ENCRYPTION CONTROL

Sovereign by design, not by certificate.

You run it on your servers. You hold the only keys. A US-owned provider can't hand over data it never had.

Every big cloud sells "sovereignty." None can keep your data out of US court orders. We can.

Inspecting key custody chain for all repositories...
KEY ID             CUSTODY   HSM        ESCROWED  JURISDICTION
prod-main-v3       customer  YubiHSM 2  NO        customer-premises
prod-db-v2         customer  YubiHSM 2  NO        customer-premises
staging-main-v1    customer  software   NO        customer-premises
backup-archive-v4  customer  YubiHSM 2  NO        customer-premises

Illustrative output; actual runs may include extra logs.

Keys escrowed to any provider: 0
Customer key custody: 100%
Operator jurisdiction: EU-only

THE PROBLEM

Your cloud provider can hand over your data. You just won't be told.

Here's the part nobody likes to say out loud. A US-owned cloud must obey US court orders, even for data kept in Europe. That is the CLOUD Act. A contract can't beat a law. So the real question isn't whether your provider would hand your data over. It's whether they can be forced to. They can.

"No, I cannot guarantee"
Microsoft France's top legal director, under oath, on whether French data in EU Microsoft datacenters is safe from US authorities. French Senate, 18 June 2025 [1]

€12.6B
EU sovereign cloud spending in 2026, rising to €23.1B in 2027. The market has decided sovereignty is not optional. Gartner, February 2026 [2]

0 US primaries
Cloud III: the European Commission's €180M sovereign cloud contract went to four EU groups. Zero US-headquartered lead contractors. European Commission, 17 April 2026 [3]

THE OLD WAY
Day 1: Sign a contract with a US-owned cloud provider.
Month 1: Your data protection officer flags a GDPR transfer risk.
Month 3: Legal checks your CLOUD Act exposure. No guarantee is possible.
Month 6: Regulator audit. Data residency confirmed. Sovereignty is not.
Result: Residency, not sovereignty. Compliance gap remains.
WITH REDIACC
Host it on your own servers
Hold your own keys
CLOUD Act cannot reach you
THE REAL COST

What does US-jurisdictional exposure cost you?

Sovereignty exposure calculator

US-JURISDICTIONAL
GDPR transfer-risk exposure: €5,000
Data Act 2027 exit penalty risk: €50,000
DORA Article 12 testing cost: €8,000
Annual sovereignty exposure: €63,000

WITH REDIACC
GDPR transfer-risk exposure: €0
Data Act 2027 exit penalty risk: €0
DORA Article 12 testing cost: €800
Annual sovereignty exposure: €800

Transfer risk: records × €0.04 × 10% probability of regulatory scrutiny. Exit penalty: 10% of hyperscaler spend as estimated switching-cost ceiling per Data Act Article 25 (zero-charge deadline 12 January 2027). DORA testing: hours × €200/hr engineer cost. With Rediacc: self-hosted eliminates transfer risk; open format eliminates exit penalty; constant-time fork reduces DORA recovery testing to minutes regardless of repo size.
HOW IT WORKS

Three steps. One sovereign stack.

1. Host

Run it on your own servers, an EU cloud, or both. Rediacc is an Estonian company. No US parent. No US control panel. Nothing for a US court order to reach.

2. Hold keys

Your keys never leave your hands. They are made on your side, not ours. We never see your data unscrambled. You can check who holds each key with one command.

3. Prove it

Run one command. You get a signed report on who holds every key. It satisfies the main EU rules: SecNumCloud 3.2, BSI C5:2026, the ANSSI-BSI joint declaration, and EDPB Recommendations 01/2020 Use Case 2.

US Hyperscaler (CLOUD Act exposed)
S3 Bucket: US-controlled
KMS Key: vendor-held
IAM Policy: US-governed
Audit Log: US-accessible

Migrate (open format)

Your Sovereign Stack (EU jurisdiction)
Your Storage: Customer-owned
Your Keys: Customer HSM
Your Policy: EU-governed
Audit Chain: SHA-256 signed

UNDER THE HOOD

Why data residency is not data sovereignty

A US-owned provider can keep your data in Frankfurt and still be forced by US courts to give it up. Our setup removes that risk at the root. There are no keys for us to hand over. There is no phone-home channel to tap.

US hyperscaler: Provider answers to US courts no matter where the data sits.
With Rediacc: Estonian operator. No US parent. Nothing for the CLOUD Act to reach.

US hyperscaler: Vendor holds the keys. It can unscramble your data on legal demand.
With Rediacc: Keys made on your side. The vendor never holds them, so there's nothing to seize.

US hyperscaler: Data requests logged by the vendor, hidden from you.
With Rediacc: SHA-256 signed audit log. Every key access is recorded and you can read it.

US hyperscaler: Locked backup format. Leaving means a vendor-run migration.
With Rediacc: Open format (btrfs send, tar). Your exit is just a working copy. Data Act compliant.

US hyperscaler: Recovery testing grows with data size. Days for large repos.
With Rediacc: Instant copy via btrfs. 100 GB and 100 TB copy in the same seconds.

WHY IT MATTERS

What you get

CLOUD Act immunity, built in

No US parent company. No keys parked with a vendor. The design itself is the defense. The Carniaux testimony to the French Senate (18 June 2025) ended the idea that a contract can replace real immunity.

EU Data Act 2027 ready

Open data format. No fees to leave, ever. Every backup is a working copy you can pick up and move. You meet Data Act Articles 23-31 well before the 12 January 2027 deadline that bans switching charges.

SecNumCloud and C5:2026 aligned

You match all four parts of the ANSSI-BSI joint declaration (17 November 2025). Your data stays in the EU. Only EU law applies. No outside power can reach it. And you keep running without any non-EU tools.

THE GAP

Sovereignty compared

Most vendors offer data residency. That just means where your data sits. None give you what we do by design: you hold the keys, an EU-only operator, and real CLOUD Act immunity.

Capability    Veeam    Rubrik    AWS Sovereign    Microsoft Bleu    Keepit    Rediacc
CLOUD Act immunity (no US parent company) [4] [4] [4]
You hold the keys (provider can't read your data) [5] [5]
EU-only operator (no US parent company) [4] [4] [4] [6]
SecNumCloud / C5:2026 certification path [7]
Open exit format (Data Act Art. 30) [8] [8] [8] [8]
Self-hosted on your own servers [9]
EU data residency by default [10] [13]
After the Carniaux Senate testimony in June 2025, our SecNumCloud audit committee asked one question: can you prove your backup provider cannot be compelled to disclose patient data to US authorities? With Microsoft Azure Backup, we could not answer that. With Rediacc, the answer is architectural: the keys never leave our HSM, the operator has no US parent, and we can generate a signed custody report in thirty seconds. That is the only answer that satisfies ANSSI.
Before: Transfer risk
After: CLOUD Act immune
Microsoft Azure Backup replaced · Key custody: vendor to customer · ANSSI audit: passed

Stop renting your own data back from a US-owned provider.

Start with the free Community edition. No credit card. Run your first key-custody check in under a minute.

$ rdc audit log --limit 50

Self-host any app, hold every key
Databases, mail servers, CI/CD, ERP, CMS, and AI model stores. Every app stays sovereign. Every key stays yours.
Sources & References
  1. Microsoft France Director of Public and Legal Affairs Anton Carniaux, French Senate inquiry on public procurement and digital sovereignty, 18 June 2025: "No, I cannot guarantee that, but, again, it has never happened before." Reported by The Register, 25 July 2025. www.theregister.com
  2. Gartner, February 2026: European sovereign cloud IaaS spending forecast at $12.6B in 2026 and $23.1B in 2027, surpassing North America by 2027. www.gartner.com
  3. European Commission, "Commission Advances Cloud Sovereignty Through Strategic Procurement," 17 April 2026. Cloud III €180M tender awarded to Post Telecom + OVHcloud + CleverCloud, STACKIT, Scaleway, and Proximus + S3NS + Clarence + Mistral AI. Zero US-headquartered primary contractors. commission.europa.eu
  4. CLOUD Act (Clarifying Lawful Overseas Use of Data Act), 18 U.S.C. 2713, 2018. Authorises US authorities to compel US-jurisdictional providers to disclose customer data stored anywhere in the world. www.justice.gov
  5. EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, June 2021. Use Case 2: encryption as supplementary measure requires customer-exclusive key custody and technical unintelligibility at the importer. www.edpb.europa.eu
  6. Keepit A/S, Copenhagen. SaaS-only backup for Microsoft 365, Salesforce, and Google Workspace. EU-incorporated, no US parent. Does not back up self-hosted or on-prem workloads. keepit.com
  7. ANSSI SecNumCloud 3.2 qualification requirements. Providers must be majority EU-owned, EU-headquartered, and immune to extraterritorial law. Non-EU shareholders capped at 25% individually and 39% collectively. AWS Sovereign Cloud and Microsoft Bleu do not qualify. www.ssi.gouv.fr
  8. EU Data Act (Regulation (EU) 2023/2854), Articles 23-31. Operative since 12 September 2025. Full prohibition on switching charges from 12 January 2027. Providers must ensure functional equivalence after switching. eur-lex.europa.eu
  9. Veeam Backup and Replication supports on-premises self-hosted deployment. Veeam does not hold direct sovereignty certifications; EU sovereignty story depends on partner IaaS (notably OVHcloud). helpcenter.veeam.com
  10. AWS European Sovereign Cloud, GA 15 January 2026. Operates under four German GmbHs. US-headquartered parent (Amazon.com Inc.) remains subject to CLOUD Act. aws.amazon.com
  11. ANSSI-BSI joint statement on cloud sovereignty criteria, 17 November 2025. Four disqualifying criteria: strict data and support localisation, exclusive application of European law, absence of unauthorised access by extra-European third parties, and capacity to maintain business continuity without non-EU technologies. www.bsi.bund.de
  12. European Supervisory Authorities, "Designation of Critical ICT Third-Party Providers under DORA," 18 November 2025. First 19 CTPPs designated include AWS, Microsoft Azure, Google Cloud, IBM, Oracle, SAP, Salesforce. www.eiopa.europa.eu
  13. Keepit data residency policy: customer data stored exclusively in EU datacentres (Frankfurt, Amsterdam, Copenhagen). SaaS-only model with EU-only operator and EU-only storage. www.keepit.com
Calculator estimates use industry-standard cost models; actual exposure varies by jurisdiction, contract structure, and breach scenario.