Cloud Horizon AI / Use cases

The LLM API for regulated EU teams.

Healthcare, financial services, public sector. EU-only inference, Dutch processor, no US parent in the chain. Built for compliance leads who get the second call after legal says no to OpenAI.

Join the waitlist Read the docs

Six workflows your privacy office can sign off on

The bottlenecks specific to regulated work. Each one needs an LLM that does not leak inputs, does not phone home, and does not need a Schrems II carve-out.

PHI-safe clinical summaries

Pain
Your clinical team wants discharge summaries drafted from notes. The hospital privacy office will not let unstructured patient text leave the data centre, never mind cross the Atlantic.

Fix
Inference in Amsterdam under a Dutch DPA, no training on inputs, audit log per request. Pseudonymise on the way in, the model never sees direct identifiers, you put names back at render time.

Discharge lettersReferral summariesCoding hint generation

KYC adverse-media triage

Pain
The compliance team reads hundreds of articles per onboarding case. Most are noise. The handful that matter get buried.

Fix
Stream every article through a classifier prompt with your risk taxonomy. Model returns a relevance score, a category, and a one-paragraph summary. Analysts see a pre-ranked queue.

Sanctions and PEP screeningAML predicate offencesReputational risk categories

Public-sector tender drafting

Pain
Drafting an answer to a 200-page TenderNed RFI is two weeks of senior bid manager time. Most of it is plumbing, the actual win-themes are five pages.

Fix
Long-context model ingests the RFI, your past wins, and your capability statements. Returns a section-by-section first draft you edit down. The bid manager spends time on win-themes, not on copying boilerplate.

TenderNed (NL), BOAMP (FR)OJEU noticesPast performance reuse

Audit evidence drafting

Pain
External auditor asks for 80 pieces of evidence. Half are screenshots and policy excerpts you have written ten times before.

Fix
Model drafts the narrative paragraphs from your policies and recent change records. You attach the screenshots, sign off, ship to the auditor. Halves the prep cycle.

SOC 2 control narrativesISO 27001 SoA entriesBSI C5 evidence statements

Regulatory change monitoring

Pain
EU AI Act, DORA, NIS2, MiCA, the new omnibus simplification package. Your compliance lead reads everything and forgets half of it.

Fix
Daily ingest of EUR-Lex, ESMA, EBA, AFM and BaFin feeds. Embeddings index against your control library. Diff drops into a digest with the affected controls flagged.

EUR-Lex daily deltaNational regulator feedsCross-mapped to your controls

Patient or citizen self-service triage

Pain
Public services and patient portals get the same fifteen questions every day. Phone lines back up, email queues grow, the front-line team burns out.

Fix
Citizen-facing chat over your published policy and FAQ pages. Hard-coded refusals on anything that needs human judgement, escalation to a person on the rest. EU residency, Dutch DPA, GDPR DPIA template included.

Municipality portalsPatient appointment FAQsTax authority self-service

Compliance posture, framework by framework

Where we sit today, what is on the roadmap, what your auditor will ask for. Architected for these frameworks. Certification claims are in our docs, not on this page.

Framework	Region	Posture today	Notes
GDPR	EU/EEA	EU-only inference, Dutch processor, signed DPA	Article 28 processor agreement on team plans
Schrems II	EU	No US parent, no Cloud Act exposure	Spot Cloud B.V. is Dutch, no transfer to third countries
BSI C5	DE	Frankfurt inference region, type 2 controls in scope	Evidence pack on enterprise plan
ISO 27001	Global	Architected against Annex A controls	Statement of Applicability mappable per workload
EU AI Act	EU	Article 50 transparency notices, no prohibited use cases	Risk-tier classification helper in the docs
DORA	EU FS	Subcontractor register, exit plan, ICT risk reporting	Critical-third-party register entry available
NIS2	EU	Incident reporting hooks, supply-chain register	Designed for essential and important entities
HDS	FR	Health data hosting roadmap, AWS Frankfurt today	HDS-certified region in 2027 H1

Per-request controls your auditor will love

Region pinning, audit tagging, PII redaction, retention overrides. Set them in the request header or body, every call carries its own policy.

# KYC adverse-media classification, PII redaction on by default
curl https://api.cloudhorizons.ai/v1/chat/completions \
  -H "Authorization: Bearer $CLOUD_HORIZONS_KEY" \
  -H "Content-Type: application/json" \
  -H "Cloud-Horizons-Region: eu-ams-1" \
  -H "Cloud-Horizons-Audit-Tag: kyc-case-784512" \
  -d '{
    "model": "glm-4.6",
    "messages": [
      {"role": "system", "content": "Classify the article against the risk taxonomy. Return JSON: {category, severity, summary, source_quality}."},
      {"role": "user", "content": "<article body>"}
    ],
    "redact_pii": true,
    "log_retention": "30d",
    "response_format": {"type": "json_object"}
  }'

Region pinning

Force a request to stay in Amsterdam or Frankfurt. 422 if the model is not available in that region.

Audit tag

Free-text label per request, surfaces in the audit log. Match to your case ID, your patient pseudonym, your bid number.

PII redaction

Inline redaction before the model sees the prompt. Names, emails, IBANs, BSN, NHS numbers, IP addresses.

Retention overrides

Default 30 days for prompt and response logs. Set log_retention: "0d" for zero retention on sensitive workloads.

Why regulated buyers pick us

A Dutch processor your DPO has heard of

Operated by Spot Cloud B.V. (KvK 89708873), a Dutch company under Dutch law. Standard EU Data Processing Agreement on team plans, no Cloud Act exposure, no parent in the United States. Inference in Amsterdam and Frankfurt, your data leaves the EU only if you explicitly opt in.

Join the waitlist