ENCRYPTION CONTROL

Sovereign by architecture, not by certificate.

You host it. You hold the keys. No US-jurisdictional provider can be compelled to hand over what they don't have.

Every hyperscaler markets sovereignty. None can guarantee your data stays out of US court orders. Rediacc does.

Inspecting key custody chain for all repositories...
KEY ID             CUSTODY    HSM         ESCROWED   JURISDICTION
prod-main-v3       customer   YubiHSM 2   NO         customer-premises
prod-db-v2         customer   YubiHSM 2   NO         customer-premises
staging-main-v1    customer   software    NO         customer-premises
backup-archive-v4  customer   YubiHSM 2   NO         customer-premises

Illustrative output; actual runs may include extra logs.

0 keys escrowed to any provider
100% customer key custody
EU-only operator jurisdiction
THE PROBLEM

Your cloud provider can hand over your data. You just won't be told.

US-jurisdictional cloud providers are legally required to comply with CLOUD Act orders, even for data stored in EU datacentres. Contractual commitments cannot override US statute. The question is not whether your provider would. It is whether they legally could.

"No, I cannot guarantee." Microsoft France's Director of Public and Legal Affairs, under oath before the French Senate on 18 June 2025, when asked whether French citizen data in EU Microsoft datacentres would be protected from US authorities. [1]
€12.6B: EU sovereign cloud IaaS spending in 2026, rising to €23.1B in 2027. The market has decided sovereignty is not optional. (Gartner, February 2026 [2])
0 US prime contractors: Cloud III, the European Commission's €180M sovereign cloud tender, was awarded to four EU consortia. Zero US-headquartered prime contractors. (European Commission, 17 April 2026 [3])
THE OLD WAY
Day 1: Sign contract with US-jurisdictional cloud provider
Month 1: DPO flags GDPR transfer risk; TIA required
Month 3: Legal reviews CLOUD Act exposure; no guarantee possible
Month 6: Regulator audit; data residency confirmed, sovereignty not
Result: Residency, not sovereignty. Compliance gap remains.
WITH REDIACC
Host on your infrastructure
Hold your own keys
CLOUD Act cannot reach you
THE REAL COST

What does US-jurisdictional exposure cost you?

Drag the sliders to match your environment. See the real cost of sovereignty gaps.

Sovereignty exposure calculator

US-JURISDICTIONAL
GDPR transfer-risk exposure: €5,000
Data Act 2027 exit penalty risk: €50,000
DORA Article 12 testing cost: €8,000
Annual sovereignty exposure: €63,000

WITH REDIACC
GDPR transfer-risk exposure: €0
Data Act 2027 exit penalty risk: €0
DORA Article 12 testing cost: €800
Annual sovereignty exposure: €800
Transfer risk: records × €0.04 × 10% probability of regulatory scrutiny. Exit penalty: 10% of hyperscaler spend as estimated switching-cost ceiling per Data Act Article 25 (zero-charge deadline 12 January 2027). DORA testing: hours × €200/hr engineer cost. With Rediacc: self-hosted eliminates transfer risk; open format eliminates exit penalty; constant-time fork reduces DORA recovery testing to minutes regardless of repo size.
HOW IT WORKS

Three steps. One sovereign stack.

1

Host

Deploy on your own hardware, your EU IaaS provider, or any combination. Rediacc OE is incorporated in Estonia; no US parent, no US control plane, no CLOUD Act surface.

2

Hold keys

Encryption keys never leave your custody. Key derivation is client-side. Rediacc never sees plaintext. The custody chain is auditable per key via CLI.

3

Prove it

Generate a signed key-custody report with one command. Aligns with SecNumCloud 3.2, BSI C5:2026, ANSSI-BSI joint declaration, and EDPB Recommendations 01/2020 Use Case 2.

Migration diagram: US hyperscaler (CLOUD Act exposed): S3 bucket US-controlled, KMS key vendor-held, IAM policy US-governed, audit log US-accessible. Migrate via open format to your sovereign stack (EU jurisdiction): storage customer-owned, keys in customer HSM, policy EU-governed, audit chain SHA-256 signed.
UNDER THE HOOD

Why data residency is not data sovereignty

A US-jurisdictional provider can store your data in Frankfurt and still be compelled by US courts to disclose it. Rediacc's architecture removes the compulsion vector entirely: there are no keys to hand over, and no call-home channel to intercept.

Hyperscaler: Provider subject to US jurisdiction regardless of where ciphertext sits.
Rediacc: Operator incorporated in Estonia; no US parent, no CLOUD Act compulsion surface.

Hyperscaler: Vendor-managed KMS; provider can materialise plaintext on legal demand.
Rediacc: Client-side key derivation; vendor never holds keys, so compulsion is technically futile.

Hyperscaler: Cross-border data requests logged by vendor, not visible to customer.
Rediacc: SHA-256 signed audit chain; every key access and request logged, customer-readable.

Hyperscaler: Proprietary backup format; exit requires vendor-tooled migration.
Rediacc: Open format (btrfs send, tar); exit equals a working replica, Data Act compliant.

Hyperscaler: DORA recovery testing scales with data volume; multi-day for large repos.
Rediacc: Constant-time fork via btrfs reflink; 100 GB and 100 TB fork in the same seconds.
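As an added illustration (not Rediacc's code; the product's actual derivation and signing scheme is not shown on this page), the Python below models the two properties the comparison above and the custody table earlier rest on: per-repository keys derived on the customer side from a master secret the operator never sees, and a SHA-256 hash-chained audit log whose entries carry a tag under a customer-held audit key, so the customer can verify the chain and detect an edited or dropped entry. All function names and sample secrets are constructed; an HMAC-SHA256 tag stands in for whatever signature scheme the product uses.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-hash of the first entry

def derive_repo_key(master_secret: bytes, key_id: str) -> bytes:
    # Client-side: per-repo key = HMAC-SHA256(master, key_id); the operator only sees key_id.
    return hmac.new(master_secret, b"repo-key:" + key_id.encode(), hashlib.sha256).digest()

def append_event(chain: list, audit_key: bytes, event: dict) -> None:
    # Each entry hashes its predecessor and carries an HMAC tag under the customer-held audit key.
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    body = json.dumps({"prev": prev, "event": event}, sort_keys=True).encode()
    entry_hash = hashlib.sha256(body).hexdigest()
    tag = hmac.new(audit_key, entry_hash.encode(), hashlib.sha256).hexdigest()
    chain.append({"prev": prev, "event": event, "entry_hash": entry_hash, "tag": tag})

def verify_chain(chain: list, audit_key: bytes) -> bool:
    # Customer-side check: recompute every hash and tag; an edited or removed middle entry fails.
    prev = GENESIS
    for entry in chain:
        body = json.dumps({"prev": prev, "event": entry["event"]}, sort_keys=True).encode()
        expected_hash = hashlib.sha256(body).hexdigest()
        expected_tag = hmac.new(audit_key, expected_hash.encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or entry["entry_hash"] != expected_hash:
            return False
        if not hmac.compare_digest(expected_tag, entry["tag"]):
            return False
        prev = entry["entry_hash"]
    return True

MASTER_SECRET = b"constructed-customer-master-secret"  # constructed sample secrets
AUDIT_KEY = b"constructed-customer-audit-key"

def build_demo_chain() -> list:
    chain = []  # key ids mirror the illustrative custody table above
    for key_id, action in [("prod-main-v3", "derive"), ("prod-main-v3", "snapshot"),
                           ("prod-db-v2", "disclosure-request")]:
        append_event(chain, AUDIT_KEY, {"key_id": key_id, "action": action, "custody": "customer"})
    return chain

def tampered_chain() -> list:
    chain = build_demo_chain()
    chain[1]["event"]["custody"] = "vendor"  # rewrite history: stored hash no longer matches
    return chain

def truncated_chain() -> list:
    # Dropping the tail leaves a valid prefix: also pin the head hash from the last signed report.
    return build_demo_chain()[:-1]
```

A chain that has merely been cut short still verifies, so a customer-side check should also compare the current head hash against the one recorded in the last signed custody report.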
WHY IT MATTERS

What you get

CLOUD Act immunity by construction

No US-jurisdictional parent. No vendor key escrow. The architecture is the defence. The Carniaux Senate testimony (18 June 2025) closed any remaining argument that contracts substitute for jurisdictional immunity.

EU Data Act 2027 ready

Open data format and zero switching charges by construction. Every backup is a portable, working replica. Full compliance with Data Act Articles 23-31 before the 12 January 2027 zero-switching-charge deadline.

SecNumCloud and C5:2026 aligned

Four-pillar posture matches the ANSSI-BSI joint declaration of 17 November 2025: strict data localisation, exclusive EU law application, absence of extra-European access, and business continuity without non-EU dependencies.

THE GAP

Sovereignty compared

Most vendors offer data residency. None can offer what Rediacc delivers by architecture: customer key custody, EU-only operator, and CLOUD Act immunity.

Capability | Veeam | Rubrik | AWS Sovereign | Microsoft Bleu | Keepit | Rediacc
CLOUD Act immunity (no US-jurisdictional parent) [4] [4] [4]
Customer holds keys (technical unintelligibility) [5] [5]
EU-only operator (no US parent company) [4] [4] [4] [6]
SecNumCloud / C5:2026 attestation path [7]
Open exit format (Data Act Art. 30) [8] [8] [8] [8]
Self-hosted on customer infrastructure [9]
EU data residency by default [10] [13]
After the Carniaux Senate testimony in June 2025, our SecNumCloud audit committee asked one question: can you prove your backup provider cannot be compelled to disclose patient data to US authorities? With Microsoft Azure Backup, we could not answer that. With Rediacc, the answer is architectural: the keys never leave our HSM, the operator has no US parent, and we can generate a signed custody report in thirty seconds. That is the only answer that satisfies ANSSI.
Microsoft Azure Backup replaced · Key custody: vendor to customer · ANSSI audit: passed

Stop renting your data back from a US-jurisdictional provider.

Start with the free Community edition. Run your first key-custody audit in under a minute.

$ rdc audit log --limit 50

Self-host any workload, hold every key
Databases, mail servers, CI/CD, ERP, CMS, and AI model stores: every workload sovereign, every key yours.
Sources & References
  1. Microsoft France Director of Public and Legal Affairs Anton Carniaux, French Senate inquiry on public procurement and digital sovereignty, 18 June 2025: "No, I cannot guarantee that, but, again, it has never happened before." Reported by The Register, 25 July 2025. www.theregister.com
  2. Gartner, February 2026: European sovereign cloud IaaS spending forecast at $12.6B in 2026 and $23.1B in 2027, surpassing North America by 2027. www.gartner.com
  3. European Commission, "Commission Advances Cloud Sovereignty Through Strategic Procurement," 17 April 2026. Cloud III €180M tender awarded to Post Telecom + OVHcloud + CleverCloud, STACKIT, Scaleway, and Proximus + S3NS + Clarence + Mistral AI. Zero US-headquartered primary contractors. commission.europa.eu
  4. CLOUD Act (Clarifying Lawful Overseas Use of Data Act), 18 U.S.C. 2713, 2018. Authorises US authorities to compel US-jurisdictional providers to disclose customer data stored anywhere in the world. www.justice.gov
  5. EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, June 2021. Use Case 2: encryption as supplementary measure requires customer-exclusive key custody and technical unintelligibility at the importer. www.edpb.europa.eu
  6. Keepit A/S, Copenhagen. SaaS-only backup for Microsoft 365, Salesforce, and Google Workspace. EU-incorporated, no US parent. Does not back up self-hosted or on-prem workloads. keepit.com
  7. ANSSI SecNumCloud 3.2 qualification requirements. Providers must be majority EU-owned, EU-headquartered, and immune to extraterritorial law. Non-EU shareholders capped at 25% individually and 39% collectively. AWS Sovereign Cloud and Microsoft Bleu do not qualify. www.ssi.gouv.fr
  8. EU Data Act (Regulation (EU) 2023/2854), Articles 23-31. Operative since 12 September 2025. Full prohibition on switching charges from 12 January 2027. Providers must ensure functional equivalence after switching. eur-lex.europa.eu
  9. Veeam Backup and Replication supports on-premises self-hosted deployment. Veeam does not hold direct sovereignty certifications; EU sovereignty story depends on partner IaaS (notably OVHcloud). helpcenter.veeam.com
  10. AWS European Sovereign Cloud, GA 15 January 2026. Operates under four German GmbHs. US-headquartered parent (Amazon.com Inc.) remains subject to CLOUD Act. aws.amazon.com
  11. ANSSI-BSI joint statement on cloud sovereignty criteria, 17 November 2025. Four disqualifying criteria: strict data and support localisation, exclusive application of European law, absence of unauthorised access by extra-European third parties, and capacity to maintain business continuity without non-EU technologies. www.bsi.bund.de
  12. European Supervisory Authorities, "Designation of Critical ICT Third-Party Providers under DORA," 18 November 2025. First 19 CTPPs designated include AWS, Microsoft Azure, Google Cloud, IBM, Oracle, SAP, Salesforce. www.eiopa.europa.eu
  13. Keepit data residency policy: customer data stored exclusively in EU datacentres (Frankfurt, Amsterdam, Copenhagen). SaaS-only model with EU-only operator and EU-only storage. www.keepit.com
Calculator estimates use industry-standard cost models; actual exposure varies by jurisdiction, contract structure, and breach scenario.