EU data sovereignty for compliance documents: why jurisdiction matters when you cannot delete the file
Data sovereignty is one of those topics that generates more heat than light. It is sometimes framed as protectionism dressed up in legal language, and sometimes as a genuine governance concern. In the context of day-to-day application data, the distinction is often academic.
For compliance-sensitive documents — invoices with 7-year retention requirements, contracts subject to legal hold, regulatory submissions that cannot be altered or deleted — the distinction is not academic. It has legal consequences.
This article makes a specific argument: when you cannot delete a document, where it lives matters more than usual, and “where” means jurisdiction, not just geography.
The standard data residency argument
The most common argument for EU-hosted infrastructure is GDPR compliance: personal data should not leave the European Economic Area without adequate safeguards. This is a real requirement, and for applications processing personal data it is important.
But it is not the strongest argument for keeping compliance documents in Europe. The GDPR argument turns on whether a document contains personal data at all. Compliance documents often do, but that is almost secondary to the core question.
The stronger argument is about what happens to documents that you are legally required to retain and legally unable to delete.
Retention law and the problem of infrastructure access
EU invoice retention requirements are typically 7 years. Dutch public sector records under the Archiefwet can require 20-year retention. These are not soft guidelines. Failing to retain the required records exposes organisations to tax penalties, loss of VAT deduction rights, and regulatory sanctions.
The flip side of retention requirements is that the retained documents cannot be deleted during the retention window. Documents subject to legal hold cannot be deleted at all until the hold is lifted.
This creates an unusual situation from an infrastructure perspective: you have data you are legally required to keep, that you may be legally prohibited from deleting, stored on infrastructure controlled by a third party. The question is: who else has access to that data, under what legal authority, and what can they do with it?
The CLOUD Act question
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is a US federal law, enacted in 2018, that allows US law enforcement agencies to compel US companies — including cloud providers — to produce data stored on their servers, regardless of where those servers are physically located.
The practical effect: a European company’s data stored on US hyperscaler infrastructure can in principle be accessed by US law enforcement without notifying the European company, subject to the procedural requirements of the CLOUD Act.
For most data, this is a theoretical concern. The volume of routine business data that actually becomes subject to CLOUD Act requests is small, and the procedures for obtaining such data are not trivial.
For compliance documents, the calculus is different for two reasons.
First, compliance documents often relate to the most commercially sensitive aspects of a business: supplier pricing, customer terms, contract values, regulatory filings. These are documents that competitors and governments with trade interests might actively want access to.
Second, retention requirements mean the data exists for long periods. A CLOUD Act request in year 5 of a 7-year retention window operates on data that is by definition material to ongoing business operations.
The CLOUD Act does not mean that using US hyperscaler infrastructure is illegal or that data will routinely be accessed. It means the legal framework creating that possibility applies, and the cloud provider has limited ability to resist a valid legal order. The risk profile is different from EU-only infrastructure.
What “EU sovereign” means in practice
“EU sovereign” is used loosely in marketing, and it is worth being precise about what it requires.
At minimum, EU sovereign infrastructure means:
All data remains within the European Economic Area. Not just the primary region — backups, disaster recovery, and any replication must also stay within the EEA. Cross-border data transfers to non-EEA jurisdictions require either an adequacy decision (which can be revoked) or binding appropriate safeguards.
The infrastructure operator is not subject to extra-EU data access laws for the relevant data. This means the operator is not a US company or subsidiary that would be subject to CLOUD Act obligations for the data you store with them. EU-based companies with no US corporate structure are not subject to the CLOUD Act.
Physical access controls are under EU jurisdiction. Datacenter operations are subject to EU law, not the law of the jurisdiction where the hyperscaler is incorporated.
There is no dependency on US-origin infrastructure that could be used to access the data. Using a European datacenter for primary storage while routing all traffic through a US-origin CDN, or relying on US-origin key management infrastructure, reintroduces jurisdictional dependencies through the back door.
True sovereignty is not about the flag on the building. It is about the legal framework governing who can access the data and under what circumstances.
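The four conditions above can be turned into a check that runs over a description of a deployment before any object lock is applied. The following is an added example, not SealDoc's code or any provider's API: the deployment descriptor format, the component roles (primary, backup, replication, cdn, kms) and the two sample deployments are constructed here for illustration. It flags any data-bearing or data-reaching component that is located outside the EEA, or whose operator's parent company is incorporated outside the EEA, which is the "back door" case the text describes.

```python
"""Residency check for a document-storage deployment descriptor.

Added example. The descriptor format and sample deployments are
constructed; they are not SealDoc's configuration format. Each
component that holds the data (primary, backup, replication) or can
reach it (CDN in the request path, key management) is checked for two
things: the datacenter country is inside the EEA, and the operator's
parent company is incorporated inside the EEA. A component that fails
the second test reintroduces a non-EU access-law dependency even when
the servers themselves stand in Europe.
"""
from __future__ import annotations

from dataclasses import dataclass

# 27 EU member states plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}


@dataclass(frozen=True)
class Component:
    country: str          # country of the datacenter or region hosting this role
    operator_parent: str  # country where the operator's ultimate parent is incorporated


@dataclass(frozen=True)
class Deployment:
    name: str
    components: dict[str, Component]  # role -> component, e.g. "primary", "backup"


def residency_findings(dep: Deployment) -> list[str]:
    """Return one finding per condition that fails; an empty list means
    every component is EEA-located and EEA-operated.

    Adequacy decisions are deliberately not treated as a pass: the text
    notes they can be revoked, so a non-EEA location is always reported
    and the reader decides whether a safeguard covers it.
    """
    findings: list[str] = []
    for role, comp in dep.components.items():
        if comp.country not in EEA_COUNTRIES:
            findings.append(f"{role}: data located in {comp.country}, outside the EEA")
        if comp.operator_parent not in EEA_COUNTRIES:
            findings.append(
                f"{role}: operator parent incorporated in {comp.operator_parent}, "
                "subject to non-EU data access law"
            )
    return findings


def is_sovereign(dep: Deployment) -> bool:
    """True only when no finding is raised for any component."""
    return not residency_findings(dep)


# Constructed sample 1: everything in the EEA, operated by EEA companies.
SOVEREIGN = Deployment("eu-only", {
    "primary":     Component(country="NL", operator_parent="NL"),
    "backup":      Component(country="DE", operator_parent="NL"),
    "replication": Component(country="FR", operator_parent="FR"),
    "kms":         Component(country="NL", operator_parent="NL"),
})

# Constructed sample 2: primary and backup are in Europe, but the CDN in
# front of the documents is US-owned and key management lives in the US.
BACK_DOOR = Deployment("eu-primary-us-dependencies", {
    "primary": Component(country="NL", operator_parent="NL"),
    "backup":  Component(country="NL", operator_parent="NL"),
    "cdn":     Component(country="NL", operator_parent="US"),
    "kms":     Component(country="US", operator_parent="US"),
})

if __name__ == "__main__":
    for dep in (SOVEREIGN, BACK_DOOR):
        print(dep.name, "sovereign" if is_sovereign(dep) else "NOT sovereign")
        for line in residency_findings(dep):
            print("  -", line)
```

The second sample is the case the text warns about: the storage itself would pass a naive "is the region in Europe" test, and only checking the operator's jurisdiction and the key-management dependency exposes the problem.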
Why this matters specifically for documents you cannot delete
Return to the original observation: compliance documents have retention requirements. They cannot be deleted during the retention window.
Now combine this with the sovereign infrastructure question. A document stored on non-EU infrastructure under a non-EU legal framework, that you cannot delete for 7 years, is a document whose access profile you cannot fully control for 7 years.
For an invoice with standard retention requirements, this may be an acceptable risk. For a contract with a sensitive pricing structure, a regulatory submission, or documents subject to legal hold in an ongoing dispute, the risk profile is different.
The inability to delete the document also means you cannot mitigate the exposure by removing the data. With cloud object storage operating under COMPLIANCE mode object lock, you are by design committed to the document’s existence for the retention period. The choice of jurisdiction is therefore not easily reversible once the lock is applied.
The on-premises option
For organisations where data sovereignty is a hard requirement — not a preference but a legal or contractual obligation — on-premises deployment is the most complete solution.
On-premises deployment places the data entirely within the organisation’s own infrastructure, under its own security controls, with no dependency on external cloud providers. The jurisdictional question becomes: what laws apply to the organisation’s own infrastructure? For EU organisations operating within the EU, the answer is EU law.
On-premises deployment comes with operational costs: the organisation is responsible for availability, backup, disaster recovery, and capacity planning. But for regulated entities where data residency is a compliance requirement, these costs are typically already accepted as part of the baseline security architecture.
BYOS — bring your own S3-compatible storage — is a middle option. The application layer remains a service, but the organisation’s own storage bucket, operating within the organisation’s own cloud account under the organisation’s chosen jurisdiction, holds the data. The application provider does not hold the documents; it processes them and writes them to the organisation’s bucket.
The practical question for compliance teams
The question for compliance teams evaluating document infrastructure is not whether EU sovereignty is nice to have. It is whether the legal and risk requirements of the documents being stored — retention obligations, legal hold procedures, regulatory sensitivity — require it.
For routine documents with standard 7-year retention, the risk from US hyperscaler dependency may be acceptable. Many organisations make that tradeoff and it rarely causes problems.
For documents subject to legal hold, long retention windows, high commercial sensitivity, or explicit data residency requirements in regulated industry frameworks, the question is worth asking seriously before the infrastructure decision is locked in.
Once the object lock is applied and the retention clock is running, the jurisdiction question becomes harder to revisit.
SealDoc runs on EU infrastructure in ISO 27001-certified European datacenters with no US hyperscaler dependency. On-premises deployment and BYOS are available for organisations with explicit data residency requirements.