"Our data is hosted in Europe, so we're fine."
It's the sentence we hear most often in meetings — from CIOs, DPOs, legal departments. It's reassuring, it often appears in black and white in the vendor's sales documentation. And it's wrong.
What the Cloud Act actually says
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) is a US law that allows American authorities to require a provider subject to US jurisdiction to hand over data it holds or controls, wherever in the world that data is stored.
The criterion is not geographic. It is legal:
- The question is not "where are the servers?"
- The question is "who operates the service, and under which law?"
A datacenter in Paris, Frankfurt or Dublin operated by an American provider — or by its European subsidiary — remains within the reach of US law. The location of the hard drive does not change the nationality of the legal obligation.
"But we signed a DPA" — why the contract is not enough
The classic objection: "our contract says the data stays in Europe, we have a DPA, standard contractual clauses, a certification."
A DPA governs a commercial relationship between two private parties. It does not override a law. If a US authority serves a valid order on a provider subject to its jurisdiction, the provider must comply — the contract signed with you changes nothing, and in some cases the provider is not even allowed to inform you (gag order).
This is the point that much sales documentation keeps deliberately vague: contractual localization commitments are real and useful, but they are a commercial protection, not a structural one.
GDPR and the Cloud Act are in fact in head-on tension: what one prohibits (uncontrolled transfers to a third country), the other can require. The client company is caught in the middle.
Who is concerned, concretely
If your usage is limited to public or trivial data, this debate is theoretical. It stops being theoretical as soon as you handle:
- professional secrecy (lawyers, notaries, accountants),
- health data (patient records),
- M&A files and non-public financial data,
- HR data and ongoing litigation,
- regulated data (defense, critical infrastructure, public sector).
For these categories, the question "who operates the infrastructure and under which law?" is not a legal footnote. It is an audit criterion, an insurer requirement, and increasingly a question your own clients ask.
The special case of AI: your prompts are data
The topic becomes critical with generative AI, for a simple reason: a prompt is often more sensitive than a file.
When an employee asks an AI assistant to "summarize this shareholders' agreement" or "analyze this report before the board meeting", they transmit in a single request what an attacker would take weeks to assemble: the document, the context, the intent. If that assistant is operated by a provider subject to the Cloud Act, all of that material falls within the scope described above — even if the inference server is physically in Europe.
This is true for consumer tools used as shadow AI, but also for "enterprise" deployments whose operator remains American.
The only structural protection: data that never leaves
There are only two robust answers to the Cloud Act, and they come down to the same principle: taking your data out of its scope. This is also the logic behind the French cybersecurity agency's SecNumCloud qualification, which explicitly requires immunity from extraterritorial laws and European capital control.
1. A European operator, end to end. A provider incorporated under French or European law, hosted on a European cloud (OVHcloud, Scaleway…), with no American parent company in the chain. US law then has no point of leverage.
2. On-premise. The software runs on your own servers, inside your perimeter. There is simply no third-party provider to serve an order on: your prompts, documents and meetings pass through no one.
This is the architecture of Eridia: a French operator, a platform deployed on your infrastructure or hosted in France, open-source models running inside your perimeter via Ollama or vLLM in a 100% sovereign configuration. French operator, French hosting, French law — the protection holds by construction, not by contract.
Three questions for your next board meeting
Before deciding on an AI tool, ask your vendor these three questions — each answer fits on one line:
- Which legal entity operates the service, and under which law? (Including the parent company.)
- Where do the AI models run, and who operates that infrastructure? (The interface can be European while inference is American.)
- Can you demonstrate that no data leaves our perimeter? (Logs, architecture, on-premise deployment available.)
If any of these answers is vague, you have your answer.
And if you want to check where you stand, we offer a free diagnostic of your AI data flows — who operates what, under which law, and what should move.



