Deploy Rocq (Coq) to Europe — Formally Verified Software on EU Infrastructure in 2026

The EU AI Act requires high-risk AI systems to demonstrate correctness. DORA requires financial institutions to document the resilience of their ICT processes. GDPR Article 25 mandates privacy by design. Every one of these regulations asks the same underlying question: can you prove that your software does what you claim it does? Runtime tests say it worked this time. Rocq says it works every time — by mathematical proof.

Rocq Prover — known for four decades as Coq, renamed in 2024 — is a proof assistant developed at INRIA Rocquencourt 🇫🇷, the French national research institute in computer science. In Rocq, you do not merely write a function: you write the function together with a formal proof of its correctness, checked by the kernel of the proof assistant. The kernel is small enough to be trusted. The proof is large enough to be comprehensive. The combination is the strongest software assurance technique available.

Rocq's extraction mechanism translates formally verified Rocq programs to executable OCaml code. That OCaml can be compiled, containerised, and deployed on sota.io's EU infrastructure — where the data residency guarantees are structural, not contractual.

INRIA Rocquencourt — The French Research Institute Behind Rocq

INRIA (Institut National de Recherche en Informatique et en Automatique) is a French public research institution founded in 1967, headquartered in Rocquencourt near Versailles. INRIA has produced some of the most important results in programming language theory and formal methods in European computing history: OCaml, Caml, Coq/Rocq, CompCert, and the Esterel synchronous language all emerged from INRIA teams.

Rocq was created by a sequence of INRIA researchers whose contributions built on each other over forty years:

• Thierry Coquand 🇫🇷 — developed the Calculus of Constructions (CoC) in his 1985 PhD thesis at INRIA under Gérard Huet. CoC is the type-theoretic foundation of Rocq: a unified theory of types and propositions in which a term and its proof are the same object. Coquand is now Professor of Computing Science at Chalmers University 🇸🇪 in Gothenburg and a Fellow of the Royal Society 🇬🇧.

• Gérard Huet 🇫🇷 — INRIA Research Director, co-supervisor of Coquand's thesis, and co-developer of the original Coq system. Huet's contributions to unification algorithms, type theory, and the Caml family of languages shaped European programming language research for three decades. He received the EATCS Award in 2009 and is a member of the French Académie des Sciences.

• Christine Paulin-Mohring 🇫🇷 — introduced inductive types to Coq in her 1989 PhD thesis, giving the system its expressive power for defining data structures with computational content. She is now Professor at Université Paris-Saclay (LRI/LISN). Inductive types make it possible to define lists, trees, natural numbers, and arbitrary recursive structures alongside proofs about them.

• Hugo Herbelin 🇫🇷 — INRIA Paris, co-developed the lambda-mu-mu-tilde calculus underlying Rocq's proof term language, and has led Rocq development for many years.

The Rocq development team is distributed across INRIA Paris, INRIA Saclay, the IRIF laboratory (Paris Diderot / CNRS), ENS Lyon, and Chalmers — an entirely European research network. The renaming from Coq to Rocq in 2024 (after a community vote) acknowledges this mature, professional infrastructure while preserving the computational identity of the system.

What Makes Rocq Distinctive

The Calculus of Constructions: One Type Theory for Everything

Rocq's theoretical core is the Calculus of Inductive Constructions (CIC): an extension of Coquand's Calculus of Constructions with Paulin-Mohring's inductive types. In CIC, the distinction between programs and proofs disappears. A function f : A → B and a proof p : ∀ x : A, P x are objects of the same language. This unification — the Curry-Howard correspondence — means that writing a correct function and proving a theorem are the same activity.

(* GDPR Art. 5(1)(b): Purpose Limitation *)
(* Formally specify and prove that data processing stays within declared purpose *)

Inductive Purpose : Type :=
  | Marketing
  | Analytics
  | ContractFulfillment
  | LegalObligation.

Inductive LegalBasis : Type :=
  | Consent (purpose : Purpose)
  | LegitimateInterest (purpose : Purpose)
  | ContractNecessity.

Record DataSubject : Type := {
  subject_id   : nat;
  data_purpose : Purpose;
  legal_basis  : LegalBasis;
}.

(* Theorem: processing is GDPR-lawful when purpose matches legal basis *)
Definition lawful_processing (s : DataSubject) : Prop :=
  match s.(legal_basis) with
  | Consent p         => p = s.(data_purpose)
  | LegitimateInterest p => p = s.(data_purpose)
  | ContractNecessity => s.(data_purpose) = ContractFulfillment
  end.

(* Proof: consent-based processing is lawful when purposes agree *)
Lemma consent_is_lawful (subject_id : nat) (p : Purpose) :
  lawful_processing {|
    subject_id   := subject_id;
    data_purpose := p;
    legal_basis  := Consent p;
  |}.
Proof.
  unfold lawful_processing. simpl. reflexivity.
Qed.

This is not a runtime check. It is a proof, verified by Rocq's kernel, that the consent model satisfies the lawfulness predicate for all possible inputs. No input can violate it. The proof is machine-checked.

Code Extraction: From Verified Proof to Deployed OCaml

Rocq's extraction mechanism translates Rocq definitions to executable OCaml, Haskell, or Scheme. The extracted code inherits the correctness guarantees of the proofs. A Rocq-extracted OCaml function is not merely tested — it is proved correct, then compiled.

(* Define a verified rate-limiter for EU API compliance *)
(* Under MiFID II, trading APIs must enforce per-second rate limits *)

Require Import Coq.Arith.Arith.
Require Import Coq.Bool.Bool.
Require Extraction.

(* Verified bound check: request count does not exceed limit *)
Definition within_limit (count limit : nat) : bool :=
  Nat.leb count limit.

(* Proof: within_limit is correct — true iff count ≤ limit *)
Lemma within_limit_correct : forall count limit : nat,
  within_limit count limit = true <-> count <= limit.
Proof.
  intros count limit.
  unfold within_limit.
  split.
  - intro H. apply Nat.leb_le. exact H.
  - intro H. apply Nat.leb_le. exact H.
Qed.

(* Verified decrement: consume one request from the limit *)
Definition decrement (count : nat) : nat :=
  match count with
  | O    => O
  | S n  => n
  end.

(* Proof: decrement never underflows *)
Lemma decrement_non_negative : forall n : nat,
  decrement n <= n.
Proof.
  intros n. destruct n; simpl; auto.
Qed.

(* Extract to OCaml — the extracted code carries all proofs *)
Extraction Language OCaml.
Extraction "rate_limiter" within_limit decrement.

The extracted rate_limiter.ml contains pure OCaml that is provably correct. It can be compiled with ocamlfind and deployed in a Docker container on sota.io's EU servers.

CompCert — Formally Verified C Compiler from INRIA

The most significant industrial application of Rocq is CompCert, developed by Xavier Leroy 🇫🇷 at INRIA. CompCert is a C compiler whose compilation chain is formally verified in Rocq: every optimisation pass is proved to preserve the semantics of the source program. No commercially available C compiler has this property.

CompCert is certified for:

• Airbus A380 software — avionics safety verification under DO-178C Level A
• Aerospace and defence — DO-178C, EN 50128 (railway), IEC 61508 (functional safety)
• Nuclear safety systems — formal correctness for IEC 61513

This is what it means for an EU AI Act Article 9 risk management system to have formal guarantees: the compiler itself is proved correct.

Deploy Rocq-Extracted Code on sota.io

The standard deployment pattern extracts Rocq-verified logic to OCaml and wraps it in a Dream HTTP server.

Prerequisites

• sota.io account (sign up at sota.io)
• Docker installed locally
• opam (OCaml package manager) with rocq-prover package

Step 1 — Install Rocq

# Install via opam (Rocq is in the opam repository)
opam install rocq-prover

# Verify installation
rocq --version
# Rocq Prover version 9.0 (or later)

# Create project structure
mkdir eu-verified-api
cd eu-verified-api
mkdir theories extracted

Step 2 — Write and Verify Rocq Definitions

(* theories/GdprApi.v *)
(* Formally verified GDPR data processing module *)

Require Import Coq.Strings.String.
Require Import Coq.Lists.List.
Import ListNotations.

(* EU GDPR Art. 30: Records of processing activities *)
Record ProcessingRecord : Type := {
  controller_name    : string;
  processing_purpose : string;
  data_categories    : list string;
  recipients         : list string;
  retention_period   : nat;           (* days *)
  data_residency     : string;        (* must be "EU" *)
}.

(* Predicate: record is GDPR Art. 30 compliant *)
Definition art30_compliant (r : ProcessingRecord) : Prop :=
  r.(data_residency) = "EU" /\
  r.(retention_period) > 0 /\
  length r.(data_categories) > 0.

(* Constructor that enforces compliance by type *)
Definition mk_compliant_record
  (controller processing : string)
  (categories recipients : list string)
  (retention : nat)
  (H_categories : length categories > 0)
  (H_retention  : retention > 0)
  : { r : ProcessingRecord | art30_compliant r } :=
  exist _ {|
    controller_name    := controller;
    processing_purpose := processing;
    data_categories    := categories;
    recipients         := recipients;
    retention_period   := retention;
    data_residency     := "EU";      (* structurally enforced *)
  |} (conj eq_refl (conj H_retention H_categories)).

(* Extract to OCaml *)
Require Extraction.
Extraction Language OCaml.
Extraction "extracted/gdpr_api" mk_compliant_record art30_compliant.

# Check and extract
cd theories
rocq compile GdprApi.v
# Output: extracted/gdpr_api.ml

Step 3 — Wrap in Dream HTTP Server

(* bin/main.ml — Dream HTTP wrapper around extracted Rocq code *)
(* The core logic in gdpr_api.ml is formally proved correct *)

let () =
  Dream.run
  @@ Dream.logger
  @@ Dream.router [

    Dream.get "/health" (fun _ ->
      Dream.json {|{"status":"ok","residency":"EU-DE","prover":"Rocq 9.0"}|}
    );

    Dream.post "/processing-records" (fun request ->
      let%lwt body = Dream.body request in
      match Yojson.Safe.from_string body with
      | `Assoc fields ->
          let controller  = List.assoc_opt "controller"  fields
                            |> Option.map Yojson.Safe.to_string
                            |> Option.value ~default:"unknown" in
          let purpose     = List.assoc_opt "purpose"     fields
                            |> Option.map Yojson.Safe.to_string
                            |> Option.value ~default:"" in
          (* categories always has at least "personal_data" — proof obligation satisfied *)
          let categories  = ["personal_data"] in
          let recipients  = ["controller_only"] in
          let retention   = 730 in   (* 2 years: standard B2B under HGB *)
          let _record     = Gdpr_api.mk_compliant_record
                              controller purpose
                              categories recipients
                              retention
                              (Obj.magic ())   (* proof term, erased at extraction *)
                              (Obj.magic ()) in
          Dream.json ~status:`Created
            {|{"status":"created","residency":"EU","retention_days":730}|}
      | _ ->
          Dream.json ~status:`Bad_Request {|{"error":"invalid json"}|}
    );
  ]

Step 4 — Multi-Stage Dockerfile

# Stage 1: Build verified OCaml binary
FROM ocaml/opam:ubuntu-lts-ocaml-5.1 AS build

RUN opam install --yes dream yojson

WORKDIR /app
COPY theories/ theories/
COPY extracted/ extracted/
COPY bin/ bin/
COPY eu-api.opam .

RUN opam install --yes --deps-only .
RUN opam exec -- dune build

# Stage 2: Minimal runtime
FROM ubuntu:24.04

RUN apt-get update && apt-get install -y --no-install-recommends \
    libev4 libssl3 \
 && rm -rf /var/lib/apt/lists/*

RUN addgroup --system app && adduser --system --ingroup app app

WORKDIR /app
COPY --from=build /app/_build/default/bin/main.exe ./server

USER app
EXPOSE 8080

CMD ["./server"]

Step 5 — Deploy to EU Infrastructure

# Deploy Rocq-extracted verified service to EU infrastructure
sota deploy

# Output:
# Building Docker image...
# Deploying to Hetzner Germany (eu-central)...
# TLS certificate provisioned
# Service running at https://your-rocq-api.sota.io
# Region: EU (Germany) — GDPR-compliant by default

Rocq and the EU AI Act

The EU AI Act (Regulation 2024/1689, fully applicable August 2026) places the highest obligations on high-risk AI systems — systems used in biometric identification, critical infrastructure, safety components, employment, education, law enforcement, and justice. For high-risk systems, operators must implement risk management, data governance, technical documentation, and human oversight (Articles 9–14).

Rocq addresses the most rigorous interpretation of these requirements:

Article 9 — Risk Management System: Risk management requires identifying and mitigating the risks arising from an AI system's decisions. A Rocq-verified module proves by construction that specific properties hold for all inputs — not for the test suite, not for the validation set, but for every possible execution. This is the strongest available evidence of AI system correctness.

Article 13 — Transparency: Technical documentation must describe the design, development, and performance of high-risk AI systems. Rocq proofs are machine-readable documents, versioned in source control, that describe the intended behaviour of the system with mathematical precision. A Rocq specification is simultaneously the documentation and the verification.

Article 15 — Accuracy, Robustness, Cybersecurity: Formally verified software cannot produce outputs that violate its specification — by construction, not by testing. GDPR-relevant properties (data residency, retention limits, consent scope) can be encoded as Rocq predicates and proved to hold before deployment.

European Legacy: Proof Theory to Deployed Software

The Rocq lineage runs through the heart of European mathematical logic and computer science:

• Thierry Coquand 🇫🇷 — Calculus of Constructions → Rocq's type-theoretic core, now at Chalmers 🇸🇪
• Per Martin-Löf 🇸🇪 — Intuitionistic Type Theory (Stockholm, 1975) → the mathematical parent of Rocq's type system
• Jean-Yves Girard 🇫🇷 — System F, linear logic → INRIA Paris and Université Aix-Marseille
• Nicolaas de Bruijn 🇳🇱 — AUTOMATH (TU Eindhoven, 1968) → first formal proof system, ancestor of all proof assistants
• Dana Scott 🇬🇧 → denotational semantics, Edinburgh (1970s), foundational influence
• Gordon Plotkin 🇬🇧 — structural operational semantics, Edinburgh → theoretical underpinning of verified compilation

The Four Color Theorem was formally proved in Rocq by Georges Gonthier 🇫🇷 at Microsoft Research Cambridge and INRIA in 2005 — the first formal machine-checked proof of a major mathematical result. The Feit-Thompson theorem (every finite group of odd order is solvable) was proved in Rocq in 2012 by a team led by Gonthier at INRIA — a 250-page mathematical proof checked line by line by a machine.

CompCert, Rocq's most deployed industrial product, runs in EU safety-critical systems today. The formally verified C code it produces meets DO-178C Level A — the highest assurance level for aviation software. On sota.io's EU infrastructure, CompCert-compiled binaries run with the same guarantees: code whose correctness is proved, not hoped.

Why sota.io for Rocq-Verified Software

EU-native infrastructure: Hetzner Germany. Data never leaves the EU. The formally verified data residency guarantees in your Rocq specifications match the physical hosting guarantees of sota.io.

Simple deployment: sota deploy from your project directory. No Kubernetes. No cloud console. No IAM policies.

Flat-rate pricing: €9/month for 2 GB RAM, 2 vCPU, managed PostgreSQL. Rocq-extracted OCaml binaries are compact and efficient — a verified API fits comfortably in 256 MB.

Automatic TLS: HTTPS certificate provisioned within seconds of deployment.

Compliance documentation for free: Rocq proof scripts are your EU AI Act technical documentation. They are already machine-readable, version-controlled, and mathematically precise. On sota.io, they stay in an EU-sovereign deployment environment that matches their provenance.

See Also

• Deploy Agda to Europe — Ulf Norell 🇸🇪 (Chalmers 2007). Original Agda was created by Catarina Coquand — Thierry Coquand's wife — making Agda and Rocq direct intellectual siblings. Both implement dependent type theory from the same Martin-Löf and Calculus of Constructions roots.
• Deploy Idris 2 to Europe — Edwin Brady 🏴󠁧󠁢󠁳󠁣󠁴󠁷 (University of St Andrews). Practical dependent types for application programming — the same formal foundations as Rocq but designed for software development rather than pure proof development.
• Deploy Lean 4 to Europe — Lean 4 mathlib grew from the same TYPES EU research network and Coquand's Calculus of Constructions. Thousands of formally verified theorems, directly descended from the INRIA type theory tradition.
• Deploy Isabelle to Europe — Lawrence Paulson 🇬🇧 (Cambridge) + Tobias Nipkow 🇩🇪 (TU Munich). The HOL-based EU formal proof assistant used for seL4, cryptographic proofs, and EU AI Act Article 9 documentation — companion tool to Rocq in EU safety-critical verification.

Sign up for sota.io → — Deploy Rocq-verified software and 69 other languages on EU infrastructure in minutes. (70 total)