Skip to main content

Digital Sovereignty

EU-Sovereign Cloud by, for, and in Europe

Built and operated in the Netherlands under EU law. Your data stays in Amsterdam, protected from foreign government access. True sovereignty for regulated industries and privacy-conscious organizations.

Deploy NowBook Consultation
Decorative illustration

Why Leafcloud for Digital Sovereignty

True European Infrastructure

Unlike hyperscaler EU regions that remain under US jurisdiction, Leafcloud provides complete sovereignty. Entirely owned and operated in the Netherlands under European law.

Netherlands Ownership

No US parent company, investors, or board members. Entirely operated under EU law with zero American jurisdiction.

Amsterdam Data Center

All data resides in our Netherlands facility. Tier III datacenter with 24/7 monitoring and full redundancy.

Protected from US CLOUD Act

Not subject to US surveillance laws. American agencies cannot compel access to your data.

ISO 27001 & SOC2 Type II

Third-party certified security. Independent audits annually verify our security controls.

The Sovereignty Challenge

Why Physical Location Isn't Enough

Understanding the critical difference between data residency and legal jurisdiction. Where your server sits doesn't determine which laws govern it.

Understanding the US CLOUD Act

The Location Myth

Many companies choose AWS Frankfurt or Azure Netherlands thinking their data is sovereign. Where your server physically sits doesn't determine which laws govern it. Legal jurisdiction follows corporate ownership, not datacenter location.

US CLOUD Act Reaches Everywhere

AWS, Azure, and Google are US companies subject to US law. US agencies can demand data from any datacenter worldwide, including EU regions. Your Frankfurt server can be subpoenaed by Washington.

The Schrems II Wake-Up Call

The EU Court of Justice invalidated Privacy Shield because US surveillance laws conflict with EU privacy rights. Using hyperscaler EU regions exposes you to the same legal conflict that killed Privacy Shield.

New Regulations Demand Real Sovereignty

NIS2, DORA, HAVEN+, and the AI Act require true data sovereignty. Infrastructure owned and operated by an EU company, governed only by European law. Hyperscaler compliance tools can't fix a jurisdictional problem.

The Jurisdiction Difference

Leafcloud vs. Hyperscaler "EU Regions"

Understand the critical distinction between where data is physically stored and which laws govern it. Even with servers in EU datacenters, hyperscalers remain subject to US legal jurisdiction.

aspect Leafcloud Hyperscaler EU Regions
Ownership Dutch company US parent company
Legal Jurisdiction EU only US + EU
US CLOUD Act Not applicable Applies
Data Location Amsterdam, Netherlands EU datacenters
Data Sovereignty Full EU sovereignty US jurisdiction exposure
GDPR Compliance Native (EU-owned) Compliance with US jurisdiction risk
Leafcloud is Dutch-owned with no US parent company exposureHyperscaler EU regions (AWS Frankfurt, Azure Netherlands, Google Cloud Belgium) remain subject to US CLOUD Act

Sovereignty for Your Industry

Built for Regulated Sectors

Every industry has unique sovereignty and compliance requirements. We provide the infrastructure foundation for meeting EU regulations across financial services, healthcare, public sector, and AI workloads.

Financial Services & Banking

Financial Services & Banking

DORA Compliance and Transaction Data Protection

DORA requires financial institutions to eliminate ICT supply chain risks from third-party providers. Hyperscaler EU regions remain subject to US CLOUD Act jurisdiction, creating operational resilience vulnerabilities that fail DORA audits. Our SOC2 Type II certified infrastructure in Amsterdam provides true EU sovereignty—no Transfer Impact Assessments, no third-country conflicts, no regulatory audit failures.

Healthcare & Research

Healthcare & Research

Protect Patient Data and Research Intellectual Property

Healthcare organizations processing patient records and clinical AI risk both regulatory failures and ethical breaches when using hyperscaler EU regions subject to US surveillance laws. Horizon Europe grants require EU-sovereign infrastructure, and NIS2 mandates supply chain security that US cloud providers cannot provide. Our ISO 27001 certified platform delivers medical-grade security with H100/RTX 6000 Blackwell GPUs for clinical AI—keeping patient data and research IP under EU jurisdiction where it belongs.

Public Sector & Municipalities

Public Sector & Municipalities

Compliant and Future Proof Infrastructure

Dutch municipalities processing citizen data on hyperscaler EU regions face impossible Transfer Impact Assessments and complex HAVEN+ compliance gaps. Our HAVEN+ ready platform with Dutch ownership eliminates TIA requirements entirely, reducing compliance time spent by IT teams while meeting BIO/ENSIA audit requirements. Multiple municipalities already run citizen services on infrastructure that meets procurement requirements and warms local nursing homes with server heat.

AI & Cloud Service Providers

AI & Cloud Service Providers

Sovereign AI Training, Inference, and SaaS Infrastructure

SaaS providers on hyperscaler EU regions inherit US CLOUD Act exposure, creating compliance blockers when enterprise customers require NIS2, DORA, or AI Act sovereignty. Every lost deal because your infrastructure doesn't meet customer requirements is revenue directly lost to competitors on EU-sovereign platforms. Our RTX 6000 Blackwell GPUs and OpenStack multi-tenancy API deliver AI training and inference at scale—turning sovereign infrastructure from a compliance burden into your competitive advantage.

Build Your Complete Infrastructure

Calculate Your Migration Savings

Use the slider for a quick indication, or configure VMs, GPUs, storage, and networking in our interactive calculator. Compare configurations, see real-time pricing, and download a detailed PDF quote to share with your team. Perfect for planning migrations or getting stakeholder approval.

Try Full CalculatorDeploy Now

Legal Jurisdiction, Not Just Physical Location

The Leafcloud Sovereignty Guarantee

Leafcloud is a Netherlands B.V. (besloten vennootschap) with no US parent company, investors, or board members. We operate entirely under European law. When US agencies request data, we can say no. We're not subject to their jurisdiction.

Netherlands Legal Jurisdiction

EU Law Only, Zero US Jurisdiction

Leafcloud B.V. is a company incorporated in the Netherlands with no US parent company, investors, or board members. We operate entirely under European law. The US CLOUD Act, FISA, and other US surveillance laws do not apply to our infrastructure or data. If US agencies request data, we can refuse. We're not subject to their jurisdiction. If US intelligence agencies want data from our infrastructure, they must go through Mutual Legal Assistance Treaties (MLAT). These require formal government-to-government requests, judicial review, and compliance with EU fundamental rights. Dutch law provides significantly more transparency than US law, though certain ongoing investigations may restrict disclosure. This process requires judicial oversight and legitimate legal basis. It's not the administrative ease of US CLOUD Act requests. Contrast this with AWS, Azure, and Google Cloud, which must comply with US legal requests globally, even from their EU regions.

Benefit illustration

Amsterdam Data Residency

All Data Stays in Netherlands

Every byte of your data resides in our Amsterdam Core facility. This includes compute, storage, backups, and snapshots. Our Tier III datacenter has 24/7 monitoring, biometric access, and full redundancy. Your data never leaves the Netherlands unless you explicitly instruct us via API or cross-region replication. No data transfers to US for operational purposes. No US-based support accessing production systems. No surprise third-country transfers. Location: Amsterdam, Netherlands (EU member state)

Benefit illustration

GDPR Native Compliance

Built for EU Privacy, Not Bolted On

GDPR isn't a compliance checkbox for us. It's the foundation of our operations. As an EU-based company with EU-based infrastructure, we're supervised by the Netherlands Data Protection Authority (Autoriteit Persoonsgegevens). No Transfer Impact Assessments needed because there are no third-country transfers. No adequacy decision risks because we're not transferring data to non-EU countries. No Schrems II conflicts because we're not subject to conflicting surveillance laws. Data Processing Agreement (DPA) available on request for GDPR Article 28 compliance.

Benefit illustration

Customer Protection Rights

Transparency and Notification Guarantees

Under Netherlands law, if authorities request access to your data, they must obtain a judicial warrant. This is fundamentally different from US administrative subpoenas and National Security Letters. If we receive a valid court order, we will notify you whenever legally permitted. While Dutch law may restrict disclosure in certain ongoing criminal investigations, these restrictions are narrower in scope and duration than US gag orders, which can prohibit disclosure indefinitely without judicial oversight. We maintain detailed access logs and can provide evidence of who accessed your data, when, and why. This supports your audit and compliance requirements.

Benefit illustration

Sovereignty-First Architecture

Technical Implementation of Data Sovereignty

Digital sovereignty requires more than legal structure. It demands technical architecture designed for data isolation, transparency, and customer control.

Amsterdam Core Facility

Tier III datacenter with 24/7 monitoring, biometric access controls, and full redundancy. Disaggregated compute and storage architecture keeps data physically separated from processing nodes.

Open Source Stack

Built on OpenStack and Kubernetes. No proprietary APIs, no vendor lock-in, full transparency into infrastructure behavior. Complete portability with industry-standard interfaces.

Encryption & Access Controls

AES-256 encryption at rest, TLS 1.3 in transit. You control encryption keys. If courts compel data disclosure, we will notify you whenever legally permitted under Dutch law.

Network Isolation & Data Residency

Private networks with VLAN isolation. Data never leaves Amsterdam datacenter without explicit instruction. Regional boundaries enforced at infrastructure level, not just policy.

Certified Security, European Standards

Third-Party Validated Compliance

Leafcloud infrastructure is audited annually to maintain ISO 27001 and SOC2 Type II certifications. GDPR compliance is built in through EU data residency. HAVEN+ certification (Netherlands government security baseline) is in progress.

Download DPAView Security Details
Certified Security, European Standards Third-Party Validated Compliance

ISO 27001 & SOC2 Type II

Annual independent audits verify our security controls meet international standards. Certificates and audit reports available for procurement.

GDPR Native Compliance

EU data residency guaranteed. Data Processing Agreement available. No data transfer outside Netherlands without your explicit instruction.

HAVEN+ & NIS2 Aligned

Infrastructure designed to meet Netherlands government security baseline (HAVEN+) and NIS2 directive requirements for critical infrastructure.

Frequently Asked Questions

Your Sovereignty Questions Answered

Common questions about digital sovereignty, jurisdiction, and compliance.

Yes. Despite data being physically stored in EU regions (Frankfurt, Stockholm, Paris, Milan, etc.), AWS is a US company subject to the US CLOUD Act, which means US government agencies can compel AWS to provide customer data stored anywhere in the world.

How this works:

  1. US law enforcement or intelligence agencies issue a legal demand under the CLOUD Act
  2. AWS (parent company Amazon, Inc.) must comply with the US legal request
  3. Data is provided to US authorities regardless of physical storage location
  4. AWS may be prohibited from notifying the customer (gag order)

Why physical location doesn't matter:

  • The CLOUD Act applies to the company's legal jurisdiction, not the server location
  • AWS, Microsoft, and Google are all incorporated in the United States
  • EU regions are operated by subsidiaries of US parent companies
  • Data access is based on corporate control, not physical infrastructure

This applies to:

  • AWS (all EU regions: Frankfurt, Stockholm, Paris, Milan, Spain, Zurich)
  • Microsoft Azure (all EU regions: Netherlands, Ireland, Germany, France, Sweden, etc.)
  • Google Cloud (all EU regions: Belgium, Netherlands, Finland, Germany, etc.)

Legal conflict with GDPR:

  • GDPR Article 48 requires proper legal basis (MLAT treaty or EU approval) for data transfers to non-EU authorities
  • The CLOUD Act bypasses these protections
  • Creates compliance risk for EU organizations subject to NIS2, DORA, and CSRD

EU-sovereign alternative: Leafcloud is a Dutch B.V. with no US parent company. Data stored on Leafcloud infrastructure in Amsterdam is subject only to Dutch and EU law. US government requests must go through proper MLAT (Mutual Legal Assistance Treaty) channels with EU judicial oversight and review.

Yes. The US CLOUD Act applies to all data stored or processed by US cloud providers, including AI training data, model weights, inference data, and embeddings.

What data is affected:

  1. Training datasets: Customer data used to train or fine-tune models
  2. Model weights and checkpoints: The trained model parameters themselves
  3. Inference data: Input prompts and generated outputs
  4. Embeddings and vector databases: Semantic representations of proprietary data
  5. API logs: Records of model interactions and usage patterns

Why this matters for AI workloads:

  • Proprietary data exposure: Training data often contains competitive business intelligence
  • Model IP theft risk: Fine-tuned model weights represent significant R&D investment
  • Prompt injection concerns: User queries to LLMs may contain sensitive information
  • RAG systems: Vector databases often contain entire knowledge bases of proprietary documents

Compliance implications:

  • NIS2 (Cybersecurity): Critical infrastructure operators must protect against foreign surveillance
  • DORA (Financial): Financial institutions must ensure operational resilience and data sovereignty
  • CSRD (Sustainability): Public interest entities reporting environmental data need sovereignty guarantees
  • AI Act: High-risk AI systems require data sovereignty for accountability

Real-world scenarios:

  • Healthcare AI: Patient data used for medical imaging models subject to CLOUD Act access
  • Financial services: Fraud detection models trained on transaction data vulnerable to requests
  • Government services: Public sector AI chatbots using citizen data lack sovereignty protection
  • Research institutions: Scientific models trained on sensitive research data at risk

EU-sovereign AI infrastructure: Leafcloud provides EU-sovereign GPU infrastructure (H100, A100, A30, RTX 6000 Blackwell) in Amsterdam. Training and inference workloads remain under Dutch and EU jurisdiction only. US government requests must go through proper MLAT (Mutual Legal Assistance Treaty) channels with EU judicial oversight and review.

For AI workloads with sovereignty requirements, choose EU-owned cloud infrastructure not subject to the US CLOUD Act.

No. Leafcloud is not subject to the US CLOUD Act.

Leafcloud is a Dutch company with no parent company outside the European Union. We are not subject to the US CLOUD Act, FISA (Foreign Intelligence Surveillance Act), or any other non-EU data access laws.

Why this matters: The US CLOUD Act allows US government agencies to compel US-based companies (and their subsidiaries) to provide data stored anywhere in the world, even if that data is stored in the EU. This applies to US hyperscalers like AWS, Microsoft Azure, and Google Cloud, even when they operate "EU regions" with servers physically located in Europe.

Leafcloud's jurisdiction: Dutch law applies. Your data cannot be compelled by US government requests. If a Dutch court orders data access, we will notify you whenever legally permitted. Dutch law may prohibit disclosure in certain ongoing criminal investigations, though such restrictions are more limited than US gag orders.

This makes Leafcloud true EU-sovereign cloud infrastructure, distinct from hyperscaler "EU regions" which remain subject to US jurisdiction despite server location.

For sovereignty verification documentation for procurement, contact hello@leaf.cloud.

Leafcloud is EU-sovereign cloud infrastructure. Hyperscaler "EU regions" are physically located in the EU but remain subject to US jurisdiction.

The key difference: Legal jurisdiction

Hyperscaler EU regions (AWS Frankfurt, Azure Netherlands, Google Cloud Belgium):

  • Servers physically located in Europe ✓
  • Data stored in Europe ✓
  • Subject to US CLOUD Act ✗ (parent companies are US-based)
  • Subject to FISA and US government data requests ✗
  • Can be compelled to provide EU-stored data to US authorities ✗

Leafcloud:

  • Servers physically located in Netherlands (Amsterdam) ✓
  • Data stored in Netherlands ✓
  • Dutch-owned company, no US parent ✓
  • Not subject to US CLOUD Act or FISA ✓
  • Data cannot be compelled by non-EU government requests ✓

Why this matters:

Under the US CLOUD Act, US government agencies can compel US-based companies (including AWS, Microsoft, Google) to provide data stored anywhere in the world, even data stored in "EU regions". This creates a conflict with GDPR and EU data sovereignty requirements.

EU-sovereign infrastructure means:

  • European ownership
  • European operations
  • European legal jurisdiction
  • No exposure to non-EU data access laws

When you need EU sovereignty:

  • Dutch public sector (HAVEN+ requirements)
  • Regulated industries (healthcare, finance) with NIS2/DORA obligations
  • Companies subject to CSRD sustainability reporting
  • Organizations with strict data residency requirements
  • AI workloads with sensitive training data or model weights

Leafcloud provides true EU sovereignty, not just "EU region" hosting.

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a 2018 US federal law that allows US law enforcement and intelligence agencies to compel US-based technology companies to provide data stored anywhere in the world, regardless of where that data is physically located.

Key provisions:

  • US government agencies can request data from US companies without requiring foreign court approval
  • Applies to all data controlled by US companies, even if stored on EU servers
  • Companies can be compelled to provide data without notifying the customer
  • Requests can be accompanied by gag orders preventing disclosure

Impact on cloud providers:

  • US hyperscalers (AWS, Microsoft Azure, Google Cloud): Subject to CLOUD Act, even for their EU regions (Frankfurt, Netherlands, Belgium)
  • EU-sovereign providers (Leafcloud): Not subject to CLOUD Act because they are EU-owned with no US parent company

Why this matters for EU customers: The CLOUD Act creates a conflict with GDPR and EU data sovereignty requirements. Under GDPR Article 48, data transfers to non-EU authorities require proper legal basis (MLAT treaty or EU approval). The CLOUD Act bypasses these protections.

Compliance requirements affected:

  • NIS2 Directive (critical infrastructure cybersecurity)
  • DORA (Digital Operational Resilience Act for financial services)
  • CSRD (Corporate Sustainability Reporting Directive)
  • HAVEN+ (Dutch public sector cloud requirements)

For true EU sovereignty, choose EU-owned cloud infrastructure not subject to US jurisdiction.

All Leafcloud data is physically stored in Amsterdam, Netherlands.

Storage location: Your persistent data (volumes, object storage, snapshots, backups) is stored at Leafcloud's Core facility in Amsterdam. This is a Tier III datacenter with 24/7 monitoring, redundant systems, and physical security.

Compute locations: Virtual machines may run at distributed Leaf sites across the Netherlands, but no persistent data is stored at these locations. Leaf sites process workloads only.

Data movement: Data never leaves the Netherlands unless you explicitly transfer it. All backups, replicas, and disaster recovery systems remain within Dutch jurisdiction.

Disaggregated architecture: Leafcloud uses cryptographic separation between compute and storage. Data is retrieved from Core storage only when needed for processing, kept in RAM at the compute node, then discarded. This means even if a Leaf site server were physically compromised, no customer data could be extracted.

For data residency verification documentation for procurement, contact hello@leaf.cloud.

Start Your Sovereign Cloud Journey

Deploy European Infrastructure Today

Join municipalities, healthcare organizations, financial institutions, and research teams who've chosen true digital sovereignty. Zero US jurisdiction, zero compliance conflicts, zero compromises.

Deploy NowBook a Consultation