Italian developer-friendly headless CMS (Milan); 25K+ businesses; bootstrapped feel, no US PE.
- From €39/mo
- CLOUD Act exposure: minor
A single roll-up of ownership and CLOUD Act exposure.
Norwegian headless/hybrid CMS (Oslo, est. 2000); founder-owned, ISO 27001 + 9001 certified — but managed Enonic Cloud runs on Google Cloud + Azure + Fastly.
Enonic, in the Headless CMS category, offers EU hosting with Norway as its hosting location, but a US parent or sub-processor leaves material CLOUD Act exposure.
Enonic (Enonic AS, Oslo, founded 2000) is ISO 27001:2022 + ISO 9001:2015 certified (annual external audit of the 93 InfoSec controls), GDPR-compliant with a named Data Privacy Officer, DORA-aligned, and publishes both a downloadable DPA and a public sub-processor list — strong governance posture. Norway is EEA/EFTA but not EU, and ownership is founder-led (Morten Øien Eriksen + Thomas Sigdestad) with no identified VC/PE/US capital — hence ownership_signal: other (clean Norwegian local-hero on paper). The procurement caveat is the managed Enonic Cloud stack itself: per its own third-party-suppliers page the production IaaS is Google Cloud Platform (US-owned, EU region) with Microsoft Azure for encrypted off-site backups (Sweden) and Fastly (US) as CDN — data-at-rest lives on US-owned hyperscaler infrastructure inside the EEA, which is textbook material CLOUD Act exposure despite the Norwegian cap table. The escape hatch is self-hosting the open-source Enonic XP runtime on EU-sovereign infra, which removes Google/Azure/Fastly entirely.
How exposed customer data is to US authorities under the CLOUD Act.
Where ultimate control over the operating company sits.
Exposure depends on how you run this product.
Vendor-operated — the sub-processors below apply.
Deploy on your own EU infrastructure and you control hosting and every sub-processor.
Enonic (Enonic AS, Oslo, founded 2000) is Norway's largest Norwegian-owned CMS vendor — a hybrid headless / visual-editing content platform built on its open-source Enonic XP runtime, positioned directly against Optimizely, Contentful and Sanity. Founder-owned by Morten Øien Eriksen and Thomas Sigdestad with no identified VC or PE capital, it is one of the cleaner ownership stories in the category. Compliance posture is genuinely strong: ISO 27001:2022 (annually externally audited against all 93 controls) and ISO 9001:2015 certified, GDPR-compliant with a designated Data Privacy Officer, DORA-aligned, a publicly downloadable DPA, and a public sub-processor list. The important nuance for sovereignty buyers is the managed Enonic Cloud infrastructure: Enonic's own third-party-suppliers page lists the production IaaS as Google Cloud Platform (US-owned, EU region), Microsoft Azure for encrypted off-site backups (Sweden), Fastly (US) for CDN, plus Mailgun (DE), Auth0 and Zendesk (EU), and Slack (US) for community support. So while the company is Norwegian and bootstrapped, the hosted data at rest sits on US-owned hyperscalers within the EEA — material CLOUD Act exposure. Buyers who need true sovereignty can instead self-host the open-source XP runtime (GPL-3.0 with a linking exception) on Hetzner / OVH / Scaleway, which removes the US sub-processors from the data path. Pricing: a free tier (5 GB), with Professional and Enterprise tiers quoted on request (no public EUR price).
Berlin GraphQL-native headless CMS (formerly GraphCMS, founded 2017); enterprise clients incl. Samsung, LEGO; mostly EU-funded.
Paris headless CMS / page-builder (founded 2013); Slice Machine + Next.js / Nuxt / SvelteKit focus; from €7/mo.