Data sovereignty
The US CLOUD Act — and how we keep your email outside it
The US CLOUD Act lets US authorities compel American companies to hand over data they control — even when that data sits in the UK or EU. Because the obligation follows the company's nationality, not the data's location, a US provider's "London region" does not put your data beyond US reach. Sovereign Mail is UK-owned and UK-hosted with no US parent, so it falls outside the Act's scope.
What is the US CLOUD Act?
The Clarifying Lawful Overseas Use of Data Act (2018) allows US law enforcement, with appropriate legal process, to require US-based service providers to disclose data in their "possession, custody, or control" — regardless of where in the world that data is stored.
Why it matters for UK organisations
- Data residency is not data sovereignty. Storing data in a UK data centre does not exempt it if the operating company, or its parent, is subject to US jurisdiction.
- It can conflict with UK GDPR. A compelled US disclosure may sit at odds with your obligations under the Data Protection Act 2018 and UK GDPR.
- The hyperscaler "UK region" trap. AWS, Azure and Google's London regions are operated by US-parented companies, so legal analysis holds they remain within the CLOUD Act's reach.
- It hits regulated sectors hardest — NHS and government, legal, financial services, and anyone with confidentiality or sovereignty requirements.
How Sovereign Mail solves it
- UK-incorporated and UK-owned, with no US parent company.
- UK-hosted infrastructure — all processing and storage stays in the UK.
- No US sub-processors in the sending path.
- The result: not "a US company with a UK region," but a UK company under UK law — outside the CLOUD Act's extraterritorial reach.
We back this with UK GDPR processor terms and are working toward ISO 27001, Cyber Essentials Plus and the NHS Data Security and Protection Toolkit.
UK vs US — what each government can and can't do
Sovereignty is not a promise that no government can ever access data — no provider can honestly claim that. It is about which laws and courts apply. With a UK-owned, UK-hosted provider your data sits under a single, familiar legal regime instead of also being reachable by a foreign one.
| UK authorities | US authorities (CLOUD Act) | |
|---|---|---|
| Applies to | UK providers under UK law | US-owned providers — wherever data is stored, including the UK |
| Legal process | Court orders; interception needs the "double-lock" — a Secretary of State and an independent Judicial Commissioner | US court orders and warrants under US law |
| Oversight | Investigatory Powers Commissioner (IPCO); redress via the Investigatory Powers Tribunal | US courts; little to no UK visibility |
| Are you told? | Subject to UK due process, with greater scope for transparency | Often gagged by a non-disclosure order — you may never know |
| UK GDPR | Operates within UK data-protection law | A compelled disclosure can conflict with your UK GDPR duties |
| Your recourse | UK courts and tribunals, backed by the Human Rights Act | A foreign jurisdiction — little practical recourse for a UK organisation |
In short: a UK provider keeps you in one jurisdiction — UK law, with its warrants, oversight and courts. A US-owned provider adds a second, foreign one on top, with no UK oversight.
Frequently asked questions
Does the US CLOUD Act apply to data stored in the UK?
Yes. The CLOUD Act reaches data under the control of a US company or its subsidiaries wherever in the world it is stored, so UK or EU data residency alone does not put it beyond US reach if the provider is US-owned.
Does using AWS, Azure or Google's UK (London) region protect my data from the CLOUD Act?
Not on its own. Those regions are operated by US-headquartered companies, so data held there can still fall within US jurisdiction under the CLOUD Act, regardless of its physical location.
How is Sovereign Mail different?
Sovereign Mail is a UK-incorporated, UK-owned company with no US parent, running on UK-hosted infrastructure. With no US corporate nexus, it falls outside the CLOUD Act's reach and your email data stays under UK law only.
Doesn't the UK have its own surveillance laws?
Yes. UK authorities can compel disclosure under the Investigatory Powers Act 2016 and court orders. The difference is jurisdiction: with a UK provider your data sits under one legal regime — UK law, UK courts, the double-lock warrant process and independent oversight — rather than also being exposed to a foreign government with no UK oversight. No provider can place data beyond all lawful access; sovereignty is about which laws and courts apply.
Is this legal advice?
No. This is a plain-English summary for context. Organisations with specific regulatory or contractual obligations should take their own legal advice.
Keep your transactional email in the UK
UK-owned, UK-hosted, outside US CLOUD Act reach.
Create an accountThis page is a plain-English summary and is not legal advice.