Own Data Centres · European jurisdiction

No CLOUD Act.
No exceptions.

We operate our own infrastructure across four EU regions — on hardware we own, with personnel under European employment, governed by European law. Customer data never touches AWS, Azure or GCP. That's not a marketing claim. It's an engineering decision with operational consequences.

4 EU regions: Production sites in operation
100%: EU jurisdiction, no exceptions
Own hardware: Owned, not rented
EU personnel: Operated by European staff only

Why this matters

Most cybersecurity companies
are not actually sovereign.

Marketing pages claim "European data residency" everywhere. Look at where the infrastructure actually runs and you'll find the same three or four hyperscalers underneath, no matter what the website says.

Common practice

"European" hosted on US infrastructure

A European-headquartered cybersecurity vendor running on AWS Frankfurt is still subject to the US CLOUD Act. Amazon, Microsoft, and Google must comply with US legal process — including subpoenas and gag orders that prevent them from telling the customer.

The data may be stored in Frankfurt. The legal jurisdiction over it is American. Those are different things.

identiqa approach

Sovereignty as engineering, not marketing

We made the harder choice: own physical infrastructure in EU colocation facilities, owned by European entities, operated by European staff under European employment law, contracts governed exclusively by EU jurisdiction.

When US authorities ask AWS for European customer data, AWS has to respond. When they ask us, we have nothing to hand over — because we're not under their jurisdiction.

Where we operate

Four EU regions.
All under our control.

Production sites operating today. Each region has its own network capacity, power and cooling redundancy, and legal entity under local jurisdiction.

DE
Germany
Frankfurt am Main

Our primary German site — direct peering at DE-CIX (the world's largest internet exchange). Optimal for DACH customers requiring German jurisdiction and shortest network paths to German enterprise networks.

Tier: Primary
Peering: DE-CIX
Operator: EU Ops Ltd. (IE)
Jurisdiction: DE / EU

IE
Ireland
Dublin

Our headquarters jurisdiction. Direct peering at INEX. Optimal for customers requiring common-law contracts in English, Irish corporate jurisdiction, and direct network paths to Ireland's significant tech and financial sectors.

Tier: Primary
Peering: INEX
Operator: EU Ops Ltd. (IE)
Jurisdiction: IE / EU

PT
Portugal
Lisbon

Atlantic-facing capacity for Iberian customers and southern European routing. Strong submarine cable connectivity to Latin America makes this the optimal site for customers with cross-Atlantic requirements that must stay outside US jurisdiction.

Tier: Active
Peering: GigaPIX
Operator: EU Ops Ltd. (IE)
Jurisdiction: PT / EU

CY
Cyprus
Nicosia

Eastern Mediterranean site for customers in southeastern Europe and the Middle East periphery. Houses our Identiqa IP entity. Sub-millisecond connectivity to regional financial hubs and submarine cable access toward MEA markets.

Tier: Active
Peering: CYIX
Operator: IP Ltd. (CY)
Jurisdiction: CY / EU

Operating principles

Five rules we don't break.

These are the constraints we run our infrastructure under. They aren't aspirations or roadmap items — they're operational rules with no exceptions.

01

No US-jurisdiction infrastructure dependencies.

Not for inference. Not for storage. Not for backups. Not for monitoring. Not for "non-sensitive" workloads. Every system that touches customer data runs on hardware we own in EU colocation facilities — never AWS, Azure, GCP, Oracle Cloud, or any other US-headquartered hyperscaler.

02

Only EU personnel have production access.

Engineers, SRE staff, and security operators with production access are employed by EU entities under EU employment law, are EU residents, and are background-checked. Non-EU contractors may contribute to development environments — never to production systems holding customer data.

03

Single-tenant available for sovereignty-critical customers.

Standard deployments are multi-tenant on shared infrastructure. For financial institutions, government bodies, KRITIS operators, and similar customers, dedicated single-tenant clusters are available — your infrastructure, your hardware, isolated network paths, documented separately for compliance evidence.

04

Audit trails for every operational action.

Every administrative action — data access, configuration change, deployment, incident response — is logged immutably with operator identity, timestamp, action, and justification. Customers can request audit reports specific to their tenant, either on demand or as a scheduled monthly delivery to their compliance teams.

05

Region locking is enforceable, not just promised.

For customers with hard data-residency requirements, traffic and storage can be locked to a specific region or even a single facility — enforced at the network and storage layers, not just at the application layer. Documented configuration is provided as compliance evidence, not as a marketing claim.

Frameworks & standards

Aligned with what your regulator asks for.

Our infrastructure setup is designed to provide direct compliance evidence for the frameworks your auditors and regulators reference.

NIS2
EU Directive

Directly supports the cyber hygiene, supply-chain security, and incident reporting requirements for essential and important entities under NIS2.

DORA
EU Financial

Operational resilience and ICT third-party risk management requirements for EU financial services. Our sovereign infrastructure simplifies third-party risk assessment significantly.

GDPR
EU Data Protection

Data residency, controller/processor obligations, and Article 28 processing agreements all supported with EU-only data flows and EU-jurisdiction contracts.

ISO 27001
International

Information security management system aligned with ISO 27001 controls. Audit reports available under NDA for customer compliance reviews.

BSI C5
Germany

German Federal Office for Information Security cloud computing compliance criteria — directly relevant for German federal and state government customers.

EU Cloud CoC
European Commission

European Code of Conduct for Cloud Service Providers supporting GDPR Article 40 compliance attestations for cloud services in the EU.

SOC 2 Type II
USA

Service organization controls audit covering security, availability, confidentiality, and privacy — useful for US-headquartered customers operating in the EU.

NESA
UAE

National Electronic Security Authority Information Assurance Standards — relevant for our planned UAE expansion and Gulf-region customer engagements.

For procurement & compliance

Questions compliance teams ask.

Does the US CLOUD Act apply to identiqa?
No. The CLOUD Act applies to "covered providers" subject to US jurisdiction — typically US-headquartered companies or those with substantial US operations. identiqa is structured as European entities (Ireland holding, country-specific operating entities) with no US legal presence that would make us a covered provider. We have no US subsidiary, no US data centres, no US employees with operational access to production systems. US authorities have no legal basis to compel disclosure of customer data to identiqa, full stop.
What about your suppliers — do they introduce US jurisdiction?
We assess every supplier in the data path for jurisdictional exposure. Hardware vendors (servers, networking) are mostly global, but they don't hold customer data — they sell us equipment and their jurisdiction is irrelevant after delivery. Software dependencies are reviewed; where critical components have US jurisdictional ties (e.g., support contracts), we either replace them, run them air-gapped from production data flows, or ensure they have no operational access to customer data. This review is documented and updated quarterly.
Can you prove to my auditor that data really stays in the EU?
Yes. We provide auditors with: network architecture diagrams showing data flow paths, tenant isolation documentation, region-locking configuration evidence, employee access records (for your tenant only), and infrastructure inventories with physical location and operator entity. For ISO 27001 / SOC 2 / DORA audits, we provide control evidence packages directly. Customers can also request annual third-party audit attestations as part of their compliance program.
What if I need data residency in a specific country, not just EU?
Single-country residency is available for all four production regions today (DE, IE, PT, CY). For other EU member states with specific regulatory requirements, we can deploy customer-specific single-tenant infrastructure at an additional regional facility — typical setup time is 8-12 weeks including jurisdictional review and contract structuring. This is most common for German federal, state, and KRITIS customers requiring strict in-country residency.
How do you handle backups and disaster recovery without leaving the EU?
Backups stay in EU regions. Standard deployments use cross-region backup between two of our four EU sites — chosen to maximize geographic separation while remaining within EU jurisdiction. Customers requiring single-country deployments get backup configurations within that country (e.g., DE primary + DE secondary). We don't use third-party backup services like S3 Glacier or Azure Backup — backups run on our own storage in our own facilities.
What about the Data Privacy Framework — wouldn't that solve the CLOUD Act issue?
The EU-US Data Privacy Framework (the successor to Privacy Shield, which in turn replaced Safe Harbor) addresses GDPR adequacy for US data transfers — but it doesn't address CLOUD Act applicability. Schrems II made clear that even with adequacy frameworks, US surveillance laws applying to "covered providers" remain a structural concern. Our approach sidesteps this entirely: by not being a covered provider and not transferring data to the US, the question of whether DPF is "good enough" doesn't arise.
What happens if you go bankrupt or get acquired?
Customer contracts include data portability provisions and continuation clauses. In the event of acquisition by a US-headquartered entity (which we have no current plans for and would avoid for the sovereignty story), customers have contractually guaranteed exit rights and a minimum notice period to migrate data. Insolvency scenarios trigger pre-arranged data portability procedures. These provisions are documented in the master service agreement and reviewed in procurement processes.

Need to walk this through with your auditor?

Our compliance and infrastructure teams run technical deep-dives covering data flow architecture, jurisdictional analysis, single-tenant deployment options, and direct evidence for your specific regulatory framework. Typically 60-90 minutes, NDA, no marketing.