Storing data in an EU data centre answers one question. It doesn't answer who holds operational access to that data at runtime, under which jurisdiction your provider's parent entity sits, or whether you can produce continuous jurisdictional evidence at audit time.
Data residency — where data is physically stored — is a necessary condition for compliance with frameworks like GDPR, NIS2, and DORA. It is not sufficient. The question regulators increasingly ask isn't "where is the data?" but "who can access it, under what legal authority, without your knowledge?"
A US-headquartered cloud provider with EU data centres remains subject to US law, including the CLOUD Act. That law allows US authorities to compel production of data held by covered entities — regardless of where data physically sits, and without notifying the data controller or data subject.
Residency compliance and jurisdictional control are different properties. Most organisations have the first. Many lack the second.
"Sovereign cloud operations requires four things working together: control over your data, control over the systems that manage it, compliance with applicable law, and resilience. How many of those four can you evidence continuously — not just at audit time?"
— Sovereignty posture question, Sovereign by Design framework
Even if a cloud provider's EU subsidiary is the contracting party, data can be accessible to a US parent entity. GDPR doesn't fully resolve this — Chapter V restrictions apply to transfers, but operational access via a corporate chain is a separate legal question that data protection authorities are examining with increasing precision.
Physical residency, legal jurisdiction of the provider's operating entity, and the jurisdiction of the parent corporate chain are three separate questions. You need clean answers to all three.
Your provider's support engineers, their parent entity, and third-party tooling may all hold operational access paths. Mapping and controlling those access paths is a governance task, not a residency task.
Regulators are moving toward continuous compliance requirements. A point-in-time audit report does not demonstrate that governance held between audits. Continuous evidencing is the operational requirement.
emma sits in the control plane — not the data path. emma does not own, store, or transit your data. What emma provides is governance over where workloads run, what access policies apply, and continuous operational evidence of those controls.
Because emma is headquartered in Luxembourg, with no non-EU corporate parent and no CLOUD Act exposure, the governance layer itself is clean — no third-party access risk introduced by the operations platform.
The result: you can operate workloads across EU-sovereign providers, hyperscalers, and private cloud while maintaining a single, auditable governance record that covers all environments.
Set data classification, residency requirements, and access control policies centrally. Policies apply automatically across all governed environments — no per-provider configuration.
Workload placement respects residency rules and access policy constraints. Regulated data doesn't move outside defined jurisdictional boundaries unless explicitly permitted.
A unified audit trail across all providers gives you continuous evidence of policy compliance — not snapshots. Governance holds between audits, not just during them.
30-minute session with an emma Solutions Architect. We'll walk through your specific gaps and show how emma's governance model addresses them.