
Picking 'European' isn't enough: where EU software still sits under the US CLOUD Act

We checked 184 EU- and privacy-first SaaS tools for US CLOUD Act exposure. Only 34% are fully clear of it — and in five categories, including payments, not one option is. The exposure rarely comes from the vendor being American; it comes from the stack underneath.

By EU Vetted Editorial

Disclosure: Some links on this site are affiliate links. We may earn a commission at no extra cost to you. Editorial signals and rankings are never influenced by affiliate relationships.

Only 34% of Europe's privacy-first tools are fully clear of the CLOUD Act

We assessed 184 EU- and privacy-first SaaS tools, across 22 software categories, for exposure to the US CLOUD Act — whether a US parent, US incorporation, or a core US sub-processor can place customer data under US extraterritorial reach. These are the tools European buyers reach for when they are deliberately trying to leave US software. Even so, only a minority are fully outside the law's reach.

| CLOUD Act exposure | Tools | Share |
|---|---|---|
| None — EU operator, no US parent or notable US sub-processor | 62 | 33.7% |
| Minor — a transient US sub-processor (CDN, maps); data at rest stays in the EU | 60 | 32.6% |
| Material — US parent, or a core sub-processor is a US-owned hyperscaler | 58 | 31.5% |
| Direct — the operator itself is US-incorporated | 4 | 2.2% |
| Any exposure (minor + material + direct) | 122 | 66.3% |

So nearly two in three of these European alternatives still carry some US exposure, and roughly one in three (34%) carry material or direct exposure — a US owner, US incorporation, or a US hyperscaler at the core of the stack. The figures are a snapshot of our dataset as of 10 June 2026; we re-verify listings quarterly.

The company's flag is rarely the problem — the stack underneath is

The exposure seldom comes from the vendor being American. It comes from what runs underneath: hosting, sub-processors, and who provides the capital.

  • Strapi (France) and Storyblok (Austria) are European-built headless CMSs — both classed material, through their infrastructure and ownership chain.
  • Mollie (Netherlands), GoCardless, Klarna (Sweden), SumUp and Mangopay are European payment names — all material.
  • Cal.com is open-source and widely used in Europe, but the operating company is US-incorporated (direct).

Ownership tells the same story. Of the 184 tools, 58% are EU-owned, but 17% are EU-headquartered yet US-funded — and control, along with infrastructure choices, tends to follow the capital. Another 22% sit in non-EU but adequacy-adjacent jurisdictions such as Switzerland and the UK, and 3% are US-owned.

For a buyer, the practical lesson is simple: a European brand is not the same as leaving US jurisdiction. The sub-processor chain decides it, and it has to be read tool by tool.

Five categories where no option is fully clear

In 5 of 22 categories, not a single tool we audited is free of CLOUD Act exposure:

| Category | Tools | Fully clear | Detail |
|---|---|---|---|
| Payments | 12 | 0 | 9 of 12 material (Mollie, GoCardless, Klarna, SumUp, Mangopay…) |
| Accounting | 5 | 0 | Pennylane, sevdesk, Visma all material |
| Headless CMS | 5 | 0 | Strapi and Storyblok, both EU-built, material |
| Helpdesk and live chat | 6 | 0 | every tool carries at least a minor US sub-processor |
| Calendar and booking | 5 | 0 | Cal.com is direct (US-incorporated) |

Payments is the sharpest case. Of the twelve European payment providers we list, none is fully clear — nine are material. The reason is structural: the card-processing and cloud infrastructure underneath pulls even EU-owned providers into scope. It is the clearest example of the pattern in this whole dataset — European ownership, US exposure, decided downstream.

Where Europe does have clean options

The picture is not uniform. Several categories have strong fully-clear coverage:

The pattern is consistent: Europe has fully-sovereign options where the category is infrastructure-light and identity-owned — email, storage, secrets — and struggles where the category depends on deep payment rails or US-hosted platform infrastructure.

Why this matters now

Demand for this is established: IDC has identified protection from extraterritorial data requests as the leading driver of sovereign-cloud adoption in Europe. Policy is moving the same way — the EU Tech Sovereignty Package, announced on 27 May 2026, puts the question "is this actually EU-controlled?" into mainstream procurement.

What has been missing is a per-tool, per-category map of where a European buyer can and cannot actually escape the CLOUD Act today. The headline is not that Europe lacks alternatives — it often does not — but that availability is uneven, and that picking by flag alone leaves most buyers more exposed than they assume.

How we assess this

For each tool we record sourced, factual signals — operator jurisdiction, parent company, named sub-processors and hosting region — and classify CLOUD Act exposure on a four-level scale: none, minor, material, direct, each with a published definition. It is an editorial assessment based on public disclosures, not a vendor self-report, and we re-check it quarterly. Read the full method on our how we assess page.

Figures here are a snapshot as of 10 June 2026 and will shift as the dataset grows and vendors change their disclosures. To check any individual tool, browse it in the directory — every listing carries its hosting region, sub-processor chain, CLOUD Act level and the date we last verified it.

Frequently asked questions

Does choosing a European tool remove US CLOUD Act exposure?
Not on its own. In our dataset of 184 EU- and privacy-first tools, 66% still carry some CLOUD Act exposure despite being European-facing — usually through their hosting, sub-processors or US funding, not because the vendor is American. Exposure has to be checked per tool, across ownership, hosting region and the sub-processor chain.

What does 'CLOUD Act exposure' mean on EU Vetted?
It is our four-level editorial classification of whether customer data could fall under US extraterritorial reach: none (EU operator, no US parent or notable US sub-processor), minor (a transient US sub-processor such as a CDN, with data at rest in the EU), material (a US parent or a core US-owned hyperscaler sub-processor), and direct (the operator itself is US-incorporated). It is based on public disclosures and re-checked quarterly.

Which software categories have no fully-clear option?
As of June 2026, five of the 22 categories we cover have no tool that is fully free of CLOUD Act exposure: payments, accounting, headless CMS, helpdesk and live chat, and calendar and booking. Payments is the starkest — none of the twelve European providers we list is fully clear, and nine are classed material.

Where does Europe have genuinely clean options?
In infrastructure-light, identity-owned categories. Private email (9 of 11 clear), cloud hosting (11 of 13), file sharing (7 of 14) and password managers (5 of 9) all have strong fully-clear coverage. The gaps appear where a category depends on deep payment rails or US-hosted platform infrastructure.

METHODOLOGY

For every product we read the public DPA, sub-processors document, hosting region declaration, and corporate ownership records. Each is timestamped. Signals are editorial, re-verified quarterly. We never accept self-attestation.
