Cloud Act Alternative: EU-Sovereign Cloud Hosting
A datacenter in Frankfurt or Paris does not put your data beyond the reach of US law. What decides that is who operates the service. Bunker is operated by a European entity with no US parent, subsidiary or presence, hosted in France under EU law, so it sits outside the scope of US production orders under the Cloud Act.
The US Cloud Act, passed in 2018, lets US authorities order any provider under US jurisdiction to produce the data it holds, regardless of where the servers physically sit. An AWS region in Frankfurt, an Azure region in Amsterdam, a Google Cloud zone in Paris: all three are operated by US companies, so all three fall under that order. FISA Section 702 adds electronic surveillance of non-US targets, and Schrems II (CJEU, 2020) struck down the Privacy Shield precisely over this conflict.
If you handle health records, financial data or public-sector files in Germany, Austria, the Netherlands or Switzerland, the question your DPO and legal team keep coming back to is simple: can a foreign authority compel access to this data? With a US-operated cloud, the honest answer is yes. Bunker changes that answer.
Why Bunker sits outside US jurisdiction
European operator, no US ties
Bunker is run by a European entity with no US parent company, subsidiary, branch or staff. There is no legal person for US authorities to serve a Cloud Act production order on. Jurisdiction follows the operator, not the flag on the building.
Hosted in France under EU law
Servers, storage and backups stay on French soil, governed by GDPR and French law. No transatlantic transfer sits in the data path, which removes the Schrems II problem at the root instead of papering over it with Standard Contractual Clauses.
Open-source and auditable
The stack is open source end to end: Kubernetes, PostgreSQL, Ceph S3 storage, private LLMs. Your security team can read the code, inspect the deployment and verify what actually runs. No black box, no proprietary control plane you have to take on trust.
Flat pricing, no egress fees
Pricing is flat and published. Pulling your data back out costs nothing, because there are no egress fees. That keeps exit cheap and reversibility real, instead of a clause you can never afford to use.
Bunker compared to the US hyperscalers
| Criterion | Bunker | AWS | Azure | Google Cloud |
|---|---|---|---|---|
| Operator jurisdiction | EU only (France) | United States | United States | United States |
| Subject to US Cloud Act | No | Yes | Yes | Yes |
| FISA 702 exposure | None | Yes | Yes | Yes |
| Data location guarantee | France, by operator | Region setting only | Region setting only | Region setting only |
| Open-source and auditable | Yes, full stack | No | No | No |
| GDPR Art. 28 DPA | Standard, no US transfer | With SCCs | With SCCs | With SCCs |
| Reversibility | No egress fees, self-hostable | Egress fees apply | Egress fees apply | Egress fees apply |
Why an EU region at a US provider does not protect you
This is the point most procurement checklists get wrong. Choosing eu-central-1 on AWS, or a Frankfurt region on Azure, controls where the bytes are stored. It does nothing about who can be ordered to produce them. AWS, Microsoft and Google are US companies, so a US court can issue a Cloud Act order against the parent, and the parent has the legal obligation to comply with data its European subsidiary holds. The datacenter being in the EU is irrelevant to that order. Microsoft has acknowledged in public hearings that it cannot guarantee EU data will never leave the EU under such a request. The physical address is a comfort, not a legal shield.
What actually moves the line is the jurisdiction of the operator. Bunker is operated by a European entity with no US parent, subsidiary or presence, so there is no US-reachable company that can be compelled to hand over your data. A foreign authority would have to go through European mutual legal assistance channels, before a European judge, under EU law. That is a different legal regime, not a contractual promise bolted onto a US service. Combined with hosting in France and an open-source stack you can audit, it gives your DPO and RSSI something they can document for a regulator rather than hope holds up under Schrems II scrutiny.
Next steps
How Bunker delivers managed infrastructure under EU jurisdiction, with a DPA aligned to Article 28.
Cloud repatriation: exit AWS, Azure or GCPThe migration path off a US hyperscaler, from audit to cutover, without egress fees to leave.
Self-hostable open-source alternative to AWSThe full open-source stack you can run as a managed cloud or install on your own servers.
Frequently asked questions
Does hosting in an EU AWS region protect me from the Cloud Act?
No. Selecting an EU region controls where your data is stored, not who can be ordered to produce it. AWS is a US company, so a US court can issue a Cloud Act order against it for data its European entity holds, wherever that data physically sits. The same applies to Azure and Google Cloud. To be outside that reach, the operator itself has to be outside US jurisdiction, which is the case for Bunker.
What makes Bunker outside the reach of US extraterritorial law?
Bunker is operated by a European entity with no US parent company, subsidiary, branch or presence, and it is hosted in France under EU law. There is no US-reachable legal person for authorities to serve a Cloud Act or FISA 702 order on. A request would have to go through European mutual legal assistance, before a European judge. We state this as a matter of legal structure, not as a claim of absolute immunity.
How does this relate to Schrems II and GDPR compliance?
Schrems II struck down the Privacy Shield in 2020 because US surveillance law, including FISA 702, conflicts with the protection GDPR requires. With a US-operated cloud, you carry that conflict and try to manage it with Standard Contractual Clauses and transfer impact assessments. With Bunker, your data stays under EU law with no transatlantic transfer in the path, so the conflict does not arise. A DPA aligned to Article 28 of the GDPR is available.
Can I run Bunker on my own servers instead of the managed offer?
Yes. The stack is open source: Kubernetes, PostgreSQL, Ceph S3 storage and private LLMs. You can take the managed service or install the same stack on hardware you control, including on-premise in your own datacenter. Because the components are open source and there are no egress fees, moving between managed and self-hosted, or out entirely, stays a practical option rather than a theoretical one.
Move your data out of US jurisdiction
Talk to our team about a sovereign cloud operated in France, with a GDPR Article 28 DPA and no transatlantic transfer.