US CLOUD Act

Company data is not simply technical information. It contains knowledge, processes, customer information, contracts, internal workflows, project statuses, conversation content, decisions, and often also trade secrets.

Especially when using AI, it is therefore crucial where data is processed, who may technically have access, and which legal jurisdiction a service provider is subject to.

An important topic in this context is the US CLOUD Act.

The exact name is:

Clarifying Lawful Overseas Use of Data Act, or CLOUD Act for short.

The CLOUD Act is a US law from 2018 that, among other things, supplemented the US Stored Communications Act. Under 18 U.S. Code § 2713, certain US providers may be required to disclose data that is in their possession, custody, or control, regardless of whether that data is stored inside or outside the USA.

What does the US CLOUD Act regulate?

The CLOUD Act is intended to make it easier for law enforcement authorities to access electronic information, especially when data is stored with globally operating communications or cloud providers. The US Department of Justice describes the purpose primarily in connection with investigations into serious crimes and electronic evidence.

Important: the CLOUD Act does not mean that US authorities may access all data arbitrarily and without due process. It concerns legal disclosure requests against providers that are subject to US jurisdiction.

For European companies, the point remains relevant: it is not only the storage location that matters, but also which legal system the provider is subject to and whether it can technically control data.

Why is this critical for company data?

For companies, the CLOUD Act is critical above all because data sovereignty is not created solely by a data center in Europe.

If a provider is subject to a non-European legal system and at the same time has access to data or can control data, legal conflicts may arise. This applies in particular to confidential company data, trade secrets, internal communication, sensitive customer data, project data, technical documentation, or AI knowledge bases.

From a data protection perspective, there is also the fact that the GDPR imposes special requirements on transfers of personal data outside the European Economic Area. The European Data Protection Board points out that, in international data transfers, a level of data protection essentially equivalent to European protection must be maintained.

European data protection authorities also see a risk when particularly sensitive data is stored with providers that are not subject exclusively to European law. The French data protection authority CNIL points out that data held by companies subject to non-European law may be exposed to the risk of disclosure to foreign authorities. For particularly sensitive processing, it recommends providers that are subject exclusively to European law and offer an adequate level of protection.

What does this mean for AI systems?

AI systems often process particularly valuable company information. This includes, for example, documents, internal knowledge bases, system configurations, chat histories, meeting content, project folders, process knowledge, customer data, and technical information.

When such data is fed into AI systems, it must be clearly regulated:

  • where data is stored and processed,
  • which service providers are involved,
  • which legal system these service providers are subject to,
  • which accesses are technically possible,
  • which data is encrypted or stored separately,
  • which data can be exported, deleted, or restricted,
  • whether and how customer data is used for AI functions.

For Vimmera, the following is therefore clear:

AI must not shift company knowledge uncontrollably into external systems. AI must be designed so that data sovereignty, security, and transparency are preserved.

How has Vimmera structured this?

Vimmera develops and operates AI solutions for companies with a special focus on data protection, data security, and controlled data processing. The technical structure is designed to avoid unnecessarily exposing company data, limit access, and keep data flows traceable.

European-oriented processing

When designing its software, data, and hosting structure, Vimmera relies on processing that is as European-oriented as possible. The goal is to process company data within the EU or the European Economic Area wherever possible and to avoid third-country links or at least secure them in a controlled manner.

Only at the specific request of the customer and with clear labeling are systems used that fall under the US CLOUD Act!

Contractual and technical protective measures

When service providers are involved, this is done on the basis of suitable contractual arrangements, technical protective measures, and documented responsibilities.

These may include in particular:

  • data processing agreements,
  • confidentiality provisions,
  • technical and organizational measures,
  • access restrictions,
  • encryption,
  • deletion and retention concepts,
  • logging,
  • review of subcontractors,
  • rules on storage location and data flows.

Our understanding

The US CLOUD Act shows why technical architecture and legal framework conditions must be considered together.

It is not enough to look at AI only from a functional perspective. It is also crucial whether a system fits a company’s protection requirements.

That is why Vimmera develops AI solutions not according to the principle of “everything in one big cloud,” but with a clear structure:

  • processing as European as possible,
  • controlled selection of service providers,
  • separate data areas,
  • clear access rights,
  • traceable data flows,
  • export and deletion options,
  • contractual safeguards,
  • protection of company knowledge.