You have signed a SaaS contract. Your data is hosted in Europe. You have ticked the GDPR box. You think you are protected. You're probably not. The Cloud Act is a discreet US law, rarely mentioned in terms and conditions, yet capable of rendering most of your compliance efforts null and void. Here's what your provider isn't telling you, and what you need to know before you renew your subscription.
What the Cloud Act really is and what it isn't
The Cloud Act is one of the most misunderstood pieces of legislation in Europe's digital landscape. It is often presented as a distant or theoretical threat. In reality, it is a precise legal mechanism that can be activated at any time and whose effects extend far beyond American borders. Before we can understand what it means for your organisation, we need to demystify what it really is.
An extraterritorial law, not a legal bug
Adopted in 2018, the Cloud Act (Clarifying Lawful Overseas Use of Data Act) allows the American authorities (FBI, DOJ, federal agencies) to require an American company to hand over data stored on its servers, regardless of the country where these servers are physically located. It's not a loophole, it's not an abuse. It is the law, as voted and promulgated.
In concrete terms: if you use Microsoft 365, Google Workspace, Salesforce, HubSpot, Slack or AWS, to name but a few of the most popular, your data may be accessible to the US authorities, even if it is hosted in an Irish or German data centre. The geographical location of servers does not provide sufficient legal protection if the company operating them is incorporated in the United States.
What “hosted in Europe” really means
The sales pitches of the major US SaaS vendors have incorporated the sovereignty argument with remarkable skill. “Your data remains in Europe” has become a standard sales argument displayed on compliance pages, highlighted during sales calls, integrated into DPAs (Data Processing Agreements).
What this formulation carefully omits: hosting in Europe does not mean being subject exclusively to European law. An American company that hosts your data in Dublin remains subject to the Cloud Act. It may be forced to respond to a US injunction without even having a legal obligation to inform you. The GDPR and the Cloud Act coexist, and in the event of conflict, there is no mechanism that automatically guarantees the primacy of European law.
What your SaaS contract really says and how to read it
The majority of organisations sign their SaaS contracts without having read the clauses concerning access requests from the authorities. This is not negligence: these clauses are drafted in such a way as to be technically accurate while remaining virtually invisible. Learning to spot them is a skill that can save you from major surprises.
Clauses to look for and their actual translation
In any SaaS contract with a US publisher, there are three types of clause that deserve particular attention. First, Law Enforcement Requests clauses: these specify the conditions under which the supplier may pass on your data to a third-party authority. Look for wording such as “as required by applicable law”: it implicitly includes the Cloud Act. Secondly, notification clauses: some contracts stipulate that the customer must be informed in the event of a request for access, while others explicitly exclude this obligation when the law prohibits it. Thirdly, jurisdiction clauses: these determine which law governs the contract and therefore which law takes precedence in the event of a dispute.
A contract stipulating that the applicable law is that of the State of California or the State of New York offers no protection against the Cloud Act, regardless of the location of your data.
The questions your supplier doesn't want to hear
Asking these questions directly of your account manager often creates an uncomfortable silence, which is already information. Here's what you need to ask explicitly, in writing, before any renewal or new subscription.
Is the company subject to US law (subject to US jurisdiction)?
Has it already received requests for access under the Cloud Act, and if so, how many?
Does the contract include an obligation to notify your organisation in the event of a request for access to its data?
What is the average time between receipt of an injunction and transmission of the data?
If your supplier is unable to answer these questions, or if their answers are evasive, you have your answer.
What you can actually do
Understanding the problem is one thing. Knowing what to do about it is another. The good news is that there are realistic options for significantly reducing your exposure to the Cloud Act, without necessarily re-architecting everything overnight.
Mapping your data by level of sensitivity
The first step is not to change the tool; it's to know what you have and where it is. Not all your data presents the same level of risk. Public data, marketing communications, anonymised analytics: their exposure to the Cloud Act has few practical consequences. On the other hand, HR data, customer data, financial data, strategic information or health data deserve radically different attention.
Mapping your data by level of sensitivity enables you to establish a differentiated policy. The aim is to retain certain American tools for non-critical uses, while migrating sensitive data to sovereign solutions for high-risk processing.
Know your sovereign alternatives
There are now credible alternatives for the majority of SaaS tool categories exposed to the Cloud Act. For messaging and collaboration: Tchap (French administration), CryptPad, or self-hosted instances of open source solutions. For storing and sharing files: Nextcloud hosted by OVHcloud or Scaleway. For customer relationship management: European solutions such as Sellsy, or on-premise deployments. For generative AI: Infomaniak's Euria, Mistral's Le Chat Pro, and locally hosted open source models.
Migration does not have to be total to be useful. Reducing the exposure surface, even partially, is a realistic and defensible approach.
Do you have any doubts about your exposure? Iterates can help
Most organisations only become aware of their exposure to the Cloud Act when a compliance issue becomes urgent: during a public tender, a sector audit, or a request from a demanding customer. Waiting until that moment to act is taking an unnecessary risk.
Iterates helps organisations to audit their SaaS stack, identify the data at risk, and define a sovereign roadmap tailored to their context. No ideological rhetoric, no forced migration: factual analysis and informed choices. That's what you deserve before you sign the next renewal.