? Many "European" AI products are a thin layer on top of US hyperscaler compute. EU branding on the front end, AWS or Azure on the back end. Ask what the inference actually runs on.

Can the model be taken away? If the product depends on a closed model licensed from abroad, that dependency is a single point of failure outside your control. Open-weight models you can host yourself do not have that problem.

What happens to your inputs? Are prompts and outputs retained, logged, used for training? A real sovereignty story usually comes with a zero-retention commitment in writing, not a privacy page that says "we care about your data."

Sovereignty is a structure, not a sticker

None of this means US providers are villains, or that every company with a foreign parent is hiding something. It means the word "European" has been doing a lot of unearned work lately, and the gap between the label and the legal reality is where the risk lives.

The fix is not outrage. It is literacy. Read the shareholders' list. Trace the ownership. Ask whose courts can reach the data and whether the model can be pulled out from under you. The answers are usually a few minutes of digging away, and they tell you far more than any flag in a logo.

A company can wave the EU flag all it wants. Sovereignty is not something you display. It is something you can prove, all the way up the ownership chain.