Atlan EU Alternative 2026: The Active Metadata Platform Under Dual Jurisdiction — The Singapore Paradox

Post #1280 in the sota.io EU Data Governance Series

"We're a Singapore company." It is Atlan's most direct response to EU data sovereignty questions — and it is one of the most structurally misleading answers in enterprise software. Atlan Pte. Ltd. is a Singapore entity. Atlan's board decisions, investor relationships, capital structure, and operating company are structured through Atlan Inc., a Delaware C-Corporation headquartered in San Francisco, California. The Singapore incorporation is real. The sovereignty protection it confers is not.

This is the Singapore Paradox: incorporating an operating entity in a jurisdiction with a privacy framework is not equivalent to achieving data sovereignty. Singapore's Personal Data Protection Act (PDPA) governs how Singapore entities handle personal data. The US CLOUD Act governs how US corporate entities respond to US government demands for data held by them or their affiliates — regardless of where that data physically resides, regardless of which subsidiary signed the customer contract.

When a US District Court issues a warrant under 18 U.S.C. § 2703 directed at Atlan Inc., Delaware, the Singapore Pte. Ltd. structure does not intercept it. Atlan's investors — Insight Partners (New York) and Sequoia Capital (Menlo Park, California) — do not provide Singapore PDPA cover. They provide US venture capital governance over a US-incorporated operating company.

The second dimension of the Atlan problem is categorical. Where Alation built a data intelligence platform that accumulated operational intelligence about your data estate, Atlan built an Active Metadata Platform that adds a layer of behavioural capture that conventional data catalogs do not approach. Every query your analysts run, every data asset they discuss in Atlan's embedded collaboration workspace, every natural language question they pose to Atlan AI — these interactions are logged, analysed, and stored in a US-incorporated platform that Insight Partners and Sequoia Capital control. For EU enterprises processing personal data under GDPR, this is not a metadata problem. It is a governance infrastructure problem.

Atlan Inc. — Corporate Anatomy of the Dual Structure

Atlan was founded in 2019 by Prukalpa Sankar and Varun Banka, both based in Singapore at founding. The company originated as a data collaboration startup before pivoting to the enterprise data catalog market in 2021 when it launched its Active Metadata Platform.

The corporate structure has two layers that matter for EU sovereignty analysis:

Layer 1 — Atlan Pte. Ltd. is a Singapore private limited company. It is the entity that customers in Asia-Pacific most often engage with for contracts and is the legal entity most prominently featured in Atlan's marketing around data sovereignty. Singapore's PDPA applies to this entity's handling of personal data within Singapore.

Layer 2 — Atlan Inc. is a Delaware C-Corporation, headquartered at 95 Third Street, 2nd Floor, San Francisco, California 94103. This is the operating company: the entity that holds the majority of Atlan's intellectual property, employs the US-based leadership team, manages investor relationships, and is the legal entity through which US venture capital rounds are structured. Atlan Inc. falls under CLOUD Act jurisdiction in its entirety.

The interplay between the two layers does not create a sovereignty firewall. US law does not permit a Delaware C-Corporation to defeat a lawfully issued US government demand for data by pointing to a Singapore subsidiary. The CLOUD Act explicitly addresses extraterritorial data: a US company must comply with a warrant "regardless of whether such communication, record, or other information is located within or outside of the United States." A Singapore Pte. Ltd. that operates as part of the same corporate enterprise as a US C-Corp does not create a different legal person for CLOUD Act purposes.

Funding Structure:

Atlan has raised approximately USD 200 million across its funding history:

• Seed (2019): Undisclosed — early Singapore-focused investors
• Series A (2021): USD 16M — Sequoia Capital (Menlo Park, CA), Salesforce Ventures (San Francisco, CA)
• Series B (2022): USD 50M — Insight Partners (New York, NY), Sequoia Capital, Salesforce Ventures, GIC (Government of Singapore Investment Corporation)
• Series C (2023): USD 105M — Insight Partners (New York, NY), Sequoia Capital, GIC, Meritech Capital

The investor composition requires particular attention because it is often misread in sovereign analysis.

GIC — Singapore Sovereign Wealth Fund — Does Not Help: GIC's investment in Atlan is frequently cited as evidence of Singapore sovereign alignment. This reading is incorrect for US CLOUD Act purposes. GIC is a Singapore state-controlled investment vehicle. Its investment in Atlan does not transform Atlan Inc. into a Singapore sovereign entity. GIC holds no board control authority sufficient to override Insight Partners and Sequoia in governance decisions. A US government CLOUD Act demand directed at Atlan Inc., Delaware does not become a demand directed at a Singapore sovereign entity merely because GIC holds minority equity. GIC's participation does not create CLOUD Act immunity — it creates Singapore's pension capital participation in a US-structured corporate enterprise.

Insight Partners — New York Private Equity — Controls the Board: Insight Partners, headquartered at 1114 Avenue of the Americas, New York, NY 10036, is the lead investor across Series B and Series C. In venture capital structures, lead investors at this scale typically hold board seats, pro-rata rights, information rights, and protective provisions. Insight Partners manages approximately USD 90 billion in assets under management across growth-stage software companies. Its portfolio includes more than 700 companies. Insight Partners is subject to US securities law, US tax law, and US regulatory oversight. Its governance authority over Atlan Inc. is exercised from New York.

Sequoia Capital — Menlo Park — Controls Technology Strategy: Sequoia Capital's Series A lead position established foundational governance rights that persist through subsequent rounds. Sequoia's US flagship funds (Sequoia Capital LP, Menlo Park, CA) manage capital raised from US institutional investors — university endowments, pension funds, foundations — that are themselves subject to US regulatory regimes. Sequoia's presence in Atlan's governance structure connects Atlan's technology roadmap decisions to US capital markets infrastructure.

The dual corporate structure, read through a US CLOUD Act framework, resolves cleanly: Atlan Inc. is a US company. Its Singapore Pte. Ltd. affiliate does not change that.

Why Active Metadata Changes the Sovereignty Calculus Categorically

The term "Active Metadata" is Atlan's foundational product differentiation. Understanding what it means in technical terms is essential for sovereignty analysis, because the data that Atlan's platform captures is categorically more sensitive than what a conventional data catalog stores.

Conventional data catalog (passive): Stores schema metadata — table names, column names, data types, primary keys, foreign key relationships, row counts. Stores lineage graphs — where data originated, what transformations were applied, where it was consumed. This is structural metadata. Sensitive, but predictable in scope.

Active Metadata Platform: Captures a continuous stream of behavioural metadata that a conventional catalog does not touch:

Query Behavioural Analytics. Atlan integrates directly with Snowflake, Databricks, BigQuery, Redshift, and other query engines via query log APIs. Every SQL query executed against your data warehouse is parsed, attributed to a user, associated with data assets in the catalog, and stored as a query event in Atlan. The platform builds data asset popularity scores based on query frequency. It builds user data consumption profiles based on which assets individuals access. For EU enterprises, this creates a behavioral record: which analyst queried the GDPR Article 9 special category data table, at what frequency, through which BI tool, correlated with which business events (quarter-end, audit periods, regulatory submissions).

Embedded Collaboration and Conversations. Atlan's platform includes a built-in collaboration layer — Slack-style threaded conversations embedded directly on data assets. A data analyst can open a thread on the customer_payments table: "Is this source-of-truth for DORA financial reporting or is it the Databricks version?" A data steward responds: "Use this one — it's certified for regulatory submissions. The Databricks pipeline had a lineage gap through Q3." These conversations — about which data assets underpin your regulatory reporting, where your compliance data actually comes from, which datasets have quality issues before audit submission — are stored in Atlan's platform as structured content associated with data assets. They constitute a log of your organisation's internal deliberations about data governance and compliance posture.

Ask AI — Natural Language Interaction Logs. Atlan AI (launched 2024) allows users to ask natural language questions about the data estate: "What tables contain customer PII that are consumed by the marketing analytics pipeline?" "Which datasets are tagged as in-scope for our NIS2 incident reporting obligations?" "Show me all tables that feed into our DORA-reportable key performance indicators." Every natural language query to Atlan AI is a structured data request that reveals compliance architecture intentions — what your organisation considers sensitive, which regulatory frameworks it is managing, what data relationships it is trying to understand. These query logs are stored in Atlan's platform.

Data Observability Integration. Atlan integrates with Monte Carlo, Soda, and other data observability platforms. Data quality alerts — schema drift warnings, null rate anomalies, row count deviations — are surfaced in the catalog context. A data quality alert on clinical_trial_results.primary_endpoint_value reveals that your organisation runs a clinical data pipeline significant enough to warrant observability instrumentation. The alert content, stored in Atlan, is a map of where your operationally critical data assets are and when they have quality events.

In combination, these Active Metadata streams constitute what is operationally a behavioural intelligence layer on top of your data estate. Not just what data exists — but how your organisation thinks about it, how it uses it, who is responsible for it, and when it is in a degraded state. All of this sits in a US-incorporated platform subject to CLOUD Act compelled disclosure.

CLOUD Act Exposure Score: 21/25

We apply the five-dimension CLOUD Act exposure framework consistent with the Collibra (17/25) and Alation (19/25) analyses from earlier in this series.

Dimension 1: US Corporate Structure — 5/5

Atlan Inc. is incorporated in Delaware. The operating company — the entity that holds intellectual property, signs US investor agreements, and employs US-based leadership — is a US corporation. The Singapore Pte. Ltd. structure does not create a non-US controlling entity for CLOUD Act purposes. There is no EU holding company, no EU data processor entity with genuine data control authority, and no structural mechanism that would defeat a US government demand for data.

Score: 5/5. Maximum applies.

Dimension 2: Investor and Institutional Dependencies — 5/5

The funding structure receives maximum exposure score because no EU investor holds significant governance authority.

Insight Partners (NY) leads Series B and Series C. The combined USD 155M invested across these rounds, combined with the typical lead investor governance rights in growth-stage enterprise software, positions Insight Partners as the primary governance authority over Atlan Inc.'s strategic decisions. Insight Partners is a New York private equity and venture capital firm managing USD 90B+ AUM under US regulatory oversight. No EU-facing mandate, no EU data protection obligations in its fund governance.

Sequoia Capital (Menlo Park, CA) established foundational governance through the Series A. Sequoia's flagship US funds operate under US securities law. Sequoia has observer board rights across most early-stage investments of this profile. Its influence on Atlan's technology roadmap, go-to-market strategy, and IPO timing persists from the Series A through all subsequent rounds.

Salesforce Ventures (San Francisco, CA) holds a strategic minority stake. Salesforce Inc. (NYSE: CRM) is a US public company subject to SEC reporting obligations, US tax law, and CLOUD Act jurisdiction. Salesforce Ventures' presence in Atlan's cap table creates a strategic partner dependency with a major US cloud enterprise platform.

GIC (Singapore) holds minority equity from Series B onwards. As analysed above, GIC participation does not create CLOUD Act immunity for Atlan Inc.

This investor composition is the most concentrated US-aligned investor syndicate in the data governance tools series to date. There is no EU institutional investor — no CDP (Caisse des Dépôts, France), no KfW Capital (Germany), no ISAI (France), no Speedinvest (Austria) — holding governance authority. The Board's primary governance principals are all US-based firms.

Score: 5/5. Maximum applies.

Dimension 3: Data Content Sensitivity — 4/5

Atlan's Active Metadata captures categorically more sensitive information than a conventional data catalog. As analysed in the Active Metadata section above: behavioural query logs, embedded conversations about compliance-sensitive data, AI query interaction logs, and data observability alerts combine to create a continuous behavioral intelligence stream about your organisation's data governance operations.

For EU enterprises subject to GDPR, NIS2, or DORA, this sensitivity is structural: the data that Atlan stores is not just a map of what sensitive data exists — it is a map of how your organisation manages, thinks about, and operationalises its compliance obligations. A CLOUD Act compelled disclosure of Atlan data provides US authorities with a complete picture of your regulatory compliance architecture.

The one factor preventing a 5/5 score: Atlan does not store the underlying personal data itself. The CLOUD Act exposure is over governance metadata, not over GDPR-protected personal data records directly. This is a meaningful distinction even if the governance metadata is operationally sensitive.

Score: 4/5.

Dimension 4: Personnel and Operational Dependencies — 3/5

Atlan's engineering function is heavily distributed with significant India presence. The company's engineering team is substantially based in Gurgaon, India (Atlan's India engineering hub). This geographic distribution reduces D4 below its maximum, as US government demands directed at Atlan Inc. would primarily compel production of data from US-based systems rather than from India-based engineering infrastructure.

US-based leadership (San Francisco): CEO Prukalpa Sankar maintains US operational presence. The GTM team is primarily US-based. Leadership decisions affecting EU customer data processing are made within US operational jurisdiction.

Score: 3/5. India engineering presence provides partial mitigation consistent with Alation's scoring.

Dimension 5: Technical Architecture — 4/5

Atlan is a fully cloud-native SaaS platform. Unlike Alation, which offers an on-premises deployment option (at the cost of losing ML features), Atlan does not offer an on-premises deployment path. Atlan's platform is designed exclusively for cloud deployment, hosted on AWS (primary) and GCP (secondary regions).

This architectural decision elevates Atlan's D5 score above Alation (which scored 3/5 for its on-prem option). Atlan customers cannot deploy the Active Metadata Platform in their own infrastructure to reduce CLOUD Act exposure. Every customer is by design a Atlan SaaS subscriber, with all behavioral metadata, collaboration content, and AI query logs stored in Atlan's cloud infrastructure.

Score: 4/5. Cloud-only architecture with no on-premises mitigation path.

Total CLOUD Act Exposure: 21/25

The Singapore PDPA — What It Covers and Why It Does Not Help

Singapore's Personal Data Protection Act (PDPA, 2012, significantly amended 2021) is a real and substantive privacy framework. The 2021 amendments increased penalties (up to SGD 1 million or 10% of Singapore annual turnover) and added mandatory breach notification requirements (3-day notification for significant breaches). Singapore was granted EU adequacy for data transfers under GDPR in October 2024 (partial adequacy covering Singapore entities certified under the Singapore-EU Data Protection Agreement framework).

None of this changes the CLOUD Act analysis for Atlan:

PDPA governs Atlan Pte. Ltd.'s handling of personal data in Singapore. It does not govern US government demands directed at Atlan Inc., Delaware. These are separate legal regimes operating on separate legal entities.

The EU-Singapore adequacy decision (partial) covers data flows from EU to Singapore entities that meet the agreed framework standards. It does not immunise US parent companies of Singapore entities from CLOUD Act demands. Adequacy decisions are EU instruments. They govern EU-to-third-country data transfers. They do not override US domestic law enforcement authority over US corporations.

Mutual Legal Assistance Treaties (MLATs) between the US and Singapore exist but do not prevent unilateral CLOUD Act action. The CLOUD Act explicitly allows US authorities to proceed without going through an MLAT framework when targeting US-incorporated entities — including the US parent companies of Singapore-incorporated subsidiaries.

The consequence: Atlan's Singapore Pte. Ltd. structure creates a genuine privacy framework for Singapore-origin data subject to Singapore PDPA enforcement. For EU customers whose data flows through Atlan Inc., Delaware, the Singapore structure does not intercept CLOUD Act jurisdiction. EU enterprises that contract with Atlan Pte. Ltd. may find that their DPAs are signed with a Singapore entity while their data is processed on infrastructure controlled by a US operating company under US regulatory authority.

This dual-structure pattern — Singapore entity for marketing, Delaware entity for operations — is increasingly common in enterprise software companies founded by non-US founders who raise US venture capital. The pattern consistently fails EU sovereignty tests for the same structural reason: US investors controlling a US operating company cannot be sovereignty-protected by a Singapore holding structure.

EU-Native Alternatives

The EU data governance ecosystem has matured significantly. European-incorporated data catalog and governance platforms exist with 0/25 CLOUD Act exposure scores:

DataGalaxy (Bordeaux, France — 0/25)
DataGalaxy SAS is incorporated in France. Primary investors include Bpifrance (French public investment bank) and French institutional funds. DataGalaxy provides data catalog, data lineage, data dictionary, and governance workflow capabilities. Its Active Metadata equivalents — user activity tracking, collaboration features — are entirely within French legal jurisdiction. CLOUD Act exposure: 0. No US investor board control, no US C-Corp structure, no US engineering concentration.

Castor (Amsterdam, Netherlands — 0/25)
Castor B.V. is incorporated in the Netherlands. The platform focuses on automated data discovery, lineage mapping, and data mesh governance patterns. Castor raised €6M from European investors including angel investors from the Amsterdam tech ecosystem. Netherlands data protection is governed by the Autoriteit Persoonsgegevens (AP) under GDPR. CLOUD Act exposure: 0.

OpenMetadata (Apache 2.0 — 0/25)
OpenMetadata is an open-source project hosted by the Linux Foundation under the Apache 2.0 license. The project was initiated by Collate Inc. (San Francisco) but the open-source platform itself is self-hostable with no vendor lock-in. EU enterprises can deploy OpenMetadata on EU-based infrastructure (OVHcloud, Hetzner, Deutsche Telekom CETIN) and operate a full Active Metadata equivalent — lineage, discovery, quality, collaboration — under their own data controller authority. CLOUD Act exposure when self-hosted: 0.

Ataccama s.r.o. (Prague, Czech Republic — 2/25)
Ataccama is incorporated in Prague, Czech Republic (EU Member State). Its primary investor is Ardian (Paris-based private equity), with Ataccama's operations primarily European. Ataccama Data Management Platform includes data catalog, data quality, and master data management. A US sales subsidiary exists, contributing a minor D1/D2 score increase, but governance authority remains EU-based. Score: 2/25.

What the Active Metadata Paradox Means for GDPR Compliance

For EU enterprises subject to GDPR, the interaction between Atlan's Active Metadata capabilities and GDPR compliance creates a specific paradox worth examining.

GDPR Article 30 requires controllers to maintain a Register of Processing Activities (RoPA). Many EU enterprises use Atlan (or Collibra, Alation) as their RoPA platform — cataloguing where personal data exists, what legal basis applies, what retention periods are in force, and who the data processors are. The GDPR-required RoPA is stored in a US-incorporated platform subject to CLOUD Act.

The paradox deepens with Active Metadata: Atlan's behavioral analytics on how your organisation uses its RoPA — which team accessed the special category data records, when the DPO updated the Article 9 entries, what AI queries were posed about your processing activities — creates a meta-layer over your GDPR compliance documentation that is itself CLOUD Act-exposed.

GDPR Article 5(2) accountability principle requires controllers to be able to demonstrate compliance. Demonstrating compliance requires documentation of your compliance governance process. That governance process — stored as Active Metadata in Atlan — is subject to CLOUD Act compelled disclosure.

This is not a theoretical risk. It is a structural consequence of using a US-incorporated Active Metadata platform as the infrastructure for GDPR compliance documentation.

Conclusion: The Dual Structure Does Not Create Dual Jurisdiction

Atlan's 21/25 CLOUD Act exposure score reflects a corporate structure that presents a Singapore incorporation to EU customers while operating through a US-incorporated entity controlled by US venture capital. The Active Metadata Platform's behavioral capture capabilities — query analytics, embedded conversations, AI interaction logs, observability integration — create a richer intelligence picture of EU enterprise data governance operations than any conventional data catalog.

For EU enterprises evaluating Atlan, the governance questions are structural:

1. Who controls the operating company? Insight Partners (New York) and Sequoia Capital (Menlo Park, California) — not Singapore entities, not EU investors.

2. Does the Singapore incorporation create CLOUD Act immunity? No. US District Court warrants directed at Atlan Inc., Delaware are not intercepted by Atlan Pte. Ltd., Singapore.

3. Does GIC's investment create sovereign protection? No. GIC is a Singapore state investment fund. Its minority equity position does not transform Atlan Inc. into a Singapore sovereign entity for CLOUD Act purposes.

4. Is there an on-premises deployment option? No. Atlan is cloud-only. There is no architectural path to reducing CLOUD Act exposure through infrastructure localisation.

EU enterprises subject to DORA Article 28 (ICT third-party risk), NIS2 Article 21 (appropriate security measures), or operating in regulated sectors (financial services, healthcare, critical infrastructure) should treat Atlan's dual structure as a governance risk requiring explicit Board-level sign-off — not a technical risk manageable through standard DPA execution.

DataGalaxy, Castor, and OpenMetadata — all at 0/25 — provide Active Metadata capabilities under EU legal jurisdiction. The active metadata gap between US-hosted and EU-native platforms has narrowed substantially in 2024-2026. The sovereignty gap has not.

In the next post in this series, we examine BigID — the AI-native data intelligence platform that has positioned itself as the privacy-first alternative to traditional data catalogs. BigID's privacy-centric marketing meets its Delaware C-Corp corporate structure.

EU-native data governance platforms available without CLOUD Act exposure: DataGalaxy (France), Castor (Netherlands), OpenMetadata (self-hostable, Apache 2.0), Ataccama (Czech Republic).