Data sovereignty

The US CLOUD Act — and how we keep your email outside it

The US CLOUD Act lets US authorities compel American companies to hand over data they control — even when that data sits in the UK or EU. Because the obligation follows the company's nationality, not the data's location, a US provider's "London region" does not put your data beyond US reach. Sovereign Mail is UK-owned and UK-hosted with no US parent, so it falls outside the Act's scope.

What is the US CLOUD Act?

The Clarifying Lawful Overseas Use of Data Act (2018) allows US law enforcement, with appropriate legal process, to require US-based service providers to disclose data in their "possession, custody, or control" — regardless of where in the world that data is stored.

Why it matters for UK organisations

How Sovereign Mail solves it

We back this with UK GDPR processor terms and are working toward ISO 27001, Cyber Essentials Plus and the NHS Data Security and Protection Toolkit.

UK vs US — what each government can and can't do

Sovereignty is not a promise that no government can ever access data — no provider can honestly claim that. It is about which laws and courts apply. With a UK-owned, UK-hosted provider your data sits under a single, familiar legal regime instead of also being reachable by a foreign one.

UK authorities US authorities (CLOUD Act)
Applies toUK providers under UK lawUS-owned providers — wherever data is stored, including the UK
Legal processCourt orders; interception needs the "double-lock" — a Secretary of State and an independent Judicial CommissionerUS court orders and warrants under US law
OversightInvestigatory Powers Commissioner (IPCO); redress via the Investigatory Powers TribunalUS courts; little to no UK visibility
Are you told?Subject to UK due process, with greater scope for transparencyOften gagged by a non-disclosure order — you may never know
UK GDPROperates within UK data-protection lawA compelled disclosure can conflict with your UK GDPR duties
Your recourseUK courts and tribunals, backed by the Human Rights ActA foreign jurisdiction — little practical recourse for a UK organisation

In short: a UK provider keeps you in one jurisdiction — UK law, with its warrants, oversight and courts. A US-owned provider adds a second, foreign one on top, with no UK oversight.

Frequently asked questions

Does the US CLOUD Act apply to data stored in the UK?

Yes. The CLOUD Act reaches data under the control of a US company or its subsidiaries wherever in the world it is stored, so UK or EU data residency alone does not put it beyond US reach if the provider is US-owned.

Does using AWS, Azure or Google's UK (London) region protect my data from the CLOUD Act?

Not on its own. Those regions are operated by US-headquartered companies, so data held there can still fall within US jurisdiction under the CLOUD Act, regardless of its physical location.

How is Sovereign Mail different?

Sovereign Mail is a UK-incorporated, UK-owned company with no US parent, running on UK-hosted infrastructure. With no US corporate nexus, it falls outside the CLOUD Act's reach and your email data stays under UK law only.

Doesn't the UK have its own surveillance laws?

Yes. UK authorities can compel disclosure under the Investigatory Powers Act 2016 and court orders. The difference is jurisdiction: with a UK provider your data sits under one legal regime — UK law, UK courts, the double-lock warrant process and independent oversight — rather than also being exposed to a foreign government with no UK oversight. No provider can place data beyond all lawful access; sovereignty is about which laws and courts apply.

Is this legal advice?

No. This is a plain-English summary for context. Organisations with specific regulatory or contractual obligations should take their own legal advice.

Keep your transactional email in the UK

UK-owned, UK-hosted, outside US CLOUD Act reach.

Create an account

This page is a plain-English summary and is not legal advice.