Your data is in the cloud. Which cloud, which country, under which law?
Compliance & Cloud

"We're in the cloud."

It's the answer almost every mid-size company gives now when asked where their infrastructure lives. Sometimes with pride. Sometimes with relief. Almost never with detail.

So let's add the detail. Which cloud? Which country? Under which law?

"In the cloud" usually means three or four words you didn't read

For most companies, "we're in the cloud" decodes to: "We're on AWS, Azure or Google Cloud. Default region. We never asked any deeper question."

That's fine for a marketing site. It's not fine for customer data in regulated sectors. And the moment you sign your first contract with a client in healthcare, banking, defence, or public administration, "fine for marketing" stops being acceptable.

The Cloud Act in two paragraphs

The US Cloud Act (Clarifying Lawful Overseas Use of Data Act, 2018) allows US authorities to require US-based providers — Amazon, Microsoft, Google and anyone subject to US jurisdiction — to hand over data they hold or process, regardless of where the servers are physically located.

In plain English: contracting the "Frankfurt" region of AWS does not protect you from a court order issued in Washington. The data is in Europe, but the provider is American. And the provider is the legal target.

The physical location of the data centre is not the same as the jurisdiction the data is governed by. Confusing the two is the most expensive mistake we still see in 2026.

For regulated sectors, this isn't theoretical anymore

For companies serving healthcare, banking, defence or public administration, this is no longer a theoretical debate. It's a legal, contractual and reputational risk.

  • Legal: the GDPR transfer regime, after Schrems II, makes the "default region" approach indefensible for sensitive personal data.
  • Contractual: public-sector framework agreements increasingly include sovereignty clauses. Failing them voids the contract — and often the next one.
  • Reputational: a client who finds out, post-incident, that their data was subject to a foreign jurisdiction they were never told about, doesn't come back.

Sovereignty isn't a European fad

It's a requirement your customers, your auditors or your regulator will ask of you sooner or later. The question is whether you'll be ready for the conversation, or hear about it via a non-compliance letter.

If you don't know where your data is, somebody else does. And they're usually not on your team.

What "sovereign by default" actually looks like

  • European provider, European operating entity. Not a European subsidiary of a US company.
  • Documented data residency at the country level, not just "EU region."
  • Encryption keys managed by you or by an entity outside US jurisdiction.
  • Clear answers on subprocessors: who exactly touches the data, and where do they sit?
  • Audit logs you can actually inspect — not a black box you have to trust.

Where we come in

AP Interactive operates its own infrastructure under autonomous system AS215691, with presence in Madrid, the Netherlands, Germany and New York. For our European customers we keep workloads in European jurisdictions, with documented residency and our own subprocessor chain.

If you don't know exactly where your company's data sits — or if you suspect "Frankfurt region" is the extent of the answer you'd get from your provider — talk to us. We'll map it for you in concrete terms.

Frequently asked questions

Does storing data in an AWS Frankfurt region protect it from US law?

No. The US Cloud Act lets US authorities require US-based providers — Amazon, Microsoft, Google and anyone under US jurisdiction — to hand over data they hold or process, regardless of where the servers are physically located. The data may sit in Frankfurt, but the provider is American, and the provider is the legal target of the order.

What does "sovereign by default" actually require?

It means a European provider with a European operating entity (not just a European subsidiary of a US company), documented data residency at country level, encryption keys managed by you or an entity outside US jurisdiction, clear visibility into subprocessors, and audit logs you can actually inspect rather than a black box.

Why does data sovereignty matter for regulated sectors specifically?

For healthcare, banking, defence and public administration, sovereignty is a legal, contractual and reputational risk, not a theoretical one. The GDPR transfer regime after Schrems II makes "default region" indefensible for sensitive personal data, public-sector framework agreements increasingly carry sovereignty clauses, and clients who learn post-incident that their data sat under an undisclosed foreign jurisdiction tend not to return.