pilot Agency Group: GDPR-Compliant AI Infrastructure for 1,000 Employees
How Germany's second-largest independent media agency built an AI infrastructure with full EU data residency.
“For me it was clear from the start: no data outside the EU, no compromises on GDPR. Gosign delivered exactly that – technically sound, no ifs or buts.”
- Company: pilot Agency Group
- Industry: Media & Communications
- Employees: 1,000+
- Locations: Hamburg (HQ), Berlin, Munich, Stuttgart, Nuremberg, Mainz, Zurich
Starting Point
pilot is one of Germany’s largest independent and owner-managed agency groups. With over 1,000 employees across seven locations, pilot serves clients including Dr. Oetker, OBI, Techniker Krankenkasse and GetYourGuide. As a media agency, pilot processes large volumes of campaign data, client data and media strategy documents daily.
The challenge: pilot wanted to deploy AI tools company-wide – for research, document analysis, campaign planning and an internal knowledge base. The requirement from Bosse Küllenberg, Managing Director Technology & Operations, was unequivocal: no data may leave the EU. No compromises on GDPR. And no vendor lock-in.
At that time, most AI providers offered no guaranteed EU data residency. ChatGPT Enterprise was not yet available, and the existing alternatives could not meet the requirements of a media agency handling sensitive client data.
Requirements
Bosse Küllenberg defined four non-negotiable requirements for the AI infrastructure.
First: complete EU data residency. All data – prompts, responses, uploaded documents – must remain in the EU. No US servers, no transatlantic data transfers, no exceptions.
Second: tenant separation. pilot serves clients from widely different industries. Data from one client must under no circumstances enter the context of another client. This requires strict data isolation at infrastructure level.
Third: model independence. The infrastructure must not be tied to a single LLM. When a better model appears, a switch must be possible without an architectural rebuild.
Fourth: traceability. Both for internal compliance and for clients, it must be documented which data is processed and which model is used.
Solution
Gosign implemented an AI infrastructure with the following properties.
The infrastructure runs entirely in an EU region (Germany West Central on Azure). No prompt, no document, no response leaves the EU. Data residency is not merely contractually assured but architecturally enforced: there is simply no path through which data could leave the EU.
Tenant separation operates at infrastructure level. Each team works in an isolated context. Uploaded documents, conversation histories and generated content are strictly separated.
The architecture is model-agnostic. The orchestration layer routes requests to the optimal model – currently several models run in parallel. A model switch requires a configuration change, not an architectural rebuild.
Every interaction is logged: timestamp, model used, context assignment. Prompt content is not stored, only metadata, which is sufficient for compliance evidence without violating confidentiality.
Outcome
pilot has an AI infrastructure that treats GDPR compliance not as a compromise but as a design principle. Over 1,000 employees use the infrastructure daily – for research, document analysis and campaign work.
EU data residency is fully guaranteed. Tenant separation prevents any form of data leakage between client teams. The model-agnostic architecture has already enabled two model switches without operational interruption.
Bosse Küllenberg had a clear vision from the start of what AI infrastructure must look like in a regulated environment. Gosign translated that vision into technology – clean, auditable and future-proof.
Metrics
| Metric | Value |
|---|---|
| Employees with access | 1,000+ |
| Locations connected | 7 |
| EU data residency | 100% |
| Model switches without rebuild | 2 completed |
| Vendor lock-in | None |