Move Data Handling to EU for European Kagi Users

[deleted]

--deleted--

Boomkop3

[deleted] It's been hovering around being 5% to 10% less than the euro for a decade now. I wouldn't expect too much extra value

mrmanafon

Vladimir’s answer on this burning question, during the recent AMA left me speechless. He shrugged his shoulders and attempted to gaslight the audience “yeah we good on privacy no reason to be in eu, trust, skibidi”.

It is entirely possible that he is uninformed, or living in a SF bubble, but the issue of moving clouds into EU is all that is talked about in the EU countries. To paint a picture, I work at a digital agency dealing with enterprises, and virtually every single client has asked this question i the past couple of years (since the Pribacy Shield was invalidated in 2020) in the past year months (since DPF was challenged) and especially during the last 6 months (since US started openly targeting EU privacy laws). We now have a whole program about air-gapping our enterprise clients from US, and moving other clients to EU cloud providers. All new projects are projected to be outside of the big cloud companies unless specifically requested by the client. Even the various EU governments are discussing removal of Microsoft from public use, and in the Nordics there is already a similar push by both the public, provate sector and the trade unions, for removal of US companies from helthcare and payment processing. Heck, supermarket shelfs have little warning symbols next to US goods, what are we talking about? The level of awareness is real.

In other words, this is about much more than just Kagi’s stance on privacy. Vlad could have easily answered with “yes we are in the US, but we are committed to honouring EU laws by having prepared DPAs, and we have standard EU-approved contractual clauses for bith b2b and b2c users, as well as SOC2 which while not EU specific showcases that our architecture is incapable of storing user information of our EU customers inside US.”, however, he didn’t say that - which in my mind shows that he has no clue about the importance of these.

Uuf, I was so happy with Kagi thus far, and I wouldn’t even worry about these, I’d just trust Vlad… But the cluelessly defensive stance on that AMA really shook my trust in the company. A CEO that isn’t looking to sell to SF VC capital asap would not say those things, a CEO that isn’t cucked by partnerships with some of the indexes would not defend this (reminiscent of the Yandex situation), a CEO that talks to any of their EU customers would have easy and clear answers for this question that is literally mentioned in daily news every day - as opposed to being surprised by it. So this means either he doesn't know, or he doesn't care, both are discouraging. Please be better 🙁

Boomkop3

mrmanafon I'm fine with the "don't care" side of things. Kagi is a better search engine, not a private one. And if you trust kagi not to cycle server side token, their privacy pass is great.

For that, there are publicly available searchx servers out there. https://searx.be/ is forked from searxng and maintained, hosted and used in the eu. It does not deliver the same quality or customizability as kagi though. It's just an aggregator lumping other search engines into one big ui

mrmanafon

Boomkop3 I do not disagree with you, but for me its not the privacy technicalities that are the most important, its the “don’t care” response that matters.

I saw this same sort of answer back when the whole Yandex question was brought up, and it made me skip on Kagi back then. I gave it another chance now, like ok i can swallow supporting Yandex, only to get the same attitude towards EU.

If a company doesn’t care, then that puts up a red flag for me, bigger than literally saying “yeah we sell your data on silkroad”. 😃

Honesty and Care are what I look for. Vlad was honest, but he didnt care. There are ways to say “we wont do it” without sending the don’t care signal. Show that you understand the need/wish, show that you informed yourself, show that you’ll codify some steps but not the others.

P.S. As an example of this being done right - I was making a bulk purchase from Cursor, an american company. When our DPO started asking questions, they were fully informed, explained piece by piece how you can get the same assurances, had everything documented in a succint manner, without them being in EU, and within 2 emails passed with flying colours. A stark contrast to “yeah trust me we love privacy”.

Luis

I want to clarify an important point: Kagi does care (a lot) about privacy; what we don't care about is user data.

mrmanafon

P.S. As an example of this being done right - I was making a bulk purchase from Cursor, an american company. When our DPO started asking questions, they were fully informed, explained piece by piece how you can get the same assurances, had everything documented in a succint manner, without them being in EU, and within 2 emails passed with flying colours. A stark contrast to “yeah trust me we love privacy”.

We would appreciate it if you could share the contents/structure of this succinct document, provided you can.
We have put significant effort into making our privacy policy simple and clear, as we believe transparency builds trust. If you have suggestions for additional best practices, we are keen to learn and implement them.

Boomkop3

mrmanafon gdpr is very strict, and fines imposed for violating it depend on gross income. A company that's raking in investors money has to be extra careful following the law. Hence why such companies have excellent processes for that in place.

Except Apple, they just keep padding irelands tax budget :p

mrmanafon

Boomkop3 Thanks for the response, I'm glad to hear that you didn't take my comments as an attack. I do want this to work, but was quite confused hearing Vlad shrug-off the questions.

The trick is to ensure European users that you do not store or trade their information, in a codified and structured way. Or if you do, then being ceratin about where it goes. A sentence such as "We value your privacy, and whenever possible we will choose not to require or save any user data." is not sufficient in the privacy policy.

I can share Cursor's approach, since it is publicly available and covers both their b2b and b2c customers. Are their answers "good" in terms of data sharing? Not really, they collect a buttload of info. I believe Kagi collects a lot less. And they are overly verbose. However, the important part is that they have ready answers and clear breakdowns, showing that they took the issue seriously. They made it easy to consume and decide what level of risk we are willing to take.

It is all about the presentation and UX. Kagi can be even better at this. Looking at your Privacy page you could totally do the same with just a bit of rewording and some additional pieces of info. In the case of asking for DPA, they direct you to 3 pages:

https://trust.cursor.com - where you can see their SOC2 self-assesment, which answers some of the questions about data storage and subprocessor list that makes it easy to trace back the jurisdiction of different vendors that get access to your data, it also shows a lineage of their controls, answers about infrastructure in China and Russia, lays out encryption practices.
https://www.cursor.com/security - details data residence choices, stability assurances, deletion practices with examples, known limitations
https://www.cursor.com/privacy - similar to yours, a general-purpose breakdown, goes into detail about their no-store no-train policy, declares data sharing practices, reminds the user about their choices, declares jurisdiction exceptions, defines cases when PII is transferred outside EEA and ensures that an "adequate level of data protection" is used when transferring PII outside EEA.
https://www.cursor.com/terms-of-service - classic legal word wall, lays out the details regarding judicial arbitrage, fair use, and auditing requests (this last one is a big subject in DPAs).

Again, they are being too verbose, you can do all of this in a much smaller format. As long as you have answers (good or bad) that is a green flag.

Keep in mind - my comment isn't about what is legally required of you. This is an often misunderstood part of Europeans asking about EU data residency. It is about what assurances do you willingly give. Its about your vibe. Can you make me feel I'm in safe hands. If you can do that by displaying sanity, conciousness and good architecture practices, then you're golden. You just need to communicate it properly.

All these combined (especially 1&2) basically answer all the questions that DPA would answer and can replace a DPA easily.

Basically there are not that many question permutations - over time they gathered all the questions coming from EU, and codified easy answers into their pages. So, when you reach out asking for a DPA or legal entity residency, they have canned responses on their public pages already.

Common questions are:

What PII is being gathered and when.
What circumstances is PII shared with subprocessors and which ones.
What circumstances is PII sent outside of EEA and what protections does it fall under. (basically, "how likely is it that JD Vance can read my name and search history" 😃 )
What pieces of PII (or intellectual property) fall outside of EEA jurisdiction.
Proving (through architecture practices, encryption etc) that a breach will not compromise Europeans PII to the best of your ability.
Proving (through architecture practices) the intended stability of the system if some usage paths are critical (to describe it better, with Cursor its basically "if a war starts tomorrow, will i still have access to my code", im not kidding with the war part).
General Location (jurisdiction, continent or country) of teams that get access to PII or critical systems. (hard to explain - usually asked for if the customer falls under one of the laws about critical infrastructure, where everyone that touches critical parts must be "within a NATO-aligned country")
Explicit assurance that PII is not used for training LLMs, options for opting out, listing LLM providers in question.
Same, but about intellectual property (queries, code, translation text, history, preferences etc)
Bonus points if you explain your general ownership structure or unionization practices thats a big win.

madhatter

In my (admittedly not-at-all-any-kind-of-expert) view, Mullvad sets a good benchmark. They have regular audits and make the reports public. They are constantly working towards minimising the possibility of data falling in the wrong hands (including over-zealous law enforcement blokes who grab machines off data centres) including steadily moving towards a 'everything is only in memory and nothing on disc' model.

Of course, they have other things going: No account at all - you just get a 16 digit code as "account identifier" and you can pay anonymously with cryptocurrency (or send them an envelope with cash).

That aside, the fact that providers in USA can be forced to pull data from overseas data centres always makes a company headquartered there inferior to one where there are stronger privacy guarantees (like GDPR) given everything else is equal. If you look at recent tech news and see how large corporations have gotten uncomfortable and are trying their best to suggest/form corporate structures which would prevent this illegal data exfiltration (violating GDPR despite operating in EU) upon being strong armed by USA, you can see that the problem and the threats are real and not just fictitious. I can recommend an excellent search engine to look this up (with a cute doggie as their mascot). You can also see the steadily growing discomfort with USA based providers. Once these changes hit a critical mass, there is no going back.

I really like Kagi and recommend it to all my friends. However, if there is an equivalent (or almost equal) EU based provider, I'll switch solely because the legal guarantees are greater and there's less chance of autocratic data grabs (one of those cases where the infamous bureaucracy might work in favour of the EU).

EDIT:
https://blogs.microsoft.com/on-the-issues/2025/04/30/european-digital-commitments/

As you can see, even they, with probably one of the most potent legal teams in their country, can't promise they won't just hand over EU data or stop EU operations if forced by USA. All they say is that they are committed to fighting it in court. What good is that if the courts aren't able to enforce laws, for instance in an emergency or when the HQ country turns hostile (not much further from recent events)?

So, as long as the HQ (legally/in-practice) is in USA, it always carries additional risk for EU residents and citizens to use such a service.

Nevertheless, when the data is held in EU and set up in such a way that only upon active cooperation of EU based employees/contractors it can be accessed, it adds a layer (however feeble) of protection and is better than nothing.

Boomkop3

madhatter I'm sorry to bring up this context. About a month back, the international court of justice came out with a ruling that Trump disagreed with. And the onedrive access and outlook email accounts of the court and some of their employees were shut down. Result: the court case got delayed, and some required documents were temporarily unavailable.

And yes, with the internet existing, where the physical datacenter is doesn't matter all that much anymore. And although I think Kagi has the right intentions, presenting yourself as negligent is... not quite reassuring

carl

madhatter In my (admittedly not-at-all-any-kind-of-expert) view, Mullvad sets a good benchmark. They have regular audits and make the reports public.

Mullvad is a company whose main and only business is internet privacy. So of course they will give all their attention to their core.

Kagi's main business is not internet privacy, but high quality search. They probably don't have endless resources to improve the perceived privacy of their services.

One important thing is that if you don't trust a person or a business, it doesn't matter how many reassurances you ask for. If they are dishonest, they will just lie to you. And if they are honest, you are just insulting them for no reason at all.

There's a myth within the online computer enthusiast community that EU is in some way safer for privacy than the US. Like Vlad mentioned, that isn't the case. The EU itself and the EU member states are violating citizen privacy as much as they are able to, including spying on all internet traffic. It is simply not safer or better for privacy than the US.

madhatter

carl

I believe we (you and I) can't come to an agreement. I believe that having a legal framework protecting privacy is superior to not having one. I have seen it in practice (at previous workplace).

As for trust, it's not binary, it's a scale. I leave it at saying that we have to just agree to disagree on this.

mrmanafon

carl Again, it matters not what the EU laws say. Forget about the legal framework flr a second and think purely about the marketing.

If you have customers asking en masse for EU data residency, your job as a CEO is to investigate what can you offer to mend that need - not to shrug it off. It’d be the same thing if Kagi customers suddendly started asking about strawberries - Kagi ain’t a strawberry company, but your job would be to understand why this is the case. If the CEO comes out and says “heres some ginger, trust me its better” that certainly is a choice, but don’t be confused pikachu face when the audience thinks you funadmentally don’t understand them.

As a CEO your job is marketing, strategy and trust. If you start throwing trust away by shrugging off the needs of your users, see where that takes you. I’m not even saying you need to deliver on those needs - but you must display deep understanding before you can be opinionated about not delivering them, not the other way around.

On top of that, there ABSOLUTELY is a huge difference for us customers, when legal is being followed, versus when it is not. I hear some sort of weird idea that EU law is somehow this weird plethora of endless beureaucracy - it can’t be further from the truth, in fact we often make jokes about American companies having these insane long winded terms and tiny text. The EU rules are quite simple and pragmatic, and just require companies to be transparent and honest, as well as do regular maintenance of their policies. Kagi already does most of these things, so why not give them form, write them down and thereby fulfill the legal framework?

“Legal Framework” sounds scary, its just a fricking blogpost you need to fill out. “We store no PII outside EU. A sentence explaining the architecture. Here is a list of partners that do. Last updated 6mo ago. You decide if its the risk you are willing to take.” Thats all it takes.

Or, you know, you could go the extra mile and also open an EU subsidiary. You’d literally be expected to do this if you were targeting US, so why is it such a scary thing when offering the same comfort and security to the EU residents?

carl

mrmanafon

I appreciate your comment, but I wouldn't say that there's customers en masse asking for Kagi to be moved to the EU. They have over 50 000 paying customers, and a few people who are very active in asking for this and other people who are very active and insistent on asking for other things, such as removal of Brave index, removal of all AI, removal of Yandex, cheaper price for their country, etc.

But just because some people are very passionate about something, doesn't mean that the majority of customers or potential customers are. You could be right and Kagi could have had 100 000 users instead of 50 000 if they were in the EU, but we can only speculate.

You are applying your own sentiments and preferences to the general public. I think that the only way forward for Kagi is to become even better at search by radically improving and expanding the sources they draw their results from. But that's just my opinion, and I might be wrong. I don't see any other people asking for these things that I care about. But part of business is also delivering good solutions that people didn't know before that they wanted or needed.

I do business in the EU, and it's not difficult for a company to follow the regulations regarding personal information collection. So I agree with you on that. But you can take the same care with that data without being in the EU, as I suppose Kagi does. I guess that's what you're suggesting here:

Kagi already does most of these things, so why not give them form, write them down and thereby fulfill the legal framework?

mrmanafon

Dustin There is no “certification”, GDPR is law, so as a company you just need to write down where the data goes, and an email where folks can request deletion - Kagi already does that.
So this isn’t about GDPR, it is moreso about getting Kagi to put their policies on paper, instead of saying “trust me California has laws too”. Okay, if you say you already follow all of these, then summarize it and put it on a webpage.
The question of EU data residency doesn’t mean moving Kagi into EU. It means personal information not leaving EU, which is significantly easier to make happen through fairly standard architecture practices. They may even do it already. And then you write it down on a blogpost and let the world know. There is no beureaucracy involved, its pure marketing - you convince folks that you are taking this seriously, and nobody will ask for more.

Now, a CEO could decide to take more drastic measures - EU legal entity, airgapped cloud, ISO certification, SOC2, audits… But nobody is asking for those. They are just tools for you to prove your practices, once you find your message to fall flat. We are just asking for Vlad to display he understands the problem, and lay out what his practices to prevent it are. If you have a satisfactory answer, nobody will ask you for more.

carl Yes that is what I am suggesting - as a CEO, you need to analyze WHY folks are asking this of you, and then come up with a way to answer the core of the issue without moving Kagi into EU. Idk how else to spell it out for Vlad. Its a blogpost. An addendum to the privacy page. It ain’t that hard.

Also, I wouldn’t be so sure about “a small number of people”. This was the first question on the AMA last week. It is also a chicken and egg problem - if you had a hypothetical Serbian search engine and tried to convince Americans to trust you by saying “trust me we got laws here” on an AMA video, you’d eventually end up with only Serbian customers and a minority of Americans, as they’d start leaving one by one.
So for me, more than anything, Vladimir shrugging off those questions is a signal that he does not care about European customers. Which is totally within his rights, I just won’t be around to support it.

Dustin

@carl

But you can take the same care with that data without being in the EU, as I suppose Kagi does.

So I guess this is my main takeaway. I don't think there's any legal requirement that a service needs to be in the EU to be GDPR-compliant. So how does one go about getting "certified" and is that all that people are asking for at the core?

mrmanafon

Ha, speaking of communicating things, just received an email from Excalidraw:

At some point, every company reaches the phase where "we promise we're doing things securely" just doesn't cut it anymore. We were getting tired of filling out endless security questionnaires, the kind of stuff that can easily live in a proper trust center.

It's one thing to say, "We use MFA, we encrypt stuff, we care about your data," but it hits different when a third party auditor confirms we're actually doing it by the book.

Most of the security stuff we were already doing, SOC 2 just forced us to write it down officially.

Announcement: https://plus.excalidraw.com/blog/excalidraw-soc2
Trust: https://trust.excalidraw.com
Compliance: https://plus.excalidraw.com/security-and-compliance

In other news,

The 2025 "GDPR overhaul" is expected to tighten data shipping parts of the regulation, but loosen the documentation parts for SMBs.

There will be a stronger requirement for safeguards regarding international data transfers, especially after the invalidation of the Privacy Shield and revisions to the Standard Contractual Clauses (SCC) to strengthen the EU’s position regarding more robust safeguards when exchanging data across borders. The EU wants to fully harmonise GDPR obligations and enforce those obligations as well.

Gredharm

Europe is increasingly dangerous for privacy, as Chat Control is eventually almost certainly going to get pushed through. They keep making little fake changes to pretend it isn't as bad, but eventually it will pass. Switzerland and Sweden also looks likely to give up their privacy cred, with both Proton and Mullvad showing concerns about privacy in their countries.
I'm not sure what an immediate solution is, but the worst solution is storing private data in your own country anyway. Ideally you want private data stored either in a neutral or enemy country to your own, unless you're in a senior government/corporate position where it could be used against you that way.

« Previous Page