Your data is in the cloud. Which cloud, which country, under which law?
Compliance & Cloud

"We're in the cloud."

It's the answer almost every mid-size company gives now when asked where their infrastructure lives. Sometimes with pride. Sometimes with relief. Almost never with detail.

So let's add the detail. Which cloud? Which country? Under which law?

"In the cloud" usually means three or four words you didn't read

For most companies, "we're in the cloud" decodes to: "We're on AWS, Azure or Google Cloud. Default region. We never asked any deeper question."

That's fine for a marketing site. It's not fine for customer data in regulated sectors. And the moment you sign your first contract with a client in healthcare, banking, defence, or public administration, "fine for marketing" stops being acceptable.

The Cloud Act in two paragraphs

The US Cloud Act (Clarifying Lawful Overseas Use of Data Act, 2018) allows US authorities to require US-based providers — Amazon, Microsoft, Google and anyone subject to US jurisdiction — to hand over data they hold or process, regardless of where the servers are physically located.

In plain English: contracting the "Frankfurt" region of AWS does not protect you from a court order issued in Washington. The data is in Europe, but the provider is American. And the provider is the legal target.

The physical location of the data centre is not the same as the jurisdiction the data is governed by. Confusing the two is the most expensive mistake we still see in 2026.

For regulated sectors, this isn't theoretical anymore

For companies serving healthcare, banking, defence or public administration, this is no longer a theoretical debate. It's a legal, contractual and reputational risk.

  • Legal: the GDPR transfer regime, after Schrems II, makes the "default region" approach indefensible for sensitive personal data.
  • Contractual: public-sector framework agreements increasingly include sovereignty clauses. Failing them voids the contract — and often the next one.
  • Reputational: a client who finds out, post-incident, that their data was subject to a foreign jurisdiction they were never told about, doesn't come back.

Sovereignty isn't a European fad

It's a requirement your customers, your auditors or your regulator will ask of you sooner or later. The question is whether you'll be ready for the conversation, or hear about it via a non-compliance letter.

If you don't know where your data is, somebody else does. And they're usually not on your team.

What "sovereign by default" actually looks like

  • European provider, European operating entity. Not a European subsidiary of a US company.
  • Documented data residency at the country level, not just "EU region."
  • Encryption keys managed by you or by an entity outside US jurisdiction.
  • Clear answers on subprocessors: who exactly touches the data, and where do they sit?
  • Audit logs you can actually inspect — not a black box you have to trust.
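As an added illustration (not part of the original article, and not AP Interactive's tooling), here is one way to turn that checklist into an automated control: a small Python check over a constructed workload inventory. The field names, the EU/EEA country list and the sample workloads are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed subset of EU/EEA country codes; extend to match your own residency policy.
EU_EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "PL", "PT", "SE"}

@dataclass(frozen=True)
class Workload:
    name: str
    provider: str
    parent_jurisdiction: str      # country whose courts can compel the provider's ultimate parent
    datacenter_country: str       # where the servers physically sit
    documented_residency: str     # what the contract commits to: a country code, or just "EU"
    key_custodian: str            # "self", or the jurisdiction of the entity holding the keys
    subprocessors_documented: bool
    audit_logs_inspectable: bool
    regulated: bool               # health, banking, defence or public-sector data

def sovereignty_findings(w: Workload) -> list[str]:
    """Return the checklist items this workload fails (empty list = sovereign by default)."""
    f = []
    if w.parent_jurisdiction not in EU_EEA:
        # The Cloud Act point: the legal target is the provider, not the data centre.
        f.append(f"provider subject to {w.parent_jurisdiction} law although servers are in {w.datacenter_country}")
    if w.documented_residency not in EU_EEA:
        # "EU region" is not a country-level residency commitment.
        f.append(f"residency documented only as '{w.documented_residency}', not at country level")
    if w.key_custodian == "US":
        # Keys held by you ("self") or by any entity outside US jurisdiction pass this check.
        f.append("encryption keys held by an entity under US jurisdiction")
    if not w.subprocessors_documented:
        f.append("subprocessor chain not documented")
    if not w.audit_logs_inspectable:
        f.append("audit logs not inspectable by the customer")
    return f

def classify(inventory: list[Workload]) -> dict[str, list[str]]:
    """Map workload name -> findings; unregulated workloads (e.g. a marketing site) are out of scope."""
    return {w.name: sovereignty_findings(w) for w in inventory if w.regulated}

# Constructed sample inventory: hypothetical workloads, not real customer data.
INVENTORY = [
    Workload("crm-prod", "AWS", "US", "DE", "EU", "US", False, False, True),
    Workload("patient-portal", "example-eu-host", "NL", "NL", "NL", "self", True, True, True),
    Workload("marketing-site", "AWS", "US", "IE", "EU", "US", False, True, False),
]

if __name__ == "__main__":
    for name, issues in classify(INVENTORY).items():
        print(name, "OK" if not issues else "\n  - " + "\n  - ".join(issues))
```

Run against a real inventory, the first finding for the "Frankfurt region" workload is the one the article warns about: the data centre is in Germany, but the provider answers to US law.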

Where we come in

AP Interactive operates its own infrastructure under autonomous system AS215691, with presence in Madrid, the Netherlands, Germany and New York. For our European customers we keep workloads in European jurisdictions, with documented residency and our own subprocessor chain.

If you don't know exactly where your company's data sits — or if you suspect "Frankfurt region" is the extent of the answer you'd get from your provider — talk to us. We'll map it for you in concrete terms.