Your cloud contract says your data is stored in the EU. Frankfurt, Amsterdam, Dublin — pick a region, get a compliance badge. Here is the uncomfortable part: for a US provider, the storage location is not the question that matters.

What the CLOUD Act actually says

The Clarifying Lawful Overseas Use of Data Act, passed in 2018, is short and blunt. A provider subject to US jurisdiction must produce data in its “possession, custody, or control” when US authorities lawfully demand it — regardless of where that data is stored. An EU region setting changes the latency of your queries. It does not change the reach of the statute.

This is not a loophole or an edge case. It is the explicit purpose of the law: it was written to end the argument that data stored abroad was out of reach.

The admission under oath

For years, the standard vendor answer was reassurance: transfers are exceptional, safeguards apply, sovereignty clauses protect you. Then, in June 2025, the question was put directly to Microsoft France in a hearing before the French Senate: can you guarantee that French citizens’ data will never be transmitted to US authorities without the agreement of French authorities?

The answer, given under oath, was that no such guarantee could be made.

That is not a scandal about one vendor. It is the honest answer, and every US-jurisdiction provider would have to give the same one. The witness deserves credit for saying plainly what the contracts obscure.

”But we have an EU sovereignty offering”

Sovereign cloud offerings are real products and they reduce real risks: local operations staff, EU-based support, contractual commitments about routine data handling. What they cannot do is amend a US statute. As long as the entity that controls the infrastructure is subject to US jurisdiction, the CLOUD Act question stays open — and the honest vendors admit exactly that when asked under oath.

For most workloads, this is a tolerable risk. Marketing assets, public documentation, replaceable operational data — the CLOUD Act is not a reason to move your website.

When it stops being tolerable

The calculation changes when the documents are the business:

For this class of documents, the EU’s own machinery adds pressure from the other side: Schrems II made transfer assessments mandatory, and a transfer to a US-jurisdiction provider is precisely what a DPO has to assess, document and defend.

The shortest path out

There are two honest ways to close the question.

The first is to do the full legal work: transfer impact assessments, supplementary measures, encryption schemes where you hold the keys, and a standing review as the case law moves. Serious companies do this. It is expensive, it never quite finishes, and the residual risk never reaches zero — because the statute is still there.

The second is architectural: keep the documents inside your building. Data that never leaves your premises never crosses a border, is never in a US provider’s “possession, custody, or control,” and never needs a transfer assessment — because there is no transfer. The entire class of problem is removed rather than mitigated.

This is the reasoning behind Perimeter: an AI appliance that reads your documents and answers with sources, on a box in your server room, with zero external calls. Not because clouds are useless — because for some documents, the only defensible answer to “who can reach them?” is “no one outside these walls.”

Your IT lead or DPO can check the architecture without us in the room: the security brief is written for exactly that review.