EuroComply
v1.0 — Published 2026-05-11

CLOUD Act Exposure Score
Methodology v1.0

A 0–100 score measuring how exposed a SaaS vendor's customer data is to compelled disclosure by US law enforcement under the CLOUD Act (18 USC §2713). Lower is better. 0 = fully EU-sovereign. 100 = full US exposure.

This is a frozen public standard. Inputs and weights will not change without issuing v2.0 with a migration notice. It is intended to function like the EU AI Act articles themselves — a stable reference point EU procurement officers can cite.

The Formula

The CLOUD Act Exposure Score is computed from five weighted inputs, each scored 0–100 within its dimension, then aggregated into a single composite score (0–100). A score of 0 represents zero theoretical CLOUD Act exposure based on available public information. A score of 100 represents maximum exposure.

Composite formula
ExposureScore =
LegalEntityScore × 0.40
+ DataResidencyScore × 0.25
+ CloudProviderScore × 0.20
+ SubsidiaryScore × 0.10
+ ContractualScore × 0.05
Result is rounded to the nearest integer. Range: 0–100.

Scoring Inputs

Each factor is listed with its weight (the maximum number of points it can contribute to the composite), what is measured, how it is verified, and the sovereign (low-score) and exposed (high-score) ends of its 0–100 scale.

Factor: Legal entity HQ
Weight: 40 pts
What is measured: Where the operating legal entity (not just a sales office) is incorporated and headquartered.
Verified via: Companies House (UK), Handelsregister (DE), Infogreffe (FR), or the national business registry of the relevant EU member state. Cross-referenced with annual reports.
Sovereign (low score): EU/EEA-incorporated entity with no US parent.
Exposed (high score): Incorporated in the US, or an EU entity 100%-owned by a US parent.

Factor: Data residency
Weight: 25 pts
What is measured: Where customer data is physically stored and processed, at rest and in transit.
Verified via: The vendor's publicly stated DPA/Privacy Policy, Subprocessor list, and Trust Center. Spot-checked against IP geolocation of the infrastructure.
Sovereign (low score): EU-only residency with a contractual prohibition on transfers.
Exposed (high score): US-hosted, or no contractual guarantee.

Factor: Cloud provider ownership
Weight: 20 pts
What is measured: Whether the underlying cloud infrastructure is owned and operated by a US-headquartered company.
Verified via: Published Subprocessor list or infrastructure disclosure. For IaaS: whois and ASN ownership of the IP ranges.
Sovereign (low score): EU-sovereign cloud: Hetzner, Scaleway, OVHcloud, Infomaniak, Exoscale, IONOS (EU entity).
Exposed (high score): AWS, Azure, GCP, Oracle Cloud, or any US-parent IaaS/PaaS.

Factor: US subsidiary / affiliate
Weight: 10 pts
What is measured: Whether the vendor maintains a US-registered subsidiary that could receive a CLOUD Act order on behalf of the parent.
Verified via: SEC EDGAR, state business registries (Delaware, California), LinkedIn headcount in the US, company filings.
Sovereign (low score): No US-registered entity, no US employees.
Exposed (high score): Active US subsidiary, or US-based R&D or support teams with system access.

Factor: Contractual protections
Weight: 5 pts
What is measured: Whether the vendor's DPA includes Schrems II-compliant supplementary measures and a commitment to notify customers of government requests.
Verified via: Publicly available DPA/MSA template, SCCs addendum, and a legal opinion link if provided.
Sovereign (low score): Proactive notification clause, commitment to challenge government requests, SCCs and a transfer impact assessment (TIA) on file.
Exposed (high score): No supplementary measures, no notification commitment.

Tier Definitions

0–20: Sovereign

EU-headquartered entity, EU-only data residency, EU-owned cloud provider (Hetzner, Scaleway, OVHcloud, Infomaniak, or Exoscale), no US subsidiary. Minimal theoretical CLOUD Act exposure.

Typical examples: Hetzner Cloud, Scaleway, OVHcloud, Infomaniak, Exoscale, Nextcloud GmbH

21–50: Mixed

EU entity that uses some US cloud services with EU regions (e.g. AWS Frankfurt), or, at the very top of the band, a US-headquartered vendor with EU data residency guarantees whose other factors all score near zero (the legal entity factor alone contributes 40 points for a US-incorporated vendor). Moderate theoretical CLOUD Act exposure: data is physically in the EU but the infrastructure operator is US-domiciled.

Typical examples: Companies using AWS eu-west-1 (Ireland) or eu-central-1 (Frankfurt), or Azure West Europe, with strong DPAs

51–80: US-Dominant

US-headquartered company operating EU data residency options, subject to CLOUD Act via parent company. US authorities could compel US parent to produce EU-resident data. EU data residency reduces practical exposure but does not eliminate legal exposure.

Typical examples: Salesforce (US HQ + EU data residency), HubSpot, Notion, Slack

81–100: US-Only

US company, US-hosted data, full CLOUD Act exposure. No EU data residency options, no meaningful contractual protections. US law enforcement can compel production of the data, and under 18 USC §2705(b) can obtain an order barring the provider from notifying the customer, so the customer may never learn that a disclosure took place.

Typical examples: SaaS with US-only infrastructure, no EU data residency option
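The composite formula and the tier bands above, as an added reference implementation (not EuroComply's own tooling). The weights and tier boundaries are taken from this page. The page does not state a tie-breaking rule for "nearest integer", so round-half-up is assumed here; the vendor inputs at the bottom are constructed for illustration and do not describe any real company.

```python
"""Reference computation of the CLOUD Act Exposure Score (methodology v1.0).

Added example, not EuroComply's tooling. Weights and tier boundaries follow the
published formula; the vendor inputs at the bottom are constructed and do not
describe any real company.
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict

# Factor weights exactly as published. They must sum to 1.0 so that a vector of
# 100s yields 100 and a vector of 0s yields 0.
WEIGHTS: Dict[str, Decimal] = {
    "legal_entity": Decimal("0.40"),
    "data_residency": Decimal("0.25"),
    "cloud_provider": Decimal("0.20"),
    "subsidiary": Decimal("0.10"),
    "contractual": Decimal("0.05"),
}
assert sum(WEIGHTS.values()) == Decimal("1.00")

# Tier bands as published: (inclusive upper bound, label).
TIERS = [(20, "Sovereign"), (50, "Mixed"), (80, "US-Dominant"), (100, "US-Only")]


def exposure_score(inputs: Dict[str, int]) -> int:
    """Aggregate the five 0-100 factor scores into the 0-100 composite.

    Rejects a missing or extra factor and any out-of-range value, so a typo in
    a scoring sheet cannot silently move a vendor into a different tier.
    """
    if set(inputs) != set(WEIGHTS):
        raise ValueError(f"expected factors {sorted(WEIGHTS)}, got {sorted(inputs)}")
    total = Decimal(0)
    for factor, weight in WEIGHTS.items():
        value = inputs[factor]
        if not isinstance(value, int) or not 0 <= value <= 100:
            raise ValueError(f"{factor} must be an integer in 0..100, got {value!r}")
        total += weight * value
    # "Rounded to the nearest integer": the page names no tie rule, so half-up
    # is assumed. Python's built-in round() is banker's rounding and would give
    # a different answer for x.5 totals.
    return int(total.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def tier(score: int) -> str:
    """Map a composite score to its published tier label."""
    if not 0 <= score <= 100:
        raise ValueError("score out of range")
    for upper, label in TIERS:
        if score <= upper:
            return label
    raise AssertionError("unreachable")


# Constructed inputs for a hypothetical vendor: EU-incorporated (0), EU-only
# residency with a transfer prohibition (0), hosted in a US hyperscaler's EU
# region (100), a small US support team with system access (60), and a DPA with
# SCCs but no notification clause (50). Weighted sum is 28.5 -> 29 half-up.
HYPOTHETICAL_VENDOR = {
    "legal_entity": 0,
    "data_residency": 0,
    "cloud_provider": 100,
    "subsidiary": 60,
    "contractual": 50,
}

if __name__ == "__main__":
    s = exposure_score(HYPOTHETICAL_VENDOR)
    print(f"score={s} tier={tier(s)}")
```

The hypothetical vendor lands on a .5 total on purpose: half-up gives 29 (Mixed), banker's rounding would give 28, which shows why a frozen standard should state its tie rule explicitly.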

Verification Sources

All inputs are verified against publicly available sources. EuroComply does not accept self-attestation without a corroborating public source. The following sources are used:

  • Companies House (UK) · Handelsregister (DE) · Infogreffe (FR) · KVK (NL) · Firmen-ABC (AT) · National business registries for all 27 EU member states
  • SEC EDGAR — for US public companies and their subsidiaries
  • State business registries (Delaware Secretary of State, California SOS) — for US private companies
  • ARIN / RIPE NCC / APNIC ASN records — for cloud infrastructure ownership verification
  • Vendor-published Trust Centers, Subprocessor lists, and Data Processing Agreements
  • EDPB published opinions, ECJ rulings (including Schrems II C-311/18), and national DPA guidance
  • Annual reports and 10-K filings for corporate structure and subsidiary disclosure

Legal Basis and Scope

The CLOUD Act (Pub. L. 115-141, enacted March 23, 2018) amended the Stored Communications Act (18 USC §2701 et seq.) to explicitly require US providers to produce stored data held outside the US when compelled by a lawful US government order. Section 2713 is the operative provision:

“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”

The European Data Protection Board (EDPB) Recommendations 01/2020 on supplementary measures post-Schrems II address access to transferred data by third-country public authorities, including under US law. The EDPB concluded that contractual measures alone cannot ensure protection equivalent to EU law where the importer is subject to such access, because a contract between a processor and its customer binds neither the US court issuing the order nor the authority enforcing it; a CLOUD Act order therefore overrides contract terms.

This score assesses theoretical exposure based on publicly verifiable corporate and infrastructure facts. It does not predict whether any specific government order will be issued or enforced.

Frequently Asked Questions

Why 18 USC §2713?

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, Pub. L. 115-141) was enacted in March 2018. Section 2713 requires a provider to produce data 'regardless of whether such communication, record, or other information is located within or outside of the United States.' This is the operative provision. The duty attaches to any provider subject to US jurisdiction and to data within that provider's possession, custody, or control; in practice that covers US-headquartered companies and their subsidiaries worldwide, which is why the US subsidiary factor is scored separately from the legal entity factor.

Does EU data residency protect against the CLOUD Act?

Physical EU data residency does not eliminate CLOUD Act exposure for US-owned companies. A US company storing data in a Frankfurt data center can still receive an order compelling production of that data, because the test under §2713 is possession, custody, or control, not the location of the servers. EU data residency reduces the practical likelihood of a request but does not provide legal immunity. The Schrems II judgment (C-311/18) and the EDPB's subsequent recommendations apply the same reasoning: a measure that does not bind the requesting US authority does not remove the exposure.

Does the Data Privacy Framework (DPF) resolve this?

No. The EU-US Data Privacy Framework (adequacy decision of July 2023) creates a redress mechanism for EU individuals whose data is accessed by US intelligence agencies, but it does not limit law enforcement access. Subpoenas and orders issued under 18 USC §2703, which §2713 extends to data held outside the US, are untouched by the DPF. EU DPAs, including the EDPB, have noted this limitation.

How do you verify cloud providers?

We cross-reference the vendor's publicly disclosed Subprocessor list or Trust Center with ASN ownership records (whois), IP geolocation, and, where applicable, AWS/Azure/GCP customer announcements. For EU-sovereign cloud providers, we verify incorporation records and confirm no US parent exists.
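The ASN/whois step of that check, as an added example (not EuroComply's tooling): it reads the registrant organisation and country out of an RDAP ip-network object (RFC 9083, the JSON successor to whois) and flags US-registered ranges. The two responses embedded below are constructed to mimic the shape of real registry output (RIPE-style with a network-level country, ARIN-style with the country only inside the registrant's vCard address) and are not real data; the `fetch_network` helper assumes the rdap.org redirector is reachable and is never called offline.

```python
"""Infrastructure-ownership lookup over RDAP ip-network objects (RFC 9083).

Added example, not EuroComply's tooling. Extracts the registrant organisation
and country from an RDAP response and flags US-registered ranges. Both sample
responses below are constructed (documentation address ranges, fictional
registrants); the live lookup via rdap.org is an assumption and runs only if
called explicitly.
"""
import ipaddress
import json
import urllib.request
from typing import Any, Dict, List, Optional

US_NAMES = {"US", "USA", "UNITED STATES", "UNITED STATES OF AMERICA"}


def _vcard_prop(vcard: List[Any], name: str):
    """Return (params, value) of the first jCard property called `name`, or None."""
    # jCard (RFC 7095): ["vcard", [[name, params, type, value], ...]]
    for prop in vcard[1]:
        if prop[0] == name:
            return prop[1], prop[3]
    return None


def _country_from_adr(adr) -> Optional[str]:
    """Country from a jCard adr: structured 7th field, else last line of the label."""
    params, value = adr
    if isinstance(value, list) and len(value) == 7 and value[6]:
        return value[6]
    label = params.get("label") if isinstance(params, dict) else None
    if label:
        return label.strip().splitlines()[-1].strip()
    return None


def registrant_of(network: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Registrant org name and country for one RDAP ip-network object."""
    org: Optional[str] = None
    country: Optional[str] = network.get("country")  # present in RIPE/APNIC output
    for entity in network.get("entities", []):
        if "registrant" not in entity.get("roles", []):
            continue
        vcard = entity.get("vcardArray")
        if vcard:
            fn = _vcard_prop(vcard, "fn")
            org = fn[1] if fn else None
            adr = _vcard_prop(vcard, "adr")
            if country is None and adr:
                country = _country_from_adr(adr)
        break
    return {"handle": network.get("handle"), "org": org, "country": country}


def classify(network: Dict[str, Any]) -> str:
    """'us' if registered to a US address, 'non-us' otherwise, 'unknown' if no country.

    A non-US registrant only shows where the block is registered. It can still be
    the local subsidiary of a US parent, so the org name must then be traced
    through the company registry (the legal entity factor) before scoring.
    """
    country = registrant_of(network)["country"]
    if not country:
        return "unknown"
    return "us" if country.strip().upper() in US_NAMES else "non-us"


def fetch_network(ip: str) -> Dict[str, Any]:
    """Live lookup (assumed endpoint); validates the literal so nothing else reaches the URL."""
    ipaddress.ip_address(ip)
    with urllib.request.urlopen(f"https://rdap.org/ip/{ip}", timeout=10) as resp:
        return json.load(resp)


# Constructed RIPE-style response: country carried on the network object.
SAMPLE_RIPE_STYLE = {
    "objectClassName": "ip network",
    "handle": "203.0.113.0 - 203.0.113.255",
    "startAddress": "203.0.113.0", "endAddress": "203.0.113.255",
    "country": "DE",
    "entities": [{"handle": "ORG-EX1-RIPE", "roles": ["registrant"],
                  "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                           ["fn", {}, "text", "Example Hosting GmbH"]]]}],
}

# Constructed ARIN-style response: no network-level country, address only in the label.
SAMPLE_ARIN_STYLE = {
    "objectClassName": "ip network",
    "handle": "NET-198-51-100-0-1",
    "startAddress": "198.51.100.0", "endAddress": "198.51.100.255",
    "entities": [{"handle": "EXAMP-ARIN", "roles": ["registrant"],
                  "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                           ["fn", {}, "text", "Example Cloud Technologies Inc."],
                                           ["adr", {"label": "410 Example Way\nSeattle, WA 98101\nUnited States"},
                                            "text", ["", "", "", "", "", "", ""]]]]}],
}

if __name__ == "__main__":
    for net in (SAMPLE_RIPE_STYLE, SAMPLE_ARIN_STYLE):
        print(registrant_of(net), classify(net))
```

The registrant is the only thing this lookup proves. A hyperscaler's EU ranges are routinely registered to an EU-incorporated subsidiary, so a 'non-us' result is the start of the ownership trace, not the end of it.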

How often are scores updated?

Scores are reviewed when a vendor's infrastructure or corporate structure changes materially. Vendors can request a re-review by contacting EuroComply. The v1.0 methodology is frozen — inputs and weights will not change without issuing v2.0 with a migration notice.

Can a score change over time?

Yes. A vendor that migrates from AWS to OVHcloud, or that dissolves its US subsidiary, will receive an updated score upon re-review. The score page shows the review date. Historically published scores are archived.

Version History

Version: v1.0 · Published: 2026-05-11 · Changes: Initial release. Five-factor model, 0–100 scale, four tiers.

Methodology versions are frozen. A new version number will be issued for any change to factors, weights, or tier boundaries, and existing scores will be migrated with a changelog.

This is an independent standard published by EuroComply. We assess vendors against the CLOUD Act (18 USC §2713) as interpreted by EU DPAs post-Schrems II. This document is informational only and does not constitute legal advice. Consult qualified legal counsel for a legal opinion specific to your situation.

Standard published: 2026-05-11 · License: CC BY 4.0 · Contact: [email protected]