Enterprise

Your data is in US hands — whether you chose that or not.

Most enterprise infrastructure runs on Microsoft, Google, or AWS. Under the CLOUD Act, US authorities can access that data — regardless of where it's stored, and without informing you.

No US jurisdiction · Self-hosted or air-gapped · GDPR Article 48 compliant

  • 2018: Year the CLOUD Act was signed into US law — giving authorities global reach over American cloud providers
  • €20M: Maximum GDPR fine for a single violation — the penalty for complying with a US data warrant without prior authorisation
  • 0: Legal mechanisms allowing a US warrant to override GDPR Article 48 — the conflict has no lawful resolution
  • 3x: More likely for enterprise IP theft to originate from cloud-hosted communications than on-premises infrastructure

The five risks

Why your current stack is a liability

Every enterprise running on US-controlled cloud infrastructure faces these risks — today, not hypothetically.

Legal catch-22

Complying with a US warrant means violating GDPR

GDPR Article 48 prohibits the transfer of EU personal data to foreign authorities unless authorised by an EU-recognised legal instrument — and a US CLOUD Act warrant is not one. If your cloud provider discloses your data in response to a US government request, you are simultaneously subject to GDPR enforcement for the unlawful transfer. There is no legal path out of this conflict under current law.

GDPR Article 48 · Schrems II, Case C-311/18

Data sovereignty

You no longer control who can access your own data

True data sovereignty means your organisation — and only your organisation — decides who accesses your information. Once your data resides with a US cloud provider, that sovereignty is transferred. A foreign government can initiate access without your knowledge, without your consent, and without informing your local data protection authority. Your legal team will not be notified. Your DPO will not be informed.

GDPR Article 5(1)(f) · Article 32

Industrial espionage

Intellectual property stored in US clouds is exposed

M&A strategies, legally-binding contracts, pending patents, board-level communications — all of it passes through Microsoft Teams, Google Meet, or Zoom. These platforms store metadata, recordings, and transcripts in US-jurisdictional infrastructure. Any legally privileged document, negotiation, or strategic communication transmitted over these platforms is subject to interception under CLOUD Act orders or broader intelligence gathering frameworks including FISA Section 702.

FISA Section 702 · EO 12333

Geopolitical exposure

US policy shifts can disconnect your business overnight

Enterprises operating across multiple jurisdictions have discovered that US cloud dependency is not merely a privacy risk — it is an operational risk. American sanctions regimes, executive orders, and geopolitical decisions have resulted in companies being disconnected from their cloud infrastructure with little notice. When your communications, storage, and collaboration platform is controlled by a US entity, your business continuity is subject to Washington's foreign policy agenda.

OFAC Sanctions · BIS Export Controls

Video conferencing

Every call on Teams, Zoom, or Meet is US-jurisdictional data

Video conferencing platforms operated by US companies — Microsoft Teams, Zoom, Google Meet, Cisco Webex — route, store, and process communications through US-controlled infrastructure. Meeting recordings, transcripts, participant metadata, and content shared during calls are stored under US jurisdiction. For enterprises discussing commercially sensitive matters, regulatory decisions, or legally privileged information, this represents a structural and unmitigable risk.

US CLOUD Act · GDPR Article 48

The irresolvable conflict

US law vs. EU law — your enterprise is caught in the middle

There is no compliant way to use US cloud infrastructure for sensitive EU enterprise data. The laws are structurally incompatible.

US CLOUD Act

Compels disclosure

US cloud providers must hand over data stored anywhere in the world when served with a valid US government order. Refusal is not an option. The provider is not required to notify the data subject. EU location of the data is irrelevant.

  • Applies to all US-incorporated entities globally
  • Override cannot be blocked by GDPR
  • Data subject has no right to be informed
  • No EU court can intervene

VS

GDPR Article 48

Prohibits disclosure

EU personal data cannot be transferred to a foreign government or law enforcement authority unless through an approved legal instrument — such as a mutual legal assistance treaty (MLAT). A US CLOUD Act warrant does not qualify. Compliance exposes the data controller to fines of up to €20M or 4% of global annual turnover.

  • Applies to all data controllers processing EU personal data
  • Foreign warrants do not constitute a lawful basis
  • MLAT process required — takes months to years
  • Schrems II reinforced the prohibition in 2020

Exposed platforms

Every tool your enterprise depends on

These platforms are essential to enterprise operations — and every one of them is subject to US jurisdiction.

Microsoft 365 & Teams
US Jurisdiction

Microsoft confirmed in 2022 that EU customer data stored in EU data centres can still be accessed by US authorities under the CLOUD Act. Azure, Exchange, SharePoint, and Teams all fall within scope.

Google Workspace & Meet
US Jurisdiction

Google LLC is a US entity. All data processed through Gmail, Drive, Docs, and Meet — regardless of regional data residency settings — is subject to CLOUD Act compelled disclosure orders.

Zoom
US Jurisdiction

Zoom Video Communications is headquartered in San Jose, California. Meeting recordings, transcripts, chat logs, and participant data are stored in US-jurisdictional infrastructure by default.

Cisco Webex
US Jurisdiction

Cisco Systems is a US corporation. Webex meeting data, recordings, and collaboration content — including Webex Teams messages — are subject to US government data access requests.

Slack
US Jurisdiction

Slack Technologies is a US-incorporated entity, now owned by Salesforce. All workspace messages, files, and integrations are governed by US law and can be compelled under CLOUD Act orders.

Amazon Web Services
US Jurisdiction

AWS is a division of Amazon.com Inc., a US entity. Data hosted in AWS EU regions, including Frankfurt and Dublin, remains accessible to US authorities via CLOUD Act compelled disclosure.

Frequently asked

Questions from enterprise legal & compliance teams

Does storing data in an EU data centre protect us from the CLOUD Act?
No. The CLOUD Act applies to US-incorporated entities regardless of where their data centres are physically located. Microsoft's Frankfurt data centre, Google's Dublin facility, and AWS's EU regions are all operated by US legal entities. The physical location of the server is irrelevant — what matters is the legal identity of the provider. EU data residency settings offered by these vendors are a marketing distinction, not a legal protection.
Can we contractually prevent our cloud provider from disclosing data under the CLOUD Act?
No. Contractual provisions cannot override statutory obligations imposed by US law. Even if a vendor includes data protection commitments in a Data Processing Agreement, those commitments do not change the provider's legal obligation to comply with a CLOUD Act order from a US court. Several major cloud providers have confirmed this publicly — they are legally required to comply, irrespective of what their contracts say.
What happens if our cloud provider discloses data without notifying us?
CLOUD Act orders are often accompanied by gag orders preventing the provider from notifying the data subject. This means your organisation may never know a disclosure occurred. From a GDPR perspective, this creates a serious problem: you cannot fulfil your Article 33 and 34 obligations to report a data breach to your supervisory authority and affected individuals if you are unaware the disclosure took place. The privacy violation is silent and invisible.
Are video conference recordings treated differently from other data?
No — video recordings, transcripts, and meeting metadata are treated as data held by the service provider and are fully subject to CLOUD Act compelled disclosure. For enterprises, this is particularly acute: board meetings, M&A discussions, legal strategy sessions, and regulatory briefings conducted over Teams, Zoom, or Webex generate recordings that are stored and accessible under US jurisdiction. Many enterprises treat this risk as equivalent to leaving a recording device in a meeting room with an open line to a foreign government.
What is the AMVLET solution for enterprise clients?
AMVLET provides enterprise-grade sovereign communications infrastructure that operates entirely outside US jurisdiction. Deployments are self-hosted within your chosen country, on your own hardware or on a non-US cloud provider you control. No data transits or is stored on US-controlled infrastructure. Communications are end-to-end encrypted with keys held exclusively by your organisation. AMVLET's .PRO Enterprise and .PRO Sovereign tiers are designed specifically for organisations that cannot accept the legal and operational risks of US cloud dependency.

Move your enterprise outside US jurisdiction.

Talk to our enterprise team about a sovereign communications deployment tailored to your legal, operational, and security requirements.
