The CLOUD Act and its Consequences: Why We Rethought Our Cloud Infrastructure

How we protect your data from the US CLOUD Act and guarantee maximum legal certainty with our new European infrastructure

Cloud technology forms the backbone of many digital services. However, with increasing regulation and political influence in the international context, the issue of corporate data security is coming more and more into focus. The CLOUD Act, in particular, has caused uncertainty among many companies regarding the legal framework for data storage.

We, too, have put our infrastructure to the test. After a comprehensive assessment of the situation, we have moved our platform to a European cloud provider. In this article, we want to share the considerations that led to this decision and the practical effects this has for our customers. At the same time, we shed light on the key background information regarding the CLOUD Act, which is also significant for other organizations.

What the CLOUD Act is all about – and why it affects European providers

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a U.S. federal law enacted in 2018. It obliges cloud providers based in the USA to hand over data to U.S. authorities – even if this data is physically located on servers outside the USA.

Physical storage of data in Europe alone does not protect against access by U.S. authorities. The decisive factor is control over the company, not just the location of the data center.

This means: Even if a company operates in Europe, data residing on the infrastructure of U.S. providers can be requested by foreign agencies. Under certain circumstances, it may be sufficient for the company in question to be merely partially owned by an American parent company. AWS and other U.S. hyperscalers promise a solution with the so-called "European Sovereign Cloud," but it is not credible that this operates within a different legal framework, and so far it remains an unfulfilled promise.

Furthermore, the CLOUD Act does not provide for a duty to inform the affected persons or companies. Data requests can therefore occur without you or us being notified. Additionally, legal recourse against such requests is limited – affected companies often have no way to sue before European courts to enforce their data protection rights.

What does this mean for our data protection strategy?

We process data on behalf of our customers daily, which often includes confidential or personal information. If this data runs through platforms subject to U.S. law, we cannot rule out with absolute certainty – despite a European corporate structure – that third-party access could occur.

This uncertainty – paired with the international political developments of recent years – was a trigger for us to fundamentally rethink our infrastructure. The discussion around the CLOUD Act made it clear to us: Corporate data sovereignty is becoming a central factor in the future security of software providers.

Additionally, many European companies, especially in sensitive or regulated industries such as manufacturing, healthcare, or the public sector, are subject to strict requirements regarding data processing and compliance. In our view, hosting under non-European control is no longer acceptable for these operations.

Another central issue in the decision for European cloud providers is the GDPR. The GDPR stipulates that personal data may only be transferred to third countries under certain conditions. However, the CLOUD Act can force U.S. companies to hand over data without the consent of the data subjects or without appropriate safeguards, which could violate the GDPR.

Why we decided on a European infrastructure

After a detailed evaluation of various options, we decided to migrate to the infrastructure of the cloud provider OVHcloud, headquartered in France. This provider is subject exclusively to EU law, operates its data centers in Europe, and offers full transparency regarding data protection and data processing. Moreover, it is one of the leading hosting providers worldwide.

What was decisive for us:

  • No risk from non-European laws like the U.S. CLOUD Act.
  • Clear legal situation: All data remains in the EU, under European data protection law.
  • Compatibility with the compliance requirements of our customers in sensitive industries.

Furthermore, this provider aligns with our strategic principles regarding sustainability, energy management, and transparency. The switch therefore also signals our long-term, responsible IT strategy.

Besides OVHcloud, there are other European providers like IONOS or Scaleway that offer similarly strict data protection standards. The decision often depends on technical requirements and integrations.

The CLOUD Act is not just an existing law, but also a preview of future regulatory challenges. These will push companies to review their data infrastructure regularly. The development of regulations at national and international levels will likely further intensify the requirements for cloud services and data sovereignty in the coming years. For companies, this means that the choice of cloud provider must be carefully weighed not only for today but also for the future.

What changes for our customers – and what stays the same

Our platform operations and the functionality of the software remain unchanged. The infrastructure move took place in the background and was completed without interruption.

What is new:

  • All data processing is performed exclusively by European providers.
  • Data access by non-European agencies is legally excluded.
  • Sustainable compliance without potential conflict between EU and international law.

At the same time, by keeping data within the EU, we create a stable foundation for availability and resilience without giving up data sovereignty.

The switch to a European cloud infrastructure brings several benefits from a data protection and compliance perspective:

  • Legal Certainty: Your data is subject exclusively to European law.
  • Transparency: Clear documentation on where your data is processed.
  • Basis of Trust: An important signal, especially for sensitive industries.
  • Future-Proofing: Regulatory requirements within the EU continue to increase.
  • Reduced Audit Effort: Thanks to a clear legal situation and GDPR conformity, the burden of proof in certifications is reduced.

Answers to frequently asked questions about the migration

The switch took place seamlessly during ongoing operations. The functionality of the platform remained unchanged, though, of course, our regular updates continue. Additionally, we have cleaned up the infrastructure and will no longer require an annual maintenance interruption in the future.

All operational data as well as associated backups are now processed and stored in data centers within the EU.

We tested the migration multiple times, operated in parallel, and documented it fully. Furthermore, our infrastructure is now organized in a cloud-agnostic manner, which allows for quick changes of the cloud provider in the future if necessary.

No. There are no price changes or adjustments to existing contracts.

Our infrastructure significantly facilitates compliance with GDPR, ISO 27001, the EU AI Act, and other regulations. Moreover, shyftplan is now also accessible at https://shyftplan.eu/.

Digital sovereignty as a strategic future issue

The infrastructure on which software is operated is no longer a neutral field. It influences who has access to which data, how securely this data is processed, and whether a company can meet regulatory requirements in the long term.

Moreover, companies that consciously rely on European IT structures strengthen not only their own security but also the European innovation landscape.

The CLOUD Act exemplifies how international legislation can impact European companies. Especially in a time when political influence on digital infrastructure is increasing, it is crucial to retain control over data and systems.

A European cloud provider is thus a central building block in the digital sovereignty of companies, allowing both SaaS providers and software users to secure themselves for the long term.