2026-05-05 · 13 min read
AWS Q Developer is Amazon's AI-powered code assistant: inline completions, natural language code generation, security vulnerability scanning, and a conversational coding agent that can read your entire repository. For EU developers, it is also a channel that continuously routes proprietary source code to infrastructure operated by a US company and therefore permanently subject to the CLOUD Act. This guide maps where EU developer data lands inside Q Developer's architecture, why source code creates a more acute CLOUD Act exposure than most data an AWS service handles, and which EU AI Act obligations apply to an engineering team using an AI code assistant in 2026.

## What AWS Q Developer Actually Sends to AWS

AWS Q Developer operates in two modes: inline suggestions (triggered by keystrokes) and agentic mode (reads your repository and runs multi-step tasks). Both modes transmit data to AWS.

**Inline mode transmits:**

- Your current file content (the "context window", typically 2,000–8,000 tokens of surrounding code)
- Adjacent files in the same project that the IDE plugin deems relevant
- Import statements, function signatures, and class definitions from your codebase
- Comments and docstrings, including any that contain PII, credentials, or descriptions of business logic

**Agentic mode (the `/dev` and `/transform` features) transmits:**

- Your entire repository or project structure (file tree plus content)
- Build configurations, dependency manifests, and CI/CD pipeline files
- Test suites, including fixtures that may contain realistic-looking sample data
- Environment variable references (names, not values; names alone reveal the structure of your infrastructure)
- Git history context for transformation tasks

Every transmission goes to infrastructure operated by Amazon Web Services, Inc. Even if the service is configured for an EU region such as `eu-central-1` and your data "never leaves the EU", the operative legal fact for GDPR is that a US company processes it, and that processing is subject to CLOUD Act compelled disclosure regardless of the AWS region in use.

## Six GDPR Exposure Points

### 1. Article 28 — Data Processing Agreement That Cannot Override the CLOUD Act

AWS offers a GDPR Data Processing Addendum (DPA) and, for healthcare data, a Business Associate Agreement (a US HIPAA instrument, not a GDPR one). The DPA satisfies the formal Art.28 requirement: you have a written agreement with your processor defining purposes, security measures, and sub-processor lists.

What the AWS DPA cannot do is override US federal law. The CLOUD Act (2018) added 18 U.S.C. § 2713 to the Stored Communications Act: a provider must preserve and disclose data in its "possession, custody, or control" regardless of whether that data is stored inside or outside the United States. A warrant or order under 18 U.S.C. § 2703 can therefore compel AWS to produce data held anywhere in its infrastructure, including data you thought was covered by a DPA and Standard Contractual Clauses. AWS can and has challenged such requests, but it cannot guarantee that a challenge will succeed, and it cannot notify you before complying with a production order that carries a gag order.

For source code specifically, this creates an exposure profile different from most data categories. A production order for user PII affects user data. A production order for proprietary source code affects your core IP, your business logic, your competitive advantage, and potentially credentials or security-sensitive implementation details embedded in the code.

### 2. Article 25 — Privacy by Design and PII Embedded in Code

Art.25 requires that systems be designed so that, by default, only the personal data necessary for each purpose is processed. AWS Q Developer is not designed around this principle.
Developers routinely embed personal data in source code:

- Hardcoded example values in tests (`user.email = "alice@example.com"`, realistic employee ID formats)
- PII in SQL query examples and ORM model comments
- GDPR-relevant field names and their handling logic described in inline comments
- Customer data structures with enough context to infer real data patterns

Q Developer processes all of this with no documented filtering or anonymisation step. The IDE plugin does not scrub the context window before transmission. For any codebase that follows common development practices, the "minimum necessary" principle is structurally violated.

### 3. Article 5(1)(b) — Purpose Limitation and Training Data

AWS Q Developer's data handling changed between CodeWhisperer (Q Developer's predecessor) and the current product. On the Free tier, AWS's documentation states that content from the IDE may be used to improve the service, with an opt-out that each developer must set in their own IDE plugin. Under the paid Pro tier, AWS states that content is not used for service improvement.

The purpose limitation problem is this: when a developer uses Q Developer to get a code suggestion, the purpose of the processing they agreed to (getting a code suggestion) differs from the purpose of model improvement (training a commercial product on their IP). If developers are using Free tier accounts, which is common during evaluation periods before IT procurement formalises the tool, you may have no opt-out in place on any of their machines.

For EU developers, Art.5(1)(b) requires that personal data not be processed for purposes incompatible with the collection purpose. Using source code that contains PII to train an AI model is, on its face, an incompatible purpose unless explicitly consented to.

### 4. Article 32 — Security of Processing and Source Code as a High-Value Target

Art.32 requires "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk.
The risk calculus for source code differs from other data categories. Source code is a uniquely high-value target:

- It contains hardcoded credentials, API keys, and infrastructure layout (even if only "accidentally")
- It reveals authentication logic, encryption implementations, and access control models
- In regulated industries, it reveals how compliance controls are implemented, and potentially how to bypass them
- It contains proprietary algorithms and business logic that represent competitive advantage

When you transmit source code to AWS, you are transmitting it over the internet to shared infrastructure. AWS encrypts data in transit and at rest. But "appropriate" security under Art.32 is not only about encryption; it is about minimising the attack surface. Source code that stays on EU infrastructure in your own environment is not in AWS's shared infrastructure, is not on servers subject to US legal process, and is not transmitted over the internet to a third-party processing service.

### 5. Article 5(1)(e) — Storage Limitation and Code Context Retention

How long does AWS retain the code context it receives from Q Developer transmissions? AWS's documentation distinguishes between "request data" (not retained after the response, per current policy) and "service improvement data" (retained under the training data terms above).

For EU developers, this is not a clear answer. The policy can change. The opt-out can be misconfigured on a single developer's machine. And for customers using the agentic features that read whole repositories, the retention timeline for multi-step task context is less clearly defined than for simple inline completions.

Art.5(1)(e) requires that personal data not be kept longer than necessary. Without transparent, contractually binding retention commitments, EU developers cannot document their GDPR storage limitation compliance for source code transmitted through Q Developer.

### 6. EU AI Act — Deployer Obligations for AI-Assisted Development

Under the EU AI Act (Regulation (EU) 2024/1689), an organisation that uses an AI system in a professional context is a "deployer". Two points of numbering and scope matter here. First, the deployer obligations often cited as Article 29 carry that number only in the Commission's 2021 proposal; in the adopted text they are Article 26, and they attach to high-risk AI systems. A code assistant is not an Annex III use case, so the Article 26 duties (using the system according to its instructions, assigning human oversight, controlling input data, keeping logs) apply to it only if it is used as part of a high-risk system. Second, the general-purpose AI model obligations (Chapter V, applying since 2 August 2025) fall on the model provider, so on Amazon for its in-house models and on the respective third-party providers for models served through Bedrock, not on you as the deployer.

What does bind every engineering team using an AI code assistant is Article 4 (AI literacy), applying since 2 February 2025 with no company-size threshold: providers and deployers must ensure that staff operating or using AI systems on their behalf have a sufficient level of AI literacy. For a code assistant, that means developers know what it is, what it sends off the machine, and how to treat its output. In practice, and as the evidence a regulator or auditor will ask for, the team should:

- Inform developers that they are working with AI-generated output and what the tool transmits
- Ensure that developers can exercise meaningful oversight over AI suggestions
- Record the AI system in use and its capabilities in the organisational AI inventory
- Apply human review before AI-generated code enters production

These steps apply to code assistants the same way they apply to customer-facing AI features; the only difference is whether Article 26 adds formal high-risk duties on top.

## The Training Data Opt-Out Problem in Practice

EU companies evaluating Q Developer consistently encounter the same sequence:

1. Developers start using Q Developer's Free tier for evaluation
2. IT/procurement is not involved; no opt-out has been set in any developer's IDE
3. Code transmitted during the evaluation period may be subject to the service improvement terms
4. When the company formalises Q Developer with Pro subscriptions, the code transmitted during evaluation has already been processed under the original terms

There is no retroactive opt-out. Once data has been used for service improvement, it cannot be un-processed. For EU companies whose source code contains any personal data, the correct approach is to verify the opt-out on every developer's machine before anyone begins using the tool, not after evaluation.
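
Sections 2 and 4 above describe the personal data and credentials that sit in an ordinary codebase and ride along in an assistant's context window, and the paragraph above says to check before anyone starts using the tool. The script below, added here as an example and not code from the original page or from AWS, is that check: it audits a source tree for email addresses, AWS access key IDs, private key blocks and password assignments, and writes a `.continueignore` so a local Continue.dev setup skips the flagged files (that `.continueignore` is the ignore file Continue.dev documents for codebase indexing; treat the name as an assumption to confirm against the current docs). The sample repository it builds is constructed for the demonstration; the key ID in it is AWS's published documentation example `AKIAIOSFODNN7EXAMPLE`, not a live credential.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page or from AWS: find the personal
# data and secrets in a source tree that an IDE assistant would ship in its
# context window, and write a .continueignore (assumed to be the ignore file
# Continue.dev reads when indexing a codebase) so a local assistant skips them.
# Patterns are deliberately broad: the output is a list for human review.
set -u

PAT_EMAIL='[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
PAT_AWS_KEY='AKIA[0-9A-Z]{16}'                        # AWS access key ID format
PAT_PRIVKEY='-----BEGIN [A-Z ]*PRIVATE KEY-----'
PAT_PASSWORD="(password|passwd|secret)[[:space:]]*[:=][[:space:]]*[\"'][^\"']+"

# Print one "path:line:category" per hit under $1. Skips .git and vendored
# directories and binary files.
scan_context() {
  dir="$1"
  grep -rEIinH --exclude-dir=.git --exclude-dir=node_modules \
    -e "$PAT_EMAIL" -e "$PAT_AWS_KEY" -e "$PAT_PRIVKEY" -e "$PAT_PASSWORD" "$dir" 2>/dev/null |
  while IFS=: read -r file line rest; do
    category=other
    printf '%s\n' "$rest" | grep -Eq  "$PAT_AWS_KEY"  && category=aws-key
    printf '%s\n' "$rest" | grep -Eq  "$PAT_PRIVKEY"  && category=private-key
    printf '%s\n' "$rest" | grep -Eiq "$PAT_PASSWORD" && category=password
    [ "$category" = other ] && printf '%s\n' "$rest" | grep -Eq "$PAT_EMAIL" && category=email
    echo "$file:$line:$category"
  done
}

# Number of hits under $1.
count_findings() { scan_context "$1" | wc -l | tr -d ' '; }

# Write $1/.continueignore listing every file with a hit (paths relative to the
# tree, one per line) and print how many files it lists.
write_continueignore() {
  dir="$1"
  scan_context "$dir" | cut -d: -f1 | sed "s#^$dir/##" | sort -u > "$dir/.continueignore"
  wc -l < "$dir/.continueignore" | tr -d ' '
}

# Constructed sample tree for the demonstration. The key ID is AWS's published
# documentation example, not a live credential; the address is an example.com one.
make_sample_repo() {
  dir="$(mktemp -d)"
  mkdir -p "$dir/tests" "$dir/src" "$dir/.git"
  cat > "$dir/tests/test_users.py" <<'EOF'
def test_signup():
    user = signup(email="alice.mueller@example.com", name="Alice Mueller")
    assert user.email == "alice.mueller@example.com"
EOF
  cat > "$dir/src/settings.py" <<'EOF'
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "hunter2-not-a-real-password"
EOF
  cat > "$dir/src/clean.py" <<'EOF'
def add(a, b):
    return a + b
EOF
  echo "$dir"
}

# Usage on a real tree:    ./context_audit.sh /path/to/repo
# Demo on the sample tree: ./context_audit.sh --demo
case "${1:-}" in
  --demo) repo="$(make_sample_repo)"; scan_context "$repo"; echo "ignore list: $(write_continueignore "$repo") file(s)" ;;
  "")     ;;
  *)      scan_context "$1"; echo "ignore list: $(write_continueignore "$1") file(s)" ;;
esac
```

On the sample tree this reports four hits (two test-fixture emails, one key ID, one password) and lists the two offending files; `clean.py` is left out. Run it over a real repository before an assistant is enabled, then decide per finding whether to move the value into a fixture generator, a secrets manager, or the ignore list.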
## EU Alternatives to AWS Q Developer

| Tool | Hosting | CLOUD Act Exposure | Self-Hosted Option | EU Data |
|------|---------|-------------------|-------------------|---------|
| **Continue.dev + Ollama** | Self-hosted | None | Yes (fully local) | ✅ Yes |
| **Tabnine** | Cloud or self-hosted | Non-EU vendor (cloud), None (on-prem) | Yes (Enterprise) | ⚠️ Cloud: No |
| **JetBrains AI (local models)** | IDE local | None when local | Via Ollama | ✅ Yes |
| **Codeium / Windsurf** | Cloud | US parent | Enterprise only | ⚠️ Cloud: No |
| **Mistral API + Continue.dev** | EU cloud (Mistral) | None (EU jurisdiction) | Via Continue.dev | ✅ Yes |
| **AWS Q Developer (Pro)** | AWS cloud | CLOUD Act | No | ❌ No |

### Continue.dev with Ollama (Recommended for EU Data Sovereignty)

[Continue.dev](https://continue.dev) is an open-source IDE extension (VS Code, JetBrains) that can connect to any LLM endpoint. Combined with [Ollama](https://ollama.com) running local models on developer machines, it gives you a code assistant with no network path at all: no code leaves the developer's laptop.

Setup:

1. Install Ollama locally: `curl -fsSL https://ollama.com/install.sh | sh` (read the script before piping it into a shell, or use your distribution's package; it runs with root privileges)
2. Pull a code-optimised model: `ollama pull deepseek-coder-v2:16b` (16B parameters, strong code completion; the download is several gigabytes and needs correspondingly more RAM)
3. Install the Continue.dev VS Code extension
4. Configure Continue.dev to point to `http://localhost:11434` (Ollama's default listen address)

For teams that want a shared model endpoint without a GPU in every laptop:

1. Deploy Ollama on a Hetzner or Scaleway server (EU jurisdiction)
2. Use Continue.dev's remote configuration to point all developer IDEs at the shared endpoint
3. All code context stays within your EU infrastructure, with zero CLOUD Act exposure

Two caveats for the shared setup. Ollama listens on loopback by default and has no authentication of its own; once you bind it to a network interface for the team, put it behind a TLS reverse proxy that authenticates clients and restrict the port with a firewall, or every host that can reach it can read your prompts and run inference on your hardware. And the shared server is now the one place all of your source code context passes through, so apply the same logging and retention discipline you would demand of a vendor.

On [sota.io](https://sota.io), you can deploy an Ollama instance as a container:

- EU-resident infrastructure only
- €9/month flat pricing with 2 GB RAM (enough for small quantised models of roughly 1–3B parameters; a 4-bit 7B model needs about 4–5 GB, and the 16B model above needs more still)
- DPA available, EU-jurisdiction data processing

### Mistral API via Continue.dev (Cloud with EU Jurisdiction)

If local inference is impractical (insufficient RAM on developer machines), Mistral AI operates in EU jurisdiction (Paris-based company, servers in the EU). Mistral's `codestral` model is optimised for code completion and is competitive with Q Developer for common tasks.

Configure Continue.dev to use `https://api.mistral.ai` as the endpoint with your Mistral API key. Processing happens in Mistral's EU infrastructure. Mistral is still a processor of your source code, so the Art.28 DPA is required here just as it is with AWS; the difference is the jurisdiction, not the absence of a third party.

### Tabnine Enterprise (On-Premises)

Tabnine offers fully on-premises deployment for Enterprise customers. The on-premises variant downloads the model to your infrastructure and runs inference locally; no code leaves your environment. This addresses both the CLOUD Act and the GDPR storage limitation concerns.

Note: Tabnine's cloud product routes code through the vendor's own infrastructure outside EU jurisdiction. Only the self-hosted Enterprise option eliminates the CLOUD Act exposure.

## Risk Comparison: Q Developer vs EU Alternatives

| Risk Category | AWS Q Developer | Continue.dev + Ollama | Mistral API |
|--------------|----------------|----------------------|-------------|
| CLOUD Act exposure | High (US parent) | None (local) | None (EU parent) |
| Source code transmitted off-device | Yes (every keystroke) | No | Yes (EU servers) |
| Training data opt-out required | Yes (Free tier: per IDE; Pro: content not used) | N/A | EU terms apply |
| Art.28 DPA | Available | N/A | Available |
| EU AI Act Art.4 (AI literacy) | Yes | Yes | Yes |
| Agentic mode GDPR complexity | Very high | Low | Moderate |
| Deployment complexity | Low | Medium | Low |

## What to Do if Your Team Already Uses Q Developer

1. **Immediately verify the tier and the opt-out:** Free tier and Pro have different data handling. Confirm which subscription each developer is on, and on the Free tier check the content-sharing setting in each developer's IDE plugin; one machine left at the default is one machine still sharing.
2. **Document the gap:** Record which developers used Q Developer before the opt-out was in place, for what period, and on which codebases. This is your Art.30 record of processing activities.
3. **Conduct a DPIA if processing was significant:** If the codebase transmitted through Q Developer contained substantial personal data (customer data models, healthcare record handling, financial processing logic), conduct a Data Protection Impact Assessment per Art.35 for the historical processing.
4. **Transition plan:** Set a migration deadline for moving to an EU-native alternative. The longer you delay, the more code context is transmitted under terms you cannot retrospectively change.

## What sota.io Offers for EU AI-Assisted Development Infrastructure

If you want to host your own AI code assistant infrastructure in EU jurisdiction, [sota.io](https://sota.io) provides:

- Ollama deployed as a standard container, as the backend for Continue.dev
- EU-resident infrastructure only, with no US data centres in the processing path
- €9/month flat pricing with 2 GB RAM (sized for small quantised models; see the note above)
- Standard Docker deployment: your model selection, your context window policies, your retention controls
- DPA available, EU-jurisdiction data processing

Your developers get AI code assistance. Your source code stays in EU infrastructure. Your legal team gets a clean compliance story.

## Summary

AWS Q Developer provides genuinely useful AI-assisted development capabilities.
For EU developers, it creates structural compliance problems that cannot be resolved by selecting an EU AWS region or accepting the standard DPA:

- Every keystroke-triggered completion transmits source code context to infrastructure operated by a US company
- Agentic mode transmits entire repository contents to AWS for multi-step tasks
- CLOUD Act compelled disclosure applies regardless of EU AWS region selection
- Free tier accounts share content for service improvement unless each developer opts out, creating purpose limitation violations
- Source code containing any PII triggers Art.28 and Art.32 obligations that AWS's DPA formally satisfies but practically cannot fully honour given CLOUD Act exposure
- EU AI Act AI-literacy obligations (Art.4) already apply to your engineering team, and the Art.26 high-risk deployer duties apply if the assistant forms part of a high-risk system

The technical alternatives (Continue.dev + Ollama locally, Mistral API via Continue.dev for EU cloud inference, Tabnine on-premises for Enterprise) provide comparable code assistance without routing proprietary source code to US-jurisdiction servers. For EU companies where source code represents material IP or contains personal data, the compliance posture difference justifies the migration effort.
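
The Continue.dev with Ollama setup from the EU Alternatives section, in both its local and shared-endpoint variants, as one script. It is an added example, not Continue.dev's, Ollama's or sota.io's own code: it writes the Continue.dev `config.yaml`, refuses any endpoint that is neither loopback nor an allowlisted EU-jurisdiction host reached over TLS, and flags an `OLLAMA_HOST` bind address that would expose Ollama's unauthenticated API to the network. Assumptions to check against current documentation: the `config.yaml` layout (schema `v1`, `models` entries with `provider`, `model`, `apiBase`, `roles`) follows Continue.dev's format as of this writing; `ollama.eu.internal.example` is a placeholder for whatever hostname you give your own EU server; `api.mistral.ai` is allowlisted because the Mistral section uses it, although a Mistral model entry needs `provider: mistral` and an API key rather than the Ollama entry written here.

```shell
#!/usr/bin/env bash
# Added example, not Continue.dev's, Ollama's or sota.io's code. Writes a
# Continue.dev config.yaml for a local or shared Ollama endpoint, after checking
# that the endpoint is one source code may legitimately be sent to.
# Assumptions, to check against current docs: the config.yaml layout below
# (schema v1, models[].provider/model/apiBase/roles) and the placeholder host
# ollama.eu.internal.example standing in for your own EU-hosted server.
set -u

# Remote hosts that may receive source code: your own EU-hosted endpoint
# (placeholder) and the EU provider from the Mistral section. Loopback is always
# allowed; anything else is refused, as is any remote host reached without TLS.
ALLOWED_REMOTE_HOSTS="ollama.eu.internal.example api.mistral.ai"

url_scheme() { printf '%s\n' "$1" | sed -E 's#^([a-z]+)://.*#\1#'; }
url_host()   { printf '%s\n' "$1" | sed -E 's#^[a-z]+://([^/:]+).*#\1#'; }

# 0 when $1 is an endpoint the IDE may send code to, 1 otherwise.
endpoint_allowed() {
  url="$1"
  scheme="$(url_scheme "$url")"
  host="$(url_host "$url")"
  case "$host" in
    localhost|127.0.0.1) return 0 ;;          # never leaves the machine
  esac
  [ "$scheme" = https ] || return 1           # source code in clear text on the wire
  for allowed in $ALLOWED_REMOTE_HOSTS; do
    [ "$host" = "$allowed" ] && return 0
  done
  return 1
}

# Ollama listens on 127.0.0.1:11434 unless OLLAMA_HOST says otherwise, and it
# has no authentication of its own. 0 when the bind address ($1) keeps it on
# loopback; 1 when it would be reachable from the network unprotected, in which
# case front it with a TLS reverse proxy that authenticates clients.
ollama_bind_is_loopback() {
  case "${1:-}" in
    ""|127.0.0.1|127.0.0.1:*|localhost|localhost:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write a Continue.dev config for model $3 (default deepseek-coder-v2:16b, the
# model pulled in the setup steps) served at endpoint $1, to path $2 (default
# ~/.continue/config.yaml). Prints the path written; refuses disallowed endpoints.
write_continue_config() {
  endpoint="$1"
  out="${2:-$HOME/.continue/config.yaml}"
  model="${3:-deepseek-coder-v2:16b}"
  endpoint_allowed "$endpoint" || { echo "refusing endpoint: $endpoint" >&2; return 1; }
  mkdir -p "$(dirname "$out")"
  cat > "$out" <<EOF
name: EU-local assistant
version: 0.0.1
schema: v1
models:
  - name: "$model (EU)"
    provider: ollama
    model: $model
    apiBase: $endpoint
    roles:
      - chat
      - autocomplete
EOF
  echo "$out"
}

# Usage:  ./eu_assistant_setup.sh http://localhost:11434
#         ./eu_assistant_setup.sh https://ollama.eu.internal.example ~/.continue/config.yaml
if [ -n "${1:-}" ]; then
  ollama_bind_is_loopback "${OLLAMA_HOST:-}" || echo "warning: OLLAMA_HOST=${OLLAMA_HOST:-} exposes an unauthenticated API" >&2
  write_continue_config "$1" "${2:-}" "${3:-}"
fi
```

The allowlist is the control that matters: a developer who later pastes a convenient US-hosted endpoint into the script gets a refusal rather than a working config, and a plain-`http` URL to the shared EU server is refused too, because the source code would otherwise cross the network in clear text.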
