Your data is not where you think — and it is not safe there

AWS, Azure and Google are US companies subject to FISA Section 702 (since 2008) and the Cloud Act (since 2018). Under these laws, US intelligence agencies and authorities can demand access to your data on their servers — regardless of where it is physically hosted, including a French datacentre.

This is not hypothetical: it is written into US law and regularly enforced. Client files, HR data, strategic information — everything you entrust to these providers leaves your control. Microsoft France’s Director of Public and Legal Affairs acknowledged before the French Senate in June 2025 that Microsoft could not guarantee the protection of European data against transfers to the United States.

Beyond confidentiality, dependency on a handful of dominant players creates concrete operational risks: unilateral price increases you must absorb without alternatives, service outages over which you have no leverage, contractual changes imposed from one day to the next.

Regaining control does not mean migrating everything tomorrow. It starts with knowing where you stand.

What you get

An honest map of your dependencies

  • Precise inventory of every service subject to the Cloud Act, FISA or proprietary lock-in
  • Real risk assessment by domain: cloud, email, office suite, ERP, storage
  • Reversibility analysis: can you change provider without disruption, and at what cost?

Alternatives chosen, not imposed

  • Identification and qualification of open-source or European alternatives suited to your actual context
  • Functional and technical benchmarks — not theoretical lists, tested options
  • Progressive migration strategy without service disruption, domain by domain

Hosting you control

  • Hosting in France or Europe (HDS, SecNumCloud, ISO 27001 as appropriate)
  • On-premise or private cloud for your most sensitive data
  • Multi-cloud strategy to avoid replacing one dependency with another

Real business continuity — not just on paper

  • BCP and DRP designed to work when it happens, not just when reviewed
  • Effective recovery tests — an untested BCP is a false sense of security
  • Critical system redundancy, documented degraded-mode procedures

Regulatory compliance included

  • GDPR: non-EU data transfers identified and governed, sub-processors documented
  • NIS2: resilience requirements for essential and important entities
  • Contractual reversibility and data portability clauses negotiated

Who is this for?

Profile | What sovereignty changes in practice
SMB with GDPR exposure | Client and HR data out of Cloud Act/FISA reach, documented compliance
Mid-size company with strategic data | Intellectual property and commercial information protected from economic intelligence
Large enterprise | GAFAM exposure reduction, digital ESG indicators for CSRD reporting
Public authority | Citizen data hosted in France, RGAA and REEN compliance, procurement via UGAP

Frequently asked questions

What are the US Cloud Act and FISA Section 702, and why do they matter for our data?
The Cloud Act (2018) authorises US authorities to compel operators subject to US law — including AWS, Azure, Google Cloud — to hand over data stored anywhere in the world via a warrant. FISA Section 702 (2008) allows US intelligence agencies to collect your data from these providers, even when hosted in France, without any warrant at all. These solutions can therefore be GDPR-compliant (via the EU-US Data Privacy Framework) while simultaneously making your data legally accessible — without your consent — to US authorities and intelligence services. Ekioo deploys only solutions and hosting providers outside the reach of these laws.

Does migrating to sovereign solutions cause service disruption?
Not if planned properly. Ekioo takes a progressive migration approach, domain by domain, with a coexistence phase to validate each step before switching over. Users are trained in advance. The goal is a transition that is invisible to your operational activity.

Which sovereign alternatives do you recommend for messaging and collaboration?
Depending on your context, Ekioo qualifies solutions such as Nextcloud (storage and collaboration), Matrix/Element (secure messaging), Jitsi (video conferencing), or our own ko- suite (Koopération, Konnaissance, Koprojet). These solutions are open source, hosted in France or Europe, and transfer no data outside the EU.

How does a business continuity plan actually protect our organisation?
A BCP defines how your organisation maintains its critical activities during an incident — cyberattack, outage, or disaster. It covers critical activities and their acceptable recovery time (RTO/RPO), degraded-mode procedures, crisis contacts, and tested backups. Ekioo designs, documents, and regularly tests your BCP to ensure it works when you actually need it.