· 3 min read
The CLOUD Act and AI: why server location alone is not enough
Many US cloud providers advertise EU data centers. For AI projects handling sensitive company data, that falls short — what matters is whose law governs the provider.
When companies roll out AI today, the data protection officer usually asks one question first: where is our data processed? The standard answer from many vendors is: “in an EU data center.” That sounds reassuring — but it answers the wrong question.
What the CLOUD Act regulates
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a US federal law from 2018. Its core: US authorities can compel providers subject to US jurisdiction to hand over stored data — regardless of where in the world that data resides.
In practice this means: if a US cloud provider operates a data center in Frankfurt, the location changes nothing about the law’s reach. The disclosure obligation attaches to the company, not to the server location.
The tension with the GDPR
Article 48 of the GDPR states that disclosure orders from third countries are generally only recognized if based on international agreements (such as mutual legal assistance treaties). A US provider with an EU data center can therefore end up in a situation where US law demands disclosure and EU law prohibits it.
Even with the EU-US Data Privacy Framework, which governs commercial data transfers, this underlying conflict remains: it is a question of jurisdiction over the provider, not of storage location or a certificate. How individual cases play out is the subject of ongoing legal debate — for companies, a structural legal uncertainty remains that they cannot resolve themselves.
(Note: this article is not legal advice. For a binding assessment, talk to your data protection counsel.)
Why this weighs more heavily with AI
With classic SaaS tools, often only metadata or individual documents sit with the vendor. An AI work platform is different: prompts, internal documents, contracts, customer data and your accumulated company knowledge flow through the provider’s systems — precisely the data most worth protecting.
The deeper AI is integrated into daily work, the bigger the difference becomes between “data center in the EU” and “provider under EU law.”
What companies should look for
A short checklist for vendor selection:
- Provider jurisdiction: Is the operating company (and its parent) an EU entity — or subject to US law?
- Model hosting: Do the AI models themselves run in the EU with EU providers? Or do prompts go to US services via API?
- Subprocessors: Is the list complete, current and public? Do US services appear hidden in the data path?
- Co-determination: Can the provider demonstrate that managers and administrators have no access to employees’ content? (For works councils, often the decisive point.)
- Deletion concept: Is deletion a real hard delete — or a soft-delete graveyard?
- Exit capability: Is there a self-hosting option, or at least a complete data export?
How FutureWay AI solves this
We built FutureWay AI from the start so that this checklist stays short: the platform runs on European infrastructure, all AI models are hosted and operated in France, the subprocessor list is complete and public — 100% of AI processing in the EU. Administrators never see their members’ chat contents, deletion is an immediate hard delete, and on request you can run the entire platform self-hosted in your own infrastructure.
If you want to roll out AI without buying into the jurisdiction problem: try FutureWay AI free for 14 days — no credit card required.
