Data Security
Security, privacy, & compliance
Leafcloud operates secure cloud infrastructure in Amsterdam, Netherlands. It is ISO 27001 and SOC2 Type II certified. All data stays in the Netherlands (GDPR compliant, no US CLOUD Act exposure). Find our DPA below.
ISO 27001 & SOC2
Independently certified
Amsterdam, Netherlands
EU data residency
No US CLOUD Act
Dutch-owned, EU-sovereign
GDPR Native
DPA available
Security
Learn about disaggregated storage and compute, compliance, and encryption and security features
Compliance
Certifications
Leafcloud maintains strict data security standards and is audited annually to maintain ISO 27001 and SOC2 Type II certifications and standards.
Architecture
Distributed data processing
Leafcloud uses a distributed architecture. It consists of a core, housed in a traditional Tier-III data center, and several Leaf sites. Each site is connected to the core using a private dark-fiber connection.
Disaggregated
Splitting storage and compute
Data at rest is always stored in the data center. A compute instance (VM) starts with a network-attached disk, reading only the bits needed for processing at the Leaf site and confining these to RAM. This means data is never stored at a Leaf site and no data can be stolen from a compute instance at a Leaf site.
Encryption
LUKS full disk encryption
All volumes are encrypted by default using Linux Unified Key Setup (LUKS), a kernel-based encryption method. With this mechanism, storage data is only decrypted and encrypted on the VM instance. As a result, no data traverses the network unencrypted.
Secure data processing
Security at Leaf sites
Leafcloud Leaf sites are housed at undisclosed locations. Access to Leaf sites is strictly controlled, and Leaf sites contain several layers of security. These include but are not limited to:
- Multiple layers of physical access control
- CCTV surveillance
- Facility access logging
- Full disk encryption
Even in the unlikely event of unauthorized access, servers housed at Leaf sites are devoid of compromising data. Sensitive data on Leaf sites is limited to passage through RAM. This means data is never stored at a Leaf site and no data can be stolen from a compute instance at a Leaf site.
Secure storage
Safe & secure in the core
Your data is stored at our core location in a T-III data center with the following certifications.
Software
Hardened OpenStack cluster
Leafcloud uses OpenStack, which is an open-source cloud initiative and therefore both transparent and constantly being improved. With over 500 member companies and thousands of active users, it is the largest open-source cloud computing platform. Our OpenStack cluster utilizes the best practices for multi-tenancy on a cluster. This includes using the KVM hypervisor and GRE-separated user networks. Our implementation partner StackHPC has years of experience building and hardening OpenStack clusters.
Certifications & Compliance
Independently Verified Security Standards
Leafcloud infrastructure is audited annually to maintain ISO 27001 and SOC2 Type II certifications. GDPR compliance is built-in through EU data residency. HAVEN+ certification (Dutch government security baseline) is in progress.
ISO 27001 & SOC2 Type II
Annual independent audits verify our security controls meet international standards. Certificates and audit reports are available for procurement.
GDPR Compliant
EU data residency guaranteed. Data Processing Agreement available. No data transfer outside the Netherlands without your explicit instruction.
HAVEN+ & NIS2 Aligned
Infrastructure is designed to meet the Dutch government security baseline (HAVEN+) and NIS2 directive requirements for critical infrastructure.
EU Sovereignty
True European Cloud, Not Just "EU Region"
Leafcloud is EU-sovereign infrastructure: Dutch-owned, operated, and governed under EU law. Unlike hyperscaler "EU regions" (AWS Frankfurt, Azure Netherlands), Leafcloud is not subject to the US CLOUD Act or non-EU jurisdiction. Your data stays in the Netherlands and cannot be compelled by non-EU governments.
Security Architecture
Disaggregated Storage & Compute
Leafcloud separates compute from storage for enhanced security. Your data stays safe at our Core facility while workloads run at distributed Leaf sites for heat reuse.
Step 1 - Data Stored at Core
All persistent data (volumes, snapshots, backups) is stored at a secure Tier III datacenter in Amsterdam with 24/7 monitoring and physical security.
Step 2 - Processing at Leaf Sites
VMs run at distributed Leaf sites. Only data needed for processing is retrieved and kept temporarily in RAM during computation.
Step 3 - Data Returns to Core
Processed data is written back to Core storage. No persistent data remains at Leaf sites. Encryption (AES-256 at rest, TLS 1.3 in transit) protects data throughout.
Data Processing Agreement
Download Our Standard DPA
Review our standard Data Processing Agreement (DPA) which outlines our commitment to data protection and GDPR compliance. This agreement details how we process and protect your data in accordance with EU regulations.
Security & Compliance
Frequently Asked Questions
Can the US government access data stored in AWS EU regions?
Yes. Despite data being physically stored in EU regions (Frankfurt, Stockholm, Paris, Milan, etc.), AWS is a US company subject to the US CLOUD Act, which means US government agencies can compel AWS to provide customer data stored anywhere in the world.
How this works:
- US law enforcement or intelligence agencies issue a legal demand under the CLOUD Act
- AWS (parent company Amazon, Inc.) must comply with the US legal request
- Data is provided to US authorities regardless of physical storage location
- AWS may be prohibited from notifying the customer (gag order)
Why physical location doesn't matter:
- The CLOUD Act applies to the company's legal jurisdiction, not the server location
- AWS, Microsoft, and Google are all incorporated in the United States
- EU regions are operated by subsidiaries of US parent companies
- Data access is based on corporate control, not physical infrastructure
This applies to:
- AWS (all EU regions: Frankfurt, Stockholm, Paris, Milan, Spain, Zurich)
- Microsoft Azure (all EU regions: Netherlands, Ireland, Germany, France, Sweden, etc.)
- Google Cloud (all EU regions: Belgium, Netherlands, Finland, Germany, etc.)
Legal conflict with GDPR:
- GDPR Article 48 requires proper legal basis (MLAT treaty or EU approval) for data transfers to non-EU authorities
- The CLOUD Act bypasses these protections
- Creates compliance risk for EU organizations subject to NIS2, DORA, and CSRD
EU-sovereign alternative: Leafcloud is a Dutch B.V. with no US parent company. Data stored on Leafcloud infrastructure in Amsterdam is subject only to Dutch and EU law. US government requests must go through proper MLAT (Mutual Legal Assistance Treaty) channels with EU judicial oversight and review.
Does Leafcloud provide a Data Processing Agreement (DPA)?
Yes. Leafcloud provides a standard Data Processing Agreement (DPA) available for download.
Download the DPA: The standard Leafcloud DPA is available at https://leaf.cloud/security or by direct download at https://leaf.cloud/downloads/leafcloud_standard_DPA.pdf.
What's included: Our DPA outlines:
- Data processing activities and purposes
- Data location and residency (Amsterdam, Netherlands)
- Security measures (ISO 27001, SOC2, encryption)
- Sub-processors (if any)
- Data retention and deletion procedures
- Data subject access request handling
- Incident notification procedures
- Your rights as data controller
- Our obligations as data processor
GDPR compliance: The DPA is designed to meet Article 28 GDPR requirements for agreements between data controllers and data processors.
Custom DPAs: For enterprise clients with specific requirements (e.g., additional annexes, custom security controls, bespoke terms), we can negotiate custom DPAs. Contact hello@leaf.cloud with your requirements.
Procurement: The DPA is often required for public sector and enterprise procurement processes. We can provide signed copies and compliance attestation letters as needed.
How does Leafcloud's disaggregated storage work?
Leafcloud uses disaggregated storage architecture: compute and storage are cryptographically separated for enhanced security.
The architecture:
- Core (centralized storage): All persistent data is stored at our secure Amsterdam datacenter (Tier III facility). This includes volumes, object storage, snapshots, and backups.
- Leaf sites (distributed compute): Virtual machines run at distributed locations across the Netherlands for heat reuse. These sites process workloads only - no persistent data is stored here.
How it works: When a virtual machine starts at a Leaf site, it connects to its storage volume located at Core over a private encrypted network connection. Only the data blocks needed for current processing are retrieved and kept in RAM at the compute node. When processing is complete, data is written back to Core storage and removed from the Leaf site.
Why this is secure: Even if a Leaf site server were physically compromised, no customer data could be extracted. Data exists at Leaf sites only transiently in RAM during processing. Persistent storage remains at the secure Core facility.
Encryption: Data is encrypted in transit (TLS 1.3) between Leaf sites and Core, and encrypted at rest (AES-256) at Core storage. All volumes use Linux Unified Key Setup (LUKS) full disk encryption by default.
This architecture enables Leafcloud's heat-reuse model (compute servers in residential buildings) while maintaining enterprise-grade data security.
Is Leafcloud GDPR compliant?
Yes. Leafcloud is GDPR compliant.
EU data residency: All Leafcloud servers are located in Amsterdam, Netherlands. Data never leaves the Netherlands unless you explicitly transfer it. This ensures GDPR compliance by default.
Data Processing Agreement (DPA): Leafcloud provides a standard Data Processing Agreement that outlines our commitment to data protection and GDPR compliance. The DPA is available for download at https://leaf.cloud/security or upon request.
What the DPA covers:
- How we process and protect your data
- Data location and residency guarantees
- Sub-processor disclosure
- Your rights as data controller
- Our obligations as data processor
- Security measures and incident notification
- Data subject access request procedures
No third-country transfers: Leafcloud does not transfer data to countries outside the EU/EEA. We are not subject to US jurisdiction (no US CLOUD Act exposure).
Compliance documentation: For procurement processes requiring GDPR compliance verification, we can provide:
- Signed Data Processing Agreement
- Data residency attestation
- ISO 27001 and SOC2 certificates (which include data protection controls)
- Jurisdiction verification letter
For procurement support or to request a custom DPA, contact hello@leaf.cloud.
Is Leafcloud NIS2 compliant?
Leafcloud's infrastructure is designed to align with NIS2 directive requirements.
What is NIS2? The NIS2 Directive (Network and Information Security Directive 2) is EU legislation that sets cybersecurity requirements for operators of essential services and digital infrastructure providers. It applies to sectors including energy, transport, healthcare, financial services, and digital infrastructure.
NIS2 requirements: Organizations subject to NIS2 must:
- Implement appropriate security measures (risk assessment, incident handling, business continuity, supply chain security, encryption)
- Report significant incidents to authorities within 24-72 hours
- Ensure supply chain security (including cloud providers)
- Maintain governance and accountability
Leafcloud's alignment:
- Security controls: ISO 27001 and SOC2 Type II certified infrastructure meets many NIS2 security requirements
- Incident response: Established incident notification and response procedures
- EU sovereignty: No US CLOUD Act exposure reduces supply chain security risk
- Encryption: AES-256 at rest, TLS 1.3 in transit
- GDPR compliance: NIS2 includes GDPR alignment requirements
- Governance: Regular third-party audits and compliance reviews
For regulated entities: If your organization is subject to NIS2 and requires cloud infrastructure that meets the directive's requirements, Leafcloud can provide:
- Security control documentation
- Incident response procedures
- Compliance attestation letters
- Supply chain security verification
Contact hello@leaf.cloud for NIS2 compliance documentation for procurement.
Is Leafcloud subject to the US CLOUD Act?
No. Leafcloud is not subject to the US CLOUD Act.
Leafcloud is a Dutch company with no parent company outside the European Union. We are not subject to the US CLOUD Act, FISA (Foreign Intelligence Surveillance Act), or any other non-EU data access laws.
Why this matters: The US CLOUD Act allows US government agencies to compel US-based companies (and their subsidiaries) to provide data stored anywhere in the world, even if that data is stored in the EU. This applies to US hyperscalers like AWS, Microsoft Azure, and Google Cloud, even when they operate "EU regions" with servers physically located in Europe.
Leafcloud's jurisdiction: Dutch law applies. Your data cannot be compelled by US government requests. If a Dutch court orders data access, we will notify you whenever legally permitted. Dutch law may prohibit disclosure in certain ongoing criminal investigations, though such restrictions are more limited than US gag orders.
This makes Leafcloud true EU-sovereign cloud infrastructure, distinct from hyperscaler "EU regions" which remain subject to US jurisdiction despite server location.
For sovereignty verification documentation for procurement, contact hello@leaf.cloud.
What is the difference between Leafcloud and hyperscaler EU regions?
Leafcloud is EU-sovereign cloud infrastructure. Hyperscaler "EU regions" are physically located in the EU but remain subject to US jurisdiction.
The key difference: Legal jurisdiction
Hyperscaler EU regions (AWS Frankfurt, Azure Netherlands, Google Cloud Belgium):
- Servers physically located in Europe ✓
- Data stored in Europe ✓
- Subject to US CLOUD Act ✗ (parent companies are US-based)
- Subject to FISA and US government data requests ✗
- Can be compelled to provide EU-stored data to US authorities ✗
Leafcloud:
- Servers physically located in the Netherlands (Amsterdam) ✓
- Data stored in the Netherlands ✓
- Dutch-owned company, no US parent ✓
- Not subject to US CLOUD Act or FISA ✓
- Data cannot be compelled by non-EU government requests ✓
Why this matters:
Under the US CLOUD Act, US government agencies can compel US-based companies (including AWS, Microsoft, Google) to provide data stored anywhere in the world, even data stored in "EU regions". This creates a conflict with GDPR and EU data sovereignty requirements.
EU-sovereign infrastructure means:
- European ownership
- European operations
- European legal jurisdiction
- No exposure to non-EU data access laws
When you need EU sovereignty:
- Dutch public sector (HAVEN+ requirements)
- Regulated industries (healthcare, finance) with NIS2/DORA obligations
- Companies subject to CSRD sustainability reporting
- Organizations with strict data residency requirements
- AI workloads with sensitive training data or model weights
Leafcloud provides true EU sovereignty, not just "EU region" hosting.
What certifications does Leafcloud hold?
Leafcloud holds ISO 27001 and SOC2 Type II certifications.
ISO 27001 is an internationally recognized information security management system (ISMS) standard. Leafcloud's ISO 27001 certification demonstrates that our infrastructure, processes, and controls meet rigorous security requirements. The certificate is available upon request for procurement processes.
SOC2 Type II is an independent audit of security, availability, and confidentiality controls. This audit verifies that Leafcloud's systems operate effectively over time, not just at a point in time. The audit report is available for enterprise clients and compliance reviews.
Both certifications are maintained through annual audits by independent third-party auditors. We also maintain GDPR compliance, and HAVEN+ certification is currently in progress.
For procurement documentation, contact hello@leaf.cloud to request certificates and audit reports.
What encryption does Leafcloud use?
Leafcloud uses industry-standard encryption for data at rest, in transit, and during processing.
Encryption at rest (storage):
- AES-256: All volumes are encrypted using AES-256 encryption
- LUKS: Linux Unified Key Setup (LUKS) full disk encryption is used by default for all volumes
- Key management: Encryption keys are managed through industry-standard key management systems
Encryption in transit (network):
- TLS 1.3: All data transferred between Leaf sites and Core storage uses TLS 1.3 encryption
- Private networks: Communication over private dark-fiber connections between Leaf sites and Core
- VPN support: Optional VPN access for customer networks
How LUKS works: With LUKS encryption, data is only decrypted and encrypted on your VM instance. This means no data traverses the network unencrypted between your VM and storage. Even Leafcloud staff cannot access the decrypted data on your volumes.
During processing: Data in RAM at compute nodes is only temporarily decrypted for processing. When processing completes, data is re-encrypted before being written back to storage.
Customer-managed encryption: For additional security, you can implement your own application-level encryption on top of Leafcloud's infrastructure encryption. This gives you full control of encryption keys.
All encryption implementations meet ISO 27001 and SOC2 requirements and are regularly audited.
What is HAVEN+ certification and when will Leafcloud have it?
HAVEN+ is the Dutch government's security baseline for cloud services. Leafcloud's HAVEN+ certification is currently in progress.
What is HAVEN+? HAVEN+ (Baseline Informatiebeveiliging Overheid) is the security standard required for cloud service providers supplying the Dutch public sector. It is based on the BIO (Baseline Informatiebeveiliging Overheid) framework and covers security controls, data handling, audit requirements, and incident response.
Who requires HAVEN+? Dutch municipalities, ministries, water boards, semi-public sector organizations, and government contractors often require HAVEN+ certification in their procurement criteria.
Leafcloud's status: HAVEN+ certification is in progress. Our infrastructure is designed to meet all HAVEN+ requirements. We will update this page immediately when certification is achieved.
What this means for you: Even before formal certification, Leafcloud's infrastructure meets the technical and organizational controls specified in HAVEN+. We can provide compliance documentation and control attestations for procurement processes.
Beyond HAVEN+: HAVEN+ is aligned with ISO 27001 (which Leafcloud already holds), NIS2 directive requirements, and GDPR. It also addresses EU data sovereignty - a key differentiator from US hyperscalers.
For HAVEN+ compliance documentation or procurement support, contact hello@leaf.cloud.
What is the US CLOUD Act?
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a 2018 US federal law that allows US law enforcement and intelligence agencies to compel US-based technology companies to provide data stored anywhere in the world, regardless of where that data is physically located.
Key provisions:
- US government agencies can request data from US companies without requiring foreign court approval
- Applies to all data controlled by US companies, even if stored on EU servers
- Companies can be compelled to provide data without notifying the customer
- Requests can be accompanied by gag orders preventing disclosure
Impact on cloud providers:
- US hyperscalers (AWS, Microsoft Azure, Google Cloud): Subject to CLOUD Act, even for their EU regions (Frankfurt, Netherlands, Belgium)
- EU-sovereign providers (Leafcloud): Not subject to CLOUD Act because they are EU-owned with no US parent company
Why this matters for EU customers: The CLOUD Act creates a conflict with GDPR and EU data sovereignty requirements. Under GDPR Article 48, data transfers to non-EU authorities require proper legal basis (MLAT treaty or EU approval). The CLOUD Act bypasses these protections.
Compliance requirements affected:
- NIS2 Directive (critical infrastructure cybersecurity)
- DORA (Digital Operational Resilience Act for financial services)
- CSRD (Corporate Sustainability Reporting Directive)
- HAVEN+ (Dutch public sector cloud requirements)
For true EU sovereignty, choose EU-owned cloud infrastructure not subject to US jurisdiction.
Where is Leafcloud data physically stored?
All Leafcloud data is physically stored in Amsterdam, Netherlands.
Storage location: Your persistent data (volumes, object storage, snapshots, backups) is stored at Leafcloud's Core facility in Amsterdam. This is a Tier III datacenter with 24/7 monitoring, redundant systems, and physical security.
Compute locations: Virtual machines may run at distributed Leaf sites across the Netherlands, but no persistent data is stored at these locations. Leaf sites process workloads only.
Data movement: Data never leaves the Netherlands unless you explicitly transfer it. All backups, replicas, and disaster recovery systems remain within Dutch jurisdiction.
Disaggregated architecture: Leafcloud uses cryptographic separation between compute and storage. Data is retrieved from Core storage only when needed for processing, kept in RAM at the compute node, then discarded. This means even if a Leaf site server were physically compromised, no customer data could be extracted.
For data residency verification documentation for procurement, contact hello@leaf.cloud.