
US CLOUD Act & EU Cloud Sovereignty

Why Hyperscaler "EU Regions" Don't Provide True Data Sovereignty

The US CLOUD Act creates legal conflicts with EU data protection laws. Understanding this distinction is critical for organizations subject to NIS2, DORA, CSRD, and HAVEN+ compliance requirements. Leafcloud provides true EU-sovereign cloud infrastructure with Dutch ownership, Amsterdam data center, and no US parent company.

What is the US CLOUD Act?

US Law Enabling Extraterritorial Data Access

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) is a US federal law that amends the Stored Communications Act so that warrants, subpoenas and court orders served on a provider subject to US jurisdiction reach any data in that provider's possession, custody or control, regardless of where the servers physically sit. It also lets the US sign executive agreements with foreign governments for reciprocal direct access. Intelligence-agency access to the same providers rests on separate authorities (FISA Section 702 and Executive Order 12333), which the page discusses alongside it.

Key Provisions

US law enforcement can obtain data from US providers with a US warrant or order alone; no foreign court approval is needed. The Act covers all data under the provider's control, even if stored on EU servers. Providers can be compelled without notifying the customer, and demands can carry gag orders that prohibit disclosure. The one safeguard the Act offers is narrow: a provider may ask a US court to quash a demand when compliance would violate the law of a foreign government that has a CLOUD Act executive agreement with the US (the UK and Australia have such agreements), which does not help where no agreement exists.

Who is Subject to the CLOUD Act

Amazon Web Services (AWS), all regions including Frankfurt, Stockholm, Paris, Milan. Microsoft Azure, all regions including Netherlands, Ireland, Germany, France. Google Cloud, all regions including Belgium, Netherlands, Finland, Germany. Any cloud provider that is a US company or a subsidiary of one: the Act attaches to data in the provider's possession, custody or control, and an EU-incorporated subsidiary is still controlled by its US parent.

Who is NOT Subject to the CLOUD Act

EU-owned companies with no US parent, such as Leafcloud (Dutch B.V.), OVH (France), Hetzner (Germany). Companies incorporated and headquartered in the EU with independent ownership.

Jurisdiction Determined by Ownership

Physical server location does not determine CLOUD Act exposure. What matters is whether the company that controls the data is subject to US jurisdiction, which follows from corporate ownership and incorporation. EU servers operated by US companies, or by their EU subsidiaries, remain within reach of US legal process.

Why "EU Regions" Don't Provide Sovereignty

Physical Location vs Legal Jurisdiction

Hyperscalers market "EU regions" as compliant with European data residency requirements. However, these regions remain subject to US legal jurisdiction despite physical server location. The critical distinction lies in corporate ownership, not server location.

Hyperscaler EU Regions (AWS Frankfurt, Azure Netherlands, Google Cloud Belgium)

Servers physically located in Europe. Data stored in Europe. However, still subject to US CLOUD Act because parent companies are US-based. Subject to FISA and US government data requests. Can be compelled to provide EU-stored data to US authorities.

EU-Sovereign Cloud (Leafcloud in Amsterdam)

Servers physically located in Netherlands. Data stored in Netherlands. Dutch-owned company with no US parent. NOT subject to US CLOUD Act or FISA. Data cannot be compelled by non-EU government requests without proper MLAT channels.

Schrems II Decision (2020)

The Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield framework because US surveillance law (FISA Section 702 and Executive Order 12333) allows access to transferred data beyond what is strictly necessary and gives EU data subjects no effective redress. The CLOUD Act was not the basis of the judgment, but it is part of the same picture: US law can compel US companies to disclose data without the protections EU law requires. Privacy Shield's successor, the EU-US Data Privacy Framework, received an adequacy decision in July 2023; it governs commercial transfers to certified US companies and does not change the CLOUD Act's reach over data a US provider controls inside the EU.

Applies to Hyperscaler EU Regions

Schrems II matters for hyperscaler "EU regions" because the provider's US parent can access the data from the US, and can be compelled to disclose it there. Remote access from a third country is itself a transfer under GDPR Chapter V, so storing the data on servers in the EU does not take it outside the ruling's scope.

CLOUD Act Impact on EU Compliance Requirements

Compliance Challenges for Digital Resilience and Cybersecurity

The CLOUD Act creates compliance challenges for European organizations subject to new digital resilience and cybersecurity regulations. Organizations subject to NIS2, DORA, CSRD, HAVEN+, and AI Act requirements should consider EU-sovereign cloud infrastructure to eliminate CLOUD Act exposure.

NIS2 Directive (Network and Information Security 2)

Transposition deadline 17 October 2024. Applies to essential and important entities in sectors such as energy, transport, healthcare and digital infrastructure. Requires cybersecurity risk management, including supply chain security. CLOUD Act risk: a foreign government's ability to obtain operational data from the cloud provider is a supply chain risk that NIS2 obliges the organization to assess and mitigate.

DORA (Digital Operational Resilience Act)

Applies from 17 January 2025. Applies to financial institutions (banks, insurers, investment firms). Requires ICT risk management and oversight of third-party ICT service providers. CLOUD Act risk: financial data subject to foreign government access without EU oversight.

CSRD (Corporate Sustainability Reporting Directive)

Effective January 2024 (phased rollout through 2028). Applies to large EU companies, listed SMEs, and non-EU companies with significant EU activity. Requires sustainability reporting including ESG data. CLOUD Act risk: proprietary sustainability data subject to foreign access.

HAVEN+ (Dutch Public Sector Cloud Requirements)

Applies to Dutch public sector organizations. Requires data sovereignty: data must remain under Dutch/EU jurisdiction. CLOUD Act risk: US-owned cloud providers fail to meet the sovereignty requirement.

AI Act (EU Artificial Intelligence Act)

In force since August 2024, with obligations phased in from 2025 to 2027. Applies to high-risk AI systems (healthcare, law enforcement, critical infrastructure). Requires data governance, transparency, and accountability for AI training. CLOUD Act risk: AI training data and model weights subject to foreign access.

Leafcloud's EU Sovereignty Guarantee

True EU Jurisdiction Without US Exposure

Leafcloud is a Dutch B.V. (besloten vennootschap) incorporated and headquartered in Amsterdam, Netherlands. We have no US parent company and no exposure to US legal jurisdiction. All data remains under Dutch law and EU GDPR with no CLOUD Act exposure.

Legal Jurisdiction

Incorporated in Netherlands (Dutch B.V.). Owned by European investors, no US ownership. Data located at Amsterdam Core facility (Tier III datacenter). Legal framework under Dutch law, EU GDPR, no CLOUD Act exposure.

Data Protection Guarantees

GDPR compliance: full compliance with the EU General Data Protection Regulation. Data residency: all persistent data (volumes, object storage, snapshots, backups) stored in Amsterdam. No US jurisdiction: US government requests must go through MLAT channels with EU oversight. Customer notification if a Dutch court orders data access (when legally permitted).

Compliance Certifications

ISO 27001: information security management system certification. SOC 2 Type II: third-party audit for security, availability, confidentiality. NIS2 ready: infrastructure designed to meet NIS2 cybersecurity requirements. CSRD-ready reporting: carbon reduction calculations for sustainability reporting.

Compliance Benefits

NIS2: eliminate third-party cybersecurity risk from foreign government access. DORA: ensure operational resilience for financial services ICT systems. CSRD: protect proprietary sustainability data from foreign access. HAVEN+: meet Dutch public sector cloud sovereignty requirements. AI Act: maintain data governance and accountability for high-risk AI systems.

Sovereignty Verification Documentation

For sovereignty verification documentation for procurement and compliance audits, contact hello@leaf.cloud.

Frequently Asked Questions

Common Questions About the US CLOUD Act

Is data stored in AWS EU regions subject to the US CLOUD Act?

Yes. Despite data being physically stored in EU regions (Frankfurt, Stockholm, Paris, Milan, etc.), AWS is a US company subject to the US CLOUD Act, which means US law enforcement can compel AWS to provide customer data stored anywhere in the world.

How this works:

  1. A US law enforcement agency obtains a warrant, subpoena or court order under the Stored Communications Act as amended by the CLOUD Act
  2. AWS (parent company Amazon.com, Inc.) must comply with the US legal demand
  3. Data is provided to US authorities regardless of physical storage location
  4. AWS may be prohibited from notifying the customer (gag order)

Why physical location doesn't matter:

  • The CLOUD Act applies to the company's legal jurisdiction, not the server location
  • AWS, Microsoft, and Google are all incorporated in the United States
  • EU regions are operated by subsidiaries of US parent companies
  • Data access is based on corporate control, not physical infrastructure

This applies to:

  • AWS (all EU regions: Frankfurt, Stockholm, Paris, Milan, Spain, Zurich)
  • Microsoft Azure (all EU regions: Netherlands, Ireland, Germany, France, Sweden, etc.)
  • Google Cloud (all EU regions: Belgium, Netherlands, Finland, Germany, etc.)

Legal conflict with GDPR:

  • GDPR Article 48 says that a third-country court order or administrative decision demanding a transfer is enforceable only if it rests on an international agreement such as an MLAT; without one, disclosing the data to a non-EU authority has no legal basis under GDPR
  • The CLOUD Act lets US authorities demand the data directly from the provider, bypassing the MLAT route
  • This puts the provider, and by extension its EU customers, in a conflict between US and EU law, and creates compliance risk for organizations subject to NIS2, DORA, and CSRD

EU-sovereign alternative: Leafcloud is a Dutch B.V. with no US parent company. Data stored on Leafcloud infrastructure in Amsterdam is subject only to Dutch and EU law. US government requests must go through proper MLAT (Mutual Legal Assistance Treaty) channels with EU judicial oversight and review.

Does the CLOUD Act apply to AI training data and model weights?

Yes. The US CLOUD Act applies to all data stored or processed by US cloud providers, including AI training data, model weights, inference data, and embeddings.

What data is affected:

  1. Training datasets: Customer data used to train or fine-tune models
  2. Model weights and checkpoints: The trained model parameters themselves
  3. Inference data: Input prompts and generated outputs
  4. Embeddings and vector databases: Semantic representations of proprietary data
  5. API logs: Records of model interactions and usage patterns

Why this matters for AI workloads:

  • Proprietary data exposure: Training data often contains competitive business intelligence
  • Model IP theft risk: Fine-tuned model weights represent significant R&D investment
  • Prompt contents: user queries to LLMs, and the documents pasted into them, often contain sensitive information
  • RAG systems: Vector databases often contain entire knowledge bases of proprietary documents

Compliance implications:

  • NIS2 (Cybersecurity): Critical infrastructure operators must protect against foreign surveillance
  • DORA (Financial): Financial institutions must ensure operational resilience and data sovereignty
  • CSRD (Sustainability): Public interest entities reporting environmental data need sovereignty guarantees
  • AI Act: High-risk AI systems require data sovereignty for accountability

Real-world scenarios:

  • Healthcare AI: Patient data used for medical imaging models subject to CLOUD Act access
  • Financial services: Fraud detection models trained on transaction data vulnerable to requests
  • Government services: Public sector AI chatbots using citizen data lack sovereignty protection
  • Research institutions: Scientific models trained on sensitive research data at risk

EU-sovereign AI infrastructure: Leafcloud provides EU-sovereign GPU infrastructure (H100, A100, A30, RTX 6000 Blackwell) in Amsterdam. Training and inference workloads remain under Dutch and EU jurisdiction only. US government requests must go through proper MLAT (Mutual Legal Assistance Treaty) channels with EU judicial oversight and review.

For AI workloads with sovereignty requirements, choose EU-owned cloud infrastructure not subject to the US CLOUD Act.

Is Leafcloud subject to the US CLOUD Act?

No. Leafcloud is not subject to the US CLOUD Act.

Leafcloud is a Dutch company with no parent company outside the European Union. We are not subject to the US CLOUD Act or to FISA (Foreign Intelligence Surveillance Act), and no non-EU government can compel us to hand over data directly; such requests have to come through the Netherlands under an MLAT.

Why this matters: The US CLOUD Act allows US government agencies to compel US-based companies (and their subsidiaries) to provide data stored anywhere in the world, even if that data is stored in the EU. This applies to US hyperscalers like AWS, Microsoft Azure, and Google Cloud, even when they operate "EU regions" with servers physically located in Europe.

Leafcloud's jurisdiction: Dutch law applies. Your data cannot be compelled directly by a US government demand; a US authority has to go through MLAT channels, where Dutch authorities review the request. If a Dutch court orders data access, we will notify you whenever legally permitted. Dutch law may prohibit disclosure in certain ongoing criminal investigations, though such restrictions are more limited than US gag orders.

This makes Leafcloud true EU-sovereign cloud infrastructure, distinct from hyperscaler "EU regions" which remain subject to US jurisdiction despite server location.

For sovereignty verification documentation for procurement, contact hello@leaf.cloud.

What is the difference between Leafcloud and hyperscaler "EU regions"?

Leafcloud is EU-sovereign cloud infrastructure. Hyperscaler "EU regions" are physically located in the EU but remain subject to US jurisdiction.

The key difference: Legal jurisdiction

Hyperscaler EU regions (AWS Frankfurt, Azure Netherlands, Google Cloud Belgium):

  • Servers physically located in Europe ✓
  • Data stored in Europe ✓
  • Subject to US CLOUD Act ✗ (parent companies are US-based)
  • Subject to FISA and US government data requests ✗
  • Can be compelled to provide EU-stored data to US authorities ✗

Leafcloud:

  • Servers physically located in Netherlands (Amsterdam) ✓
  • Data stored in Netherlands ✓
  • Dutch-owned company, no US parent ✓
  • Not subject to US CLOUD Act or FISA ✓
  • Data cannot be compelled directly by non-EU governments; requests must go through MLAT channels with Dutch review ✓

Why this matters:

Under the US CLOUD Act, US government agencies can compel US-based companies (including AWS, Microsoft, Google) to provide data stored anywhere in the world, even data stored in "EU regions". This creates a conflict with GDPR and EU data sovereignty requirements.

EU-sovereign infrastructure means:

  • European ownership
  • European operations
  • European legal jurisdiction
  • No exposure to non-EU data access laws

When you need EU sovereignty:

  • Dutch public sector (HAVEN+ requirements)
  • Regulated industries (healthcare, finance) with NIS2/DORA obligations
  • Companies subject to CSRD sustainability reporting
  • Organizations with strict data residency requirements
  • AI workloads with sensitive training data or model weights

Leafcloud provides true EU sovereignty, not just "EU region" hosting.

What is the US CLOUD Act?

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a 2018 US federal law that allows US law enforcement to compel US-based technology companies to provide data in their possession, custody or control, regardless of where that data is physically located.

Key provisions:

  • US law enforcement can obtain data from US companies with a US warrant or order alone, without foreign court approval
  • Applies to all data controlled by US companies, even if stored on EU servers
  • Companies can be compelled to provide data without notifying the customer
  • Requests can be accompanied by gag orders preventing disclosure

Impact on cloud providers:

  • US hyperscalers (AWS, Microsoft Azure, Google Cloud): Subject to CLOUD Act, even for their EU regions (Frankfurt, Netherlands, Belgium)
  • EU-sovereign providers (Leafcloud): Not subject to CLOUD Act because they are EU-owned with no US parent company

Why this matters for EU customers: The CLOUD Act creates a conflict with GDPR and EU data sovereignty requirements. Under GDPR Article 48, a third-country order demanding data is enforceable only when it rests on an international agreement such as an MLAT. The CLOUD Act lets US authorities demand the data from the provider directly, bypassing that route.

Compliance requirements affected:

  • NIS2 Directive (critical infrastructure cybersecurity)
  • DORA (Digital Operational Resilience Act for financial services)
  • CSRD (Corporate Sustainability Reporting Directive)
  • HAVEN+ (Dutch public sector cloud requirements)

For true EU sovereignty, choose EU-owned cloud infrastructure not subject to US jurisdiction.

Where is Leafcloud data physically stored?

All Leafcloud data is physically stored in Amsterdam, Netherlands.

Storage location: Your persistent data (volumes, object storage, snapshots, backups) is stored at Leafcloud's Core facility in Amsterdam. This is a Tier III datacenter with 24/7 monitoring, redundant systems, and physical security.

Compute locations: Virtual machines may run at distributed Leaf sites across the Netherlands, but no persistent data is stored at these locations. Leaf sites process workloads only.

Data movement: Data never leaves the Netherlands unless you explicitly transfer it. All backups, replicas, and disaster recovery systems remain within Dutch jurisdiction.

Disaggregated architecture: Leafcloud uses cryptographic separation between compute and storage. Data is retrieved from Core storage only when needed for processing, held in RAM at the compute node, then discarded. No customer data is persisted at a Leaf site, so a Leaf site server that is stolen or powered off carries no customer data at rest. As on any cloud, data in use on a running compute node is only as protected as that node; the separation limits what an attacker can take from the site, it does not make the running node's memory unreadable.

For data residency verification documentation for procurement, contact hello@leaf.cloud.

Start Your Sustainable Cloud Journey

Our Amsterdam-based team is here to help. Whether you need guidance on EU sovereignty requirements, NIS2/DORA compliance, or just want to discuss your infrastructure needs, reach us via email or plan a call.
