CLOUD Act: why "hosted in Europe" is not enough

June 17, 2026

Choosing an AI provider that hosts "in Europe" is not enough to protect your data from US law. If the company operating the service falls under United States jurisdiction, a 2018 law (the CLOUD Act) requires it to hand over to US authorities the data it holds, wherever that data is stored. The location of the server changes nothing. What matters is the nationality of the company that controls it.

This is the blind spot in most of the sovereignty promises being sold today.

What the CLOUD Act says, in one sentence

The Clarifying Lawful Overseas Use of Data Act allows the US justice system to require a provider subject to US law to hand over data it holds or controls, including when that data is physically stored outside the United States. The location of the datacenter is irrelevant. What the US justice system looks at is who holds or controls the data, not where it is stored.

In practice: a European subsidiary of a US group, or a service operated by a US company from a Paris datacenter, remains within scope. The server address is a reassuring sales argument, but it protects you from nothing in legal terms.

Why "datacenter in France" solves nothing

The "your data stays in Europe" argument rests on a confusion between two different things:

  1. Where the data is physically stored (residency).
  2. Who holds or controls the data, and can therefore be compelled to hand it over (control).

The GDPR governs the former. The CLOUD Act targets the latter. European hosting operated by an entity under US law ticks the "residency" box while leaving the "control" box in foreign hands. The two regimes can then collide: you are asked to comply with the GDPR on the European side while a US court order demands the same data on the other side.

For an AI use case, this is far from theoretical. Everything your teams type into a cloud assistant (a contract, a patient file, proprietary code, customers' personal data) passes through the provider's infrastructure. If that provider falls under US law, this flow is within scope.

Who is actually affected

Three profiles have a direct interest in looking at this closely:

  1. Professions bound by confidentiality. Lawyers, doctors, accountants, notaries: professional privilege cannot be delegated to a third party that can be compelled to talk.
  2. Organizations handling sensitive data. CISOs, local authorities, healthcare, defense: compliance is not limited to the place of storage.
  3. Any company that values its trade secrets. A customer database, R&D work, or a commercial strategy is not meant to become disclosable on the order of a foreign state.

If you recognize yourself here, the issue is not so much finding a European host as knowing who, at the end of the chain, can be compelled to hand over your data.

The real safeguards, from most dependent to most sovereign

To leave the scope of the CLOUD Act, you have to leave behind any dependence on an operator subject to US law. There are several levels for this, and it is honest to distinguish between them.

A European operator takes you out of the CLOUD Act. A provider whose parent company falls under the law of an EU member state (OVHcloud, Scaleway, or a SecNumCloud-qualified offering) is not bound by a US court order: the judge who signs it has no jurisdiction over the provider. This is already real progress compared to a US service hosted in Paris, and for many organizations it is enough. The fact remains that you still depend on a provider: it holds part of the keys, it runs the service, and it can go bankrupt, change its prices, or be the target of other proceedings. The US risk, however, is gone.

Self-hosting removes the provider itself. If the AI runs on your own server, with your keys, you alone hold and control the data. No court order, wherever it comes from, has any purchase: there is no provider to serve it on. This is the only case where you no longer have to trust a provider, for the simple reason that there is none.

This is exactly the principle on which Gungnir, our sovereign AI assistant, is built: it installs on your infrastructure, your conversations and documents never leave it, and you choose the models you connect to it. Sovereignty here is not an argument printed on a brochure: it follows directly from the way the product is built.

This site applies the same rule: no cookies, no trackers, no requests to any third-party service. You can check it for yourself.

In short

If the confidentiality of what you entrust to an AI really matters to you, stop asking "where is my data stored?". Ask instead "who other than me can be compelled to hand it over?". As long as the answer is not "no one", you are not safe.

FAQ

Does a datacenter in France protect me from the CLOUD Act?

No. The CLOUD Act targets providers subject to US law, regardless of the place of storage. A service operated by a US company from a French datacenter remains within its scope. It is control that matters, not the server address.

Isn't the GDPR enough to block a US demand?

The GDPR governs the processing of personal data, but it does not cancel the obligation placed on a provider under US law to respond to a US court order. The two regimes can come into conflict, and it is the provider that ends up stuck, not you.

Does a sovereign cloud like OVHcloud or Scaleway solve the problem?

To a large extent. An operator whose parent company is European is not bound by a US court order, which takes you out of the CLOUD Act. You are left with a dependence on a third party (keys, operation, longevity), but the US legal risk, for its part, disappears.

What is the difference with self-hosting?

With self-hosting, there is no third party at all: the AI runs on your server, with your keys. No court order, from any country, has a recipient. This is the only level where sovereignty no longer depends on the trust placed in a provider.

A question, a disagreement, want to try it? Write to me, the founder answers.