EuroComply
Sign up

Is OneTrust CLOUD Act exposed?

Yes. As a US-headquartered provider, OneTrust (72/100, US-Dominant tier) is subject to the US CLOUD Act via its parent company — even where EU data residency is offered. Legal entity: OneTrust LLC (Atlanta, Georgia, USA). Data residency: EU hosting options offered; US-incorporated parent. Scores are independently assessed by EuroComply.

  • Score: 72/100 (US-Dominant tier, range 51–80)
  • US-headquartered company. Subject to CLOUD Act via parent company even with EU data residency.
  • Legal entity: OneTrust LLC (Atlanta, Georgia, USA)
  • Data residency: EU hosting options offered; US-incorporated parent
Score72/100
TierUS-Dominant
Score range51–80
Legal entityOneTrust LLC (Atlanta, Georgia, USA)
Data residencyEU hosting options offered; US-incorporated parent
Source: EuroComply CLOUD Act Score Methodology (2026-05-11)Reviewed:

OneTrust

US-Dominant
72
out of 100
0 — Fully Sovereign100 — Full Exposure

US-headquartered company. Subject to CLOUD Act via parent company even with EU data residency.

Assessment Inputs

Legal Entity
OneTrust LLC (Atlanta, Georgia, USA)
Data Residency
EU hosting options offered; US-incorporated parent

Reviewed on · Score version: v1.0 · Methodology

Reasoning

OneTrust is US-headquartered and US-incorporated, so it is subject to the US CLOUD Act via its parent entity even where EU data residency is offered. EU buyers should review its DPA, subprocessors, and transfer impact assessment inputs.

Embed This Badge

Add this badge to your trust page, security documentation, or vendor RFP responses. Each embed links back to this verified score page.

CLOUD Act Exposure: 72/100Live badge — updates automatically
HTML
<a href="https://eurocomply.app/cloud-act-scores/onetrust">
  <img src="https://eurocomply.app/api/cloud-act/badge/onetrust.svg" alt="CLOUD Act Exposure: 72/100" width="140" height="28" />
</a>
Markdown
[![CLOUD Act Exposure: 72/100](https://eurocomply.app/api/cloud-act/badge/onetrust.svg)](https://eurocomply.app/cloud-act-scores/onetrust)

Frequently Asked Questions

Is OneTrust CLOUD Act exposed?
Yes. As a US-headquartered provider, OneTrust (72/100, US-Dominant tier) is subject to the US CLOUD Act via its parent company — even where EU data residency is offered.
What is OneTrust's CLOUD Act Exposure Score?
OneTrust scores 72/100 on EuroComply's CLOUD Act Exposure Index — the US-Dominant tier (range 51–80). US-headquartered company. Subject to CLOUD Act via parent company even with EU data residency.
How is the CLOUD Act Exposure Score calculated?
EuroComply assesses each vendor's legal entity, data residency, and cloud infrastructure against a published v1.0 methodology: 0 = fully EU-sovereign, 100 = full US law-enforcement access. See https://eurocomply.app/cloud-act-scores/methodology.

This score is an independent assessment by EuroComply based on publicly available information about OneTrust's legal entity, data residency, and cloud infrastructure. It reflects the CLOUD Act Exposure Score standard v1.0 as published at /cloud-act-scores/methodology. This is informational only and does not constitute legal advice. Consult qualified legal counsel for a legal opinion on CLOUD Act exposure.