The word appears in almost every RFP, often in bold, rarely defined. Sovereign solution, sovereign hosting, sovereign data. By dint of showing up everywhere, the term has ended up promising nothing precise, and the DPO reading these mentions knows they sometimes cover a simple checked box: a datacenter located in France. The practical companion to this article, the comparison of where your interview data goes, already shows how little location alone tells you. Here we take the subject from the other end, the legal architecture: what sovereignty means once you go beneath the marketing layer, for a recruitment agency, an IT services firm, or an accounting firm that entrusts a vendor with the voice and career path of its candidates.
The sovereignty of a piece of data is not measured by where it sleeps. It is measured by another question: which law can claim it, and from whom. It is a matter of jurisdiction, not geography, and that is where the two bodies of rules governing the subject, one American, one European, collide.
Two laws that contradict each other
On the American side, the CLOUD Act of 2018 sets out a simple, broad rule. A communications or storage service provider subject to United States jurisdiction must, on legal order, hand over to US authorities the data of a customer it holds, whether that data is located inside or outside the country. Server location protects nothing: it is jurisdiction over the provider that triggers the obligation. And that jurisdiction reaches further than people think. According to the report by the Swiss Federal Office of Justice on the subject, a company holding a holding company, a subsidiary, or a branch in the United States can be affected, even if the infrastructure hosting the data is elsewhere.
On the European side, chapter V of the GDPR organizes the opposite. Its article 44 provides that any transfer of data outside the Union is subject to the conditions of the chapter, and that the level of protection guaranteed by the regulation must never be undermined, including for onward transfers. Further on, article 48 provides that a decision by a court or authority of a third country requiring a transfer is recognized only if it rests on an international agreement in force. This is, in practice, the European text's anti-CLOUD Act article: an American order does not constitute, under European law, a valid order to disclose.
Two laws, two opposing answers to the same question, and a company whose provider falls under both legal orders finds itself caught between the two. This is the underlying tension that the word sovereignty seeks to resolve, and that the mention hosted in France leaves untouched.
Schrems II, when location is no longer enough
This tension is not theoretical: the Court of Justice of the European Union resolved it once, and its reasoning sheds light on everything else. In the Schrems II ruling of 16 July 2020 (case C-311/18), the Court invalidated the Privacy Shield, the agreement that presumed the United States offered adequate protection, while holding the Commission's standard contractual clauses valid.
The grounds matter more than the decision. The CNIL sums it up as follows: the Court held that the collection of data by American intelligence services was not proportionate, and that the remedies available to data subjects were insufficient in light of the Charter of Fundamental Rights. In other words, the agreement did not fall on the technical quality of the servers. It fell on the country's law and its surveillance regime. The same logic governs the adequacy decision provided for in article 45: it is assessed by reference to public authorities' access to data and the existence of effective remedies, never by location alone.
The practical consequence of Schrems II is heavy and often forgotten. Continuing to rely on standard contractual clauses toward the United States is lawful only if the exporter assesses the actual level of protection and adds supplementary measures, encryption for example, to prevent any access by American authorities. The CNIL formalizes this step under the name transfer impact assessment, in a guide published in early 2025: before any transfer based on an article 46 tool, the exporter must document the risk of access by the authorities of the third country. Location in Europe therefore exempts you from nothing as long as the provider itself remains elsewhere.
SecNumCloud and EU Data Boundary, two markers not to be confused
Faced with this exposure, two notions keep coming up in RFPs, and it is worth distinguishing them, because one is a sovereignty framework and the other a hyperscaler arrangement.
The ANSSI's SecNumCloud qualification aims in particular, according to its official FAQ, to enable a cloud service to withstand an order arising from an extraterritorial law affecting the availability, confidentiality, and integrity of the service. Its protection rests not on promises but on verifiable criteria, including a registered office established in a Member State of the Union and a capitalization where non-Union entities remain a minority. It is a demanding grid that a DPO can choose to require of its providers, not a legal minimum imposed on every vendor.
A discerning DPO nonetheless reads SecNumCloud with the nuance that ANSSI itself adds. Its director general, Vincent Strubel, recalled in January 2026 that the qualification does not exempt a service from the application of the law, and that it is not enough for data to be hosted in France: its processing must be too, its administrators must be, its software must be, and its decisions must be. This sentence is the best safeguard on the subject. Sovereignty is not obtained like a label. It is a chain in which every link, hosting, processing, administration, decision, must hold under the same law.
At the other end of the spectrum, Microsoft's EU Data Boundary illustrates what a location arrangement guarantees and does not guarantee. Completed in early 2024, this arrangement allows all personal data from Microsoft's core services to be stored and processed within the Union. It is a real residency advance. But the same announcement specifies that transfers outside the Union remain possible for cybersecurity functions, documented and limited. A company under American law that files its data in Europe remains a company under American law: it arranges location, it does not change its jurisdiction. This is the whole distinction that Schrems II had brought to light, applied to a concrete case.
The sub-processor contract, the DPO's real lever
Between the principle and its verification lies a document that too many RFPs relegate to an appendix: the sub-processing contract of article 28 of the GDPR. It is not optional. The relationship between the controller, the agency or IT services firm that recruits, and its processor, the vendor of the tool, must be governed by a contract containing mandatory provisions. To help the parties, the Commission published standard contractual clauses between controller and processor on 4 June 2021.
It is within this framework, and not in a product demo, that the questions that matter arise: the named list of downstream sub-processors, their location, the ability to object to the addition of a new sub-processor, the guarantees in case of transfer outside the Union. A vendor that takes sovereignty seriously publishes these elements rather than reserving them for final negotiations. This is the spirit in which Hirify maintains its security page, which lists its sub-processors, so that the DPO can examine the file before signing rather than after.
Candidate data, a material of its own
Everything above would apply to any personal data. Recruitment adds a difficulty of its own: candidate data is not homogeneous. A CV, a career path, contact details are ordinary personal data. But an interview is a living exchange, and it brings up without warning subjects that fall under the special categories of article 9. The CNIL lists them: alleged racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual orientation. A candidate who explains a gap in their career by an illness, a career change motivated by convictions, a family constraint linked to their orientation, pours into the interview data whose processing is in principle prohibited, save for exceptions such as explicit consent.
For an agency, the difficulty is compounded by a commercial value: a candidate's CV and evaluation are an asset reused from one role to the next, as our page dedicated to recruitment agencies explains. This asset is also a processing responsibility. Entrusting it to a tool that ships it to a language model outside the Union, without traceability or a clear legal basis, amounts to circulating potentially sensitive data through a chain you no longer control.
Today, CVs are anonymized before being sent to ChatGPT, and the DPO is tearing their hair out.
This manual anonymization is the symptom of tooling that was not designed for candidate data. It costs time, it is fallible, and it betrays a processing chain that is endured rather than chosen. The answer lies less in a workaround than in an architecture where the data does not have to leave to be useful, and where every analysis remains explainable. Hirify produces no percentage scoring of candidates: analyses stay traceable, the human decides, and client data is not used to train any model. This requirement of explainability is the very ground of the AI Act, a subject covered in our guide on the AI Act and recruitment.
The questionnaire to put in writing
The practical comparison offers a method for reading a security page in five minutes. What follows sits upstream, on the contract and RFP side: the questions to put in writing to an HR vendor, within the framework of article 28, before any commitment.
- What is the jurisdiction of the cloud provider's parent company? A company under European law closes off CLOUD Act exposure at the infrastructure level; a European region on an American provider does not.
- Where is the AI processing physically performed, and by which sub-processor? The list must be named, with the role and location of each.
- Does any data leave the Union, on what basis, and has a transfer impact assessment been carried out where applicable?
- Does the contract incorporate the mandatory clauses of article 28, with a right to object to the addition of a new sub-processor?
- Is client data used to train a model, and are the analyses produced explainable without percentage scoring?
An evasive answer to any of these questions is not proof of bad faith, but it deprives the DPO of the ability to map the chain. And a chain you cannot map cannot be declared sovereign, whatever the flag displayed on the homepage.
Frequently asked questions
Does hosting in France suffice to make data sovereign?
No. The datacenter's location says where the data sleeps, not which law can claim it. What determines exposure to the Cloud Act is the jurisdiction of the cloud provider: a company under American law can be compelled to hand over data it holds, wherever it is stored, including in France. Sovereignty therefore hinges on the provider's jurisdiction and on where the processing is actually carried out, not just on the server's flag.
Does the Cloud Act reach data stored in Europe?
Yes, as soon as the provider falls under American law. The 2018 text requires a provider subject to United States jurisdiction to hand over, on legal order, the data it holds, whether that data is located inside or outside the country. A company with a parent company, a subsidiary, or a branch in the United States can be affected, regardless of the hosting region announced.
Is SecNumCloud mandatory for a recruitment tool?
No, no rule imposes the SecNumCloud qualification on an HR vendor. It is a demanding ANSSI framework that a DPO can choose to require, not a legal minimum. It aims in particular to withstand an order based on an extraterritorial law, through criteria such as a registered office in the Union and a majority-European capitalization. ANSSI itself recalls that the qualification does not exempt a service from the application of the law: hosting in France is not enough if the processing, the administration, and the decisions are not too.
Is candidate data sensitive data?
Sometimes, and that is the difficulty specific to recruitment. Most of a candidate's information is ordinary personal data, but an interview brings up without warning origin, health, beliefs, or sexual orientation, which fall under the special categories of article 9 of the GDPR. Their processing is in principle prohibited save for exceptions, including explicit consent. A tool that captures and structures the material of an interview must therefore be designed for this risk, not just for general compliance.
Key takeaways
- The sovereignty of data depends on the provider's jurisdiction, not the server's location: data in France on an American provider remains exposed to the CLOUD Act.
- Schrems II invalidated the Privacy Shield for reasons of surveillance and remedies, not technology: since then, any transfer outside the Union requires an assessment and supplementary measures.
- SecNumCloud is a sovereignty framework a DPO can require, with criteria on registered office and capital; ANSSI recalls that hosting in France is not enough if the processing and decisions are not too.
- The article 28 sub-processing contract is the concrete lever: named list of sub-processors, location of processing, framed transfers.
- Candidate data can fall under the special categories of article 9; Hirify relies on Scalingo in France, with no candidate data outside the European Union, no percentage scoring, and publishes its sub-processors.