EU Cloud Sovereignty
Railway, Render, and Fly.io are US companies. The US CLOUD Act means American authorities can demand your customer data — without a European court order, without notifying you. sota.io is different.
The Problem with US Cloud Providers
The US CLOUD Act (2018)
The Clarifying Lawful Overseas Use of Data Act requires US companies — including their non-US subsidiaries and EU data centers — to hand over customer data to US federal agencies upon request. No EU court approval required. No notification to the data subject required. This applies to AWS, GCP, Azure, Railway, Render, Fly.io, Vercel, and every other US-owned cloud service.
The EU Cloud Sovereignty Framework (European Commission, October 2025) and the EU Data Act (2025) explicitly recognize this risk. European enterprise procurement teams, financial regulators (BaFin, FINMA, AMF), and healthcare compliance officers now treat US-cloud exposure as a material risk — not a theoretical one.
Platform Comparison
| Provider | Jurisdiction | CLOUD Act | GDPR DPA |
|---|---|---|---|
| sota.io | 🇩🇪 Germany (EU) | Not applicable | All plans |
| Railway | 🇺🇸 USA | Applies | Enterprise only |
| Render | 🇺🇸 USA | Applies | All plans (but US-owned) |
| Fly.io | 🇺🇸 USA | Applies | Available |
| Vercel | 🇺🇸 USA | Applies | Enterprise only |
How sota.io Protects Your Data
German company, German law
sota.io is operated by mamarx GmbH, registered in Germany. We are subject to German and EU law — not US federal jurisdiction. No US agency can compel us to disclose your data under the CLOUD Act.
EU-only data storage
All customer data — deployments, databases, logs, environment variables — is stored exclusively in Frankfurt, Germany (eu-central-1). Data never transits through US infrastructure.
GDPR DPA on every plan
Our Data Processing Agreement (DPA) is available to all customers, including the free tier. No enterprise contract required. We process data exclusively as your data processor under GDPR Article 28.
No US sub-processors for critical data
We carefully vet sub-processors. Your application data and database content are not processed by US-owned services. We use EU-hosted infrastructure throughout the stack.
Transparent compliance documentation
We publish our full sub-processor list, DPA, privacy policy, and legal basis for all processing. If you receive a data subject access request, we can help you respond within 72 hours.
Who Needs EU Cloud Sovereignty
Financial Services
BaFin, FINMA, AMF regulatory requirements. MiFID II data residency obligations.
Healthcare & MedTech
§22 BDSG, MDR Article 10. Patient data cannot leave EU jurisdiction.
Legal & Compliance
Attorney-client privilege. Legal hold data cannot be accessed by foreign authorities.
Government & Public Sector
NIS2 Directive. Public procurement increasingly requires EU-sovereign providers.
SaaS serving EU enterprises
Enterprise customers ask: where does our data go? The answer matters for procurement.
Any GDPR-regulated business
CLOUD Act exposure raises legitimate questions about transfer mechanisms under Schrems II.
Deploy with full EU sovereignty
German company. Frankfurt data center. GDPR DPA on all plans. Your data stays in Europe — by law, not just policy.
This page is for informational purposes. For legal advice specific to your compliance requirements, consult qualified legal counsel. Information accurate as of March 2026. EU Cloud Sovereignty Framework refers to the European Commission framework published October 2025.