Cloud storage without US sub-processors
European cloud-storage services verified to run with no US sub-processors — compared on ownership, hosting region, CLOUD Act exposure and sub-processor chain.
The cloud-storage services listed here operate with no US sub-processors in the data path — an EU/EEA/Switzerland operator with no US parent and no US-incorporated processor handling file data. kDrive by Infomaniak (Switzerland, Geneva — own Swiss data centres, ISO 27001) and luckycloud (Germany, Berlin — zero-knowledge encryption on its own German hardware) are the strongest fully-managed options; Nextcloud (Germany, Stuttgart) is the open-source standard, clean as a managed EU service or self-hosted. In cloud storage the exposure usually re-enters through a US CDN in front of the service, an S3-compatible object layer or the operator's US parent — which is why each listing records the full chain, not just where the servers sit.
Cloud storage without US sub-processors, as listed on this page, means the operating company is incorporated in the EU, EEA or Switzerland, has no US parent in its ownership chain, and routes no file data through a US-incorporated processor at any point in the stack. That is a chain of three facts — operator incorporation, ultimate ownership and the full sub-processor list — and all three must hold. A storage service that keeps files on German servers but fronts them with a US CDN, or an EU brand owned by a US group, does not clear the bar.
This page lists the cloud-storage services in our directory that meet this test, benchmarked on the criteria a buyer evaluates: hosting region, ownership signal, CLOUD Act exposure and the sub-processor chain. Cloud storage is one of the categories where genuinely clean European options exist at depth — operators running their own data centres in Germany, Switzerland, Norway and Slovenia — so the strict bar still leaves real choice, from consumer-friendly managed drives to self-hosted open-source platforms. Every entry is sourced to the vendor's public sub-processor documentation and re-verified quarterly.
The CLOUD Act extends US government reach to data held by any company subject to US jurisdiction, regardless of where the servers physically sit. In cloud storage the primary application and the physical disks are often genuinely European, which can create a false sense of completeness. The exposure typically re-enters one level up or one level down: a US content-delivery network terminating TLS in front of the service, an S3-compatible object layer operated by a US-incorporated provider underneath the branded front-end, a US transactional-email relay sending share notifications, or analytics SDKs reporting usage to a US parent.
File storage also concentrates more raw, unprocessed business content than almost any other SaaS category — contracts, financials, HR documents, source material — so a single reachable processor in the chain exposes a wider cross-section of an organisation's data than, say, a scheduling tool. This is why the directory records ownership and sub-processors as separate, evidenced signals rather than inferring one from the other, and why several services here additionally offer zero-knowledge, client-side encryption: it narrows what any processor could hand over, though it does not change the jurisdictional analysis itself.
- kDrive (Infomaniak): Swiss kDrive cloud (Infomaniak, Geneva, since 1994), own Swiss DCs, ISO 27001 + B Corp 2025, district-heating heat recycling.
- Nextcloud: German open-source content-collaboration platform (Nextcloud GmbH, Stuttgart, 2016); fully self-hostable + managed Nextcloud One hosted in DE.
- luckycloud: Berlin-based German zero-knowledge cloud (luckycloud GmbH, 2015), own DCs in Berlin/Nuremberg/Frankfurt, ISO 27001 BSI.
- Koofr: Slovenian cloud storage (Koofr d.o.o., est. 2013), German ISO 27001 data centres, optional client-side encryption via Koofr Vault, 10 GB free.
- STRATO HiDrive: German cloud storage (STRATO GmbH, United Internet/IONOS group), two German data centres, ISO 27001 + Trusted Cloud, optional zero-knowledge E2E.
- LeitzCloud (vBoxxCloud): Dutch vBoxx-operated Leitz-branded business cloud, German DCs shared with ITZBund, ISO 27001 + ISO 9001 + ISAE 3402.
- Jottacloud: Norwegian cloud storage & backup (Jotta Group AS, est. 2008), 100% Norway-hosted on renewable power, server-side AES-256, public DPA, no CLOUD Act reach.

Signals: Public DPA, Sub-processors, Open source. Sovereignty: a single roll-up of ownership and CLOUD Act exposure.

| Service | Location | Sovereignty | Sub-processors | Cert. | Pricing |
|---|---|---|---|---|---|
| kDrive (Infomaniak) | Geneva · CH (Switzerland) | EU-SOVEREIGN | 0 sub-procs | ISO/IEC 27001 | Paid, €4/mo |
| Nextcloud | Stuttgart · DE (Germany) | EU-SOVEREIGN | 0 sub-procs | - | Freemium, €6/mo |
| luckycloud | Berlin · DE (Germany) | EU-SOVEREIGN | 0 sub-procs | ISO/IEC 27001 | Paid |
| Koofr | DE (Germany) | EU-SOVEREIGN | 0 sub-procs | - | Freemium, €1/mo |
| STRATO HiDrive | DE (Germany) | EU-SOVEREIGN | 0 sub-procs | ISO/IEC 27001 | Paid, €6/mo |
| LeitzCloud (vBoxxCloud) | DE (Germany) | EU-SOVEREIGN | 0 sub-procs | ISO/IEC 27001 | Paid |
| Jottacloud | NO (Norway) | EU-SOVEREIGN | 0 sub-procs | - | Freemium, €7/mo |

Start with the deployment model. Fully-managed services (kDrive, luckycloud, Jottacloud, Koofr, STRATO HiDrive, LeitzCloud) behave like the US incumbents — sync clients, sharing, web UI — and suit teams that want zero operations work; compare them on zero-knowledge encryption, own-hardware vs rented data centres, and the operator's country. Self-hosted or hybrid (Nextcloud) puts the operator role in your hands: run it on EU-incorporated infrastructure and the sub-processor question collapses to your own hosting choice, at the cost of running it.
For regulated buyers, any US-incorporated processor in the chain is typically a veto regardless of contractual safeguards, because the CLOUD Act operates independently of contract terms; open each profile and read the full chain, including the CDN and object-store layers, before shortlisting. For small teams and prosumers, price per terabyte and client quality are the binding constraints — several services here are cost-competitive with the US incumbents at standard tiers. For enterprise procurement, combine this page with the certification filters (ISO 27001, BSI C5) and check whether the vendor runs its own data centres or rents from a third party, since that third party is itself part of the chain. Use the sort and filter controls on the listing above to narrow by hosting country, ownership or pricing.
Switching from a US file-sharing tool?
Side-by-side European alternatives — same hosting, ownership and CLOUD Act checks — for the most-replaced file-sharing tools.
- Alternatives to Apple iCloud: 11 European alternatives compared
- Alternatives to Apple iCloud Photos: 5 European alternatives compared
- Alternatives to Box: 4 European alternatives compared
- Alternatives to Dropbox: 13 European alternatives compared
- Alternatives to Evernote: 6 European alternatives compared
- Alternatives to Google Drive: 13 European alternatives compared
- Alternatives to Google Photos: 4 European alternatives compared
- Alternatives to MEGA: 3 European alternatives compared
- Alternatives to Microsoft 365: 4 European alternatives compared
- Alternatives to Microsoft OneDrive: 11 European alternatives compared
- Alternatives to Microsoft SharePoint: 3 European alternatives compared
Frequently asked questions
Where do US sub-processors usually hide in a cloud-storage stack?
What counts as 'no US sub-processors' on this page?
Is EU hosting alone enough to escape the CLOUD Act?
Do Swiss and Norwegian providers count as 'European' here?
Can I migrate from Dropbox, Google Drive or OneDrive without losing structure?
How we verified every listing here.
For each product we read the public DPA, sub-processors document, hosting region declaration, certifications, and corporate ownership records. Each is timestamped. Signals are editorial, re-verified quarterly. We never accept self-attestation.