Blog — sota.io

2026-05-05·14 min read·

AWS Bedrock AgentCore is Amazon's managed runtime for building production AI agents: persistent memory stores, tool execution sandboxes, agent-to-agent collaboration, and fully managed orchestration infrastructure. For EU developers, it is also the most comprehensive way to route your users' personal data through US-jurisdiction servers that are permanently subject to CLOUD Act compelled disclosure. This guide maps exactly where EU user data lands inside AgentCore's architecture, why vector embeddings create a near-unsolvable Art.17 erasure problem, and how the EU AI Act's August 2026 GPAI obligations apply to every developer using Bedrock's foundation models inside an agentic workflow. ## What AWS Bedrock AgentCore Actually Is Standard Bedrock is a stateless inference API: you send a prompt, get a response, the session ends. AgentCore adds the infrastructure layer that makes multi-step agents practical at scale: - **Managed Memory Store** — persists agent session state, conversation history, and user-specific context across sessions. Supports in-context memory (short-term), semantic/vector memory (long-term retrieval), and episodic memory (structured past interactions). - **Tool Execution Environment** — sandboxed runtime for agents to call APIs, execute code, browse web content, and interact with databases. All tool calls and their inputs/outputs are logged for debugging and audit. - **Agent-to-Agent Orchestration** — supervisor agents can delegate to specialist subagents, creating multi-agent pipelines where data flows between multiple model invocations. - **Gateway and Session Management** — managed API gateway handles authentication, rate limiting, and session routing between your application and the agent fleet. Each of these components creates a distinct data processing activity under GDPR Art.4(2) — and all of them run on AWS infrastructure subject to US law. ## The CLOUD Act Exposure: Worse Than Standard Bedrock With standard Bedrock, the exposure is transient: prompts pass through, responses return, and inference logs are only retained if you explicitly enable them. With AgentCore, the exposure is structural and persistent. **Memory stores are designed to last.** Semantic memory in AgentCore accumulates user context over time — the agent learns that user 4821 prefers German-language responses, has a GDPR data processing agreement under review, and last asked about Art.35 DPIAs. This is not transient inference data. It is a long-term user profile built from AI processing, stored in AWS infrastructure under US jurisdiction. **Tool call logs are comprehensive.** Every tool the agent executes — database queries, API calls, file reads, web fetches — is logged with its full input and output. If your agent retrieves a customer's order history to answer a support question, that order history appears in the AgentCore tool execution log. Under the CLOUD Act, a US federal agency can compel AWS to produce those logs without notifying you or your user. **Agent-to-agent flows multiply the surface.** In a multi-agent pipeline, user data may be processed by four or five foundation model invocations before a response is returned. Each invocation creates log entries. The data flow from supervisor to subagent is logged at the orchestration layer. By the time a complex query resolves, a single EU user interaction has generated a dozen US-jurisdiction data records. Choosing `eu-west-1` or `eu-central-1` as your Bedrock region does not change this. AWS is a US company. CLOUD Act jurisdiction follows corporate structure, not server location. ## GDPR Art.5: Storage Limitation and Purpose Limitation in Agent Memory AgentCore's persistent memory is exactly the kind of processing GDPR Art.5 is designed to constrain. **Art.5(1)(b) — Purpose limitation:** You collected your user's email to send them a receipt. Your AgentCore semantic memory store now uses that email as the key for a growing profile of AI-inferred preferences, interaction patterns, and behavioral context. Unless you explicitly defined this secondary use in your privacy notice and obtained separate consent or established a compatible lawful basis, this is a purpose limitation violation. **Art.5(1)(e) — Storage limitation:** Personal data may not be kept "for longer than is necessary." AgentCore's semantic memory is explicitly designed to persist indefinitely — that is its value proposition. Without an automated retention policy that purges personal data after a defined maximum period (and can demonstrate deletion), you are in violation of Art.5(1)(e) from the moment the first user interaction is stored. **Art.5(1)(c) — Data minimization:** The agent's memory store will accumulate whatever passes through it. If your tool execution logs include full API responses with customer records, billing data, or health information because it happened to be in the tool's output, AgentCore stores more than was necessary for the agent's purpose. Implementing tool output filtering before persistence is an engineering task, not a configuration toggle. AWS does not enforce any of these obligations on your behalf. Your AgentCore DPA with AWS covers AWS's role as data processor. Your obligations as controller — defining retention schedules, enforcing minimization, restricting storage to necessary data — remain entirely yours to implement in application logic. ## The Art.17 Erasure Problem: Vector Embeddings Are Not Deletable This is the most technically intractable compliance issue with agentic AI, and AgentCore's architecture makes it acute. When a user exercises their GDPR Art.17 right to erasure, you must delete all personal data relating to that user. In a traditional database, this is a `DELETE WHERE user_id = X` operation. In AgentCore's semantic memory store, user interactions are stored as vector embeddings alongside their source text — indexed for similarity retrieval rather than exact-match lookup. Deleting the source text is the easy part. Deleting or neutering the embedding is not. **Why embeddings are resistant to erasure:** 1. **Embeddings encode relationships.** A vector embedding for "user 4821 asked about DPIA requirements for AI systems" encodes not just the text but its semantic relationship to thousands of other concepts. You cannot surgically remove one user's semantic influence from a shared embedding space. 2. **Cosine similarity queries are not user-scoped.** When a future agent query retrieves semantically similar past interactions, it may surface content that was derived from user 4821's data even after you have deleted their named record. The embedding influence persists. 3. **AWS does not expose embedding-level deletion.** AgentCore's managed memory API provides session-level and record-level deletion. There is no API to confirm that a given user's data has been fully purged from the vector index, because that is not how vector indices work. 4. **Cryptographic deletion is theoretical.** Some providers have proposed encrypting each user's embeddings with a per-user key and then deleting the key (crypto-shredding). AgentCore uses AWS-managed KMS keys, not per-user keys. This approach is not available in the standard configuration. The practical consequence: if you use AgentCore's semantic memory with EU user data, you cannot fully comply with Art.17 erasure requests for that data. You can delete structured records. You cannot guarantee you have deleted all derivative personal data from the vector index. This is a GDPR Art.35 high-risk processing indicator, which means a DPIA is mandatory before you begin. ## EU AI Act August 2026: GPAI Deployer Obligations for AgentCore Users From 2 August 2026, the EU AI Act's GPAI obligations apply to anyone deploying a general-purpose AI model in an EU context. AWS Bedrock AgentCore abstracts the infrastructure, but it does not abstract your legal position under the AI Act. **You are a GPAI deployer, not a provider.** You are not training or releasing the foundation model (Claude, Llama, Titan, or whichever model AgentCore routes to). You are deploying a GPAI system to your EU users. That makes you a "deployer" under EU AI Act Art.3(4) and Art.50. **Art.50(1) — Transparency obligation.** EU users interacting with your AgentCore-powered assistant must be clearly informed they are interacting with an AI system. This obligation survives whether you use a single-turn Bedrock call or a complex multi-agent AgentCore pipeline. If your agent impersonates a human support representative, this is a prohibited practice under Art.5(1)(b). **Art.50(4) — Synthetic content disclosure.** If your AgentCore pipeline generates text, images, audio, or video that could be mistaken for human-produced content, you must clearly label it as AI-generated. This applies to AI-authored support emails, documentation drafts, and marketing copy produced by your agent. **Art.50(2) — Emotion recognition and biometric categorization.** If any tool in your AgentCore pipeline performs emotion inference, sentiment analysis for discriminatory purposes, or biometric categorization, additional disclosure and restriction obligations apply. **Art.25 — Deployer register.** Your organization may be required to maintain records of your AI system deployments for inspection by national competent authorities. For a multi-agent AgentCore deployment, this register must capture: the foundation model used, the purpose, the affected user population, the high-risk determination, and your Art.50 compliance measures. ## GDPR Art.35: When a DPIA Is Mandatory for AgentCore GDPR Art.35 requires a Data Protection Impact Assessment before any processing that is "likely to result in a high risk to the rights and freedoms of natural persons." AgentCore-based deployments trigger multiple high-risk indicators: | DPIA Trigger | AgentCore Context | |---|---| | **Systematic profiling** | Semantic memory builds persistent behavioral profiles of individual users | | **Large-scale processing** | Production agent deployments typically cover thousands of users | | **New technology** | EDPB considers generative AI and agentic systems a new technology requiring DPIA | | **Automated decision-making** | If agent outputs affect user rights (credit, access, insurance) without human review | | **Sensitive data categories** | If any user query includes health, financial, or political information | | **Data matching/combining** | Multi-agent pipelines combine user data from multiple tool sources | If your AgentCore deployment triggers two or more of these criteria, a DPIA is mandatory — not optional. The DPIA must be completed before you begin processing, not after you have shipped the feature. AWS's Shared Responsibility Model places DPIA responsibility entirely with you. AWS confirms they implement security controls. AWS does not confirm that your use case is GDPR-compliant. ## Building GDPR-Compliant Agentic AI on EU Infrastructure The alternative to AgentCore is not to abandon multi-agent AI. It is to build the same architecture on infrastructure where your EU data stays under EU jurisdiction. **Open-source agent frameworks with EU infrastructure:** - **LangGraph** (by LangChain) — production-grade multi-agent orchestration framework with stateful agent graphs, checkpointing, and human-in-the-loop support. Self-host on any EU VPS or PaaS. - **CrewAI** — role-based multi-agent collaboration framework. Supports tool use, agent delegation, and custom memory backends. Deploy on EU infrastructure, point memory at your own Postgres or vector DB. - **AutoGen (Microsoft)** — multi-agent conversation framework. Self-hosted, model-agnostic. - **Pydantic AI** — type-safe agent framework with dependency injection. Lightweight, EU-deployable. **EU-resident vector databases for agent memory:** - **Qdrant** — open-source vector DB, self-hosted on any EU server. Supports payload filtering for user-scoped queries, and `DELETE` operations that actually delete records. - **Weaviate** — open-source vector DB with tenant isolation, supporting per-tenant key management for crypto-shredding compliance. - **pgvector** — vector extension for Postgres, runs on any EU Postgres instance. User-scoped deletion is standard SQL. **For the foundation model:** - **EU AI providers:** Mistral (France), Aleph Alpha (Germany), Silo AI (Finland, acquired by AMD) — EU-jurisdiction APIs with DPAs and no CLOUD Act exposure. - **Self-hosted open weights:** Llama 3, Mistral 7B/Mixtral — deploy on EU GPU infrastructure (Lambda Labs EU, Hetzner dedicated) to eliminate third-party API exposure entirely. **What stays the same with a self-built stack:** - Agent reasoning quality (same foundation models, same orchestration patterns) - Tool calling, multi-step reasoning, memory retrieval - Scalability (Kubernetes on EU clusters, sota.io managed infrastructure) **What becomes compliant:** - Memory store jurisdiction (EU server, your control) - Erasure completeness (SQL `DELETE` or per-tenant crypto-shredding) - Tool call logs (your infrastructure, your retention policies) - CLOUD Act immunity (no US corporate parent with access to your data) - Art.17 compliance (full deletion verifiable by your own database queries) ## Checklist: AgentCore EU Compliance Assessment Before deploying AgentCore with EU user data: **Data flow mapping** - [ ] Documented all data inputs/outputs at each agent step - [ ] Identified which steps process personal data (directly or as context) - [ ] Mapped tool call inputs/outputs to GDPR data categories - [ ] Confirmed AWS region selection (note: does not change CLOUD Act exposure) **Lawful basis and transparency** - [ ] Identified lawful basis (Art.6) for each distinct processing activity (inference, memory storage, tool execution logging) - [ ] Privacy notice updated to cover AI agent processing and persistence - [ ] Art.50 transparency disclosure implemented in UI (users informed they interact with AI) - [ ] No human impersonation in agent responses **Data minimization and retention** - [ ] Tool output filtering implemented before memory persistence (only necessary data stored) - [ ] Retention schedule defined and automated for all memory stores - [ ] Session data purge tested and verified **Erasure compliance** - [ ] Erasure procedure documented per user ID for all AgentCore data types - [ ] Confirmed whether semantic/vector memory allows complete erasure (if not, document residual risk) - [ ] Erasure automation implemented and tested **DPIA** - [ ] High-risk triggers assessed (systematic profiling, large scale, sensitive categories, new technology) - [ ] DPIA completed and documented if two or more triggers apply - [ ] DPO consulted (if your organization has one) **Data processor chain** - [ ] AWS DPA signed and current - [ ] SCCs or adequacy decision covering US data transfers documented - [ ] All sub-processors used by AgentCore identified in your processor records ## What sota.io Offers for EU Agentic AI If you are building AI agent applications and want EU jurisdiction without managing Kubernetes clusters, [sota.io](https://sota.io) provides: - Deploy any agent framework (LangGraph, CrewAI, AutoGen, custom) as a container - EU-resident infrastructure only — no US data centers in your data path - €9/month flat pricing with 2GB RAM - Standard Docker deployment — your agent code, your vector DB configuration, your retention policies - DPA available, EU-jurisdiction data processing The agent framework, the memory store, and the tool execution environment all run in infrastructure you control, in EU jurisdiction you can document to your DPA and your users. ## Summary AWS Bedrock AgentCore solves real engineering problems: persistent multi-step reasoning, semantic memory retrieval, and production-grade multi-agent orchestration. For EU developers processing personal data, it creates structural compliance problems that cannot be resolved by selecting an EU AWS region: - Agent memory stores are long-term personal data repositories under US jurisdiction - Vector embeddings create an Art.17 erasure gap that cannot be closed with standard AgentCore APIs - Every tool call log is a US-jurisdiction record of what your EU users asked and what data was retrieved for them - Multi-agent pipelines multiply the CLOUD Act exposure surface - August 2026 GPAI obligations apply to you as deployer regardless of which Bedrock model handles inference The engineering cost of building GDPR-compliant agentic AI on EU infrastructure with LangGraph, Qdrant, and a Mistral API is comparable to building the same system on AgentCore. The compliance posture is fundamentally different. EU users, enterprise prospects, and regulators will ask where their agent conversation data goes. EU infrastructure gives you an answer. AgentCore does not.

EU-Native Hosting

Ready to move to EU-sovereign infrastructure?

sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.

Start free — no credit card View pricing