Question 1

What is a sovereign cloud?

Accepted Answer

A sovereign cloud meets five criteria at the same time: a parent company in the EU/EEA without a controlling majority from third countries, full data residency including backups and sub-processors in the EU, encryption sovereignty on the customer side via BYOK or HYOK, a contractually committed resistance to third-country authorities, plus code and contract transparency with auditable sub-processor lists.

Question 2

Where exactly does Kopexa host?

Accepted Answer

Kopexa runs as SaaS in the European cloud region of Paris. Backups, logs and metadata stay in the same region. The full sub-processor list is publicly available at /legal/sub-processors. In an on-premise setup you run Kopexa on your own cloud tenant or in your own data center, including BYOK.

Question 3

Is Kopexa subject to the US CLOUD Act?

Accepted Answer

No. The CLOUD Act applies based on where the parent company is located, not on where the data sits. Kopexa GmbH is based in Germany, with no US parent and no US controlling majority. US authorities have no legal route to compel Kopexa to hand over data. By comparison: US providers with a Frankfurt data center are fully subject to the CLOUD Act, regardless of where the data is stored.

Question 4

What is Kopexa's position on Schrems II?

Accepted Answer

Schrems II targets data transfers to the US. Since Kopexa carries out no data processing outside the EU/EEA and has no US group as its parent, the core Schrems II requirements are met. You can sign the data processing agreement (DPA), including standard contractual clauses, directly in self-service at avv.kopexa.com, with no sales contact required.

Question 5

Does Kopexa offer BYOK (Bring Your Own Key)?

Accepted Answer

Yes, exclusively in the on-premise setup. If you run Kopexa on your own cloud tenant or data center, the platform integrates with your KMS (AWS KMS, Azure Key Vault, GCP KMS) or your own HSM. Key rotation and key revocation are entirely in your hands. In the SaaS setup, provider-managed key management with AES-256 is used.

Question 6

Does Kopexa have a BSI C5 attestation?

Accepted Answer

Not currently. The ISO 27001 certification is also in preparation. We already run our ISMS along aligned controls and provide self-assessment documentation on request. Reach out to us directly if certification status is decisive for you.

Question 7

How do I spot sovereign washing with other providers?

Accepted Answer

Ask five questions: 1) Where is the beneficial owner registered? 2) Are all sub-processors publicly listed and located in the EU? 3) Is BYOK offered, and in which tier? 4) What contractual guarantee exists for resisting third-country requests? 5) Are the DPA, SCCs and sub-processor list public, or at least transparent during the sales process? Three or more points covered means sovereignty-capable. See the Sovereign Washing Guide for detailed guidance.

Question 8

What does open source have to do with sovereignty?

Accepted Answer

Open source enables independent verification. Closed black-box providers are risky from a sovereignty perspective, because customers have no proof that the marketing promises are actually kept on a technical level. Kopexa publishes KSPEC, our compliance check standard, under the Elastic License v2 on GitHub. This makes the core compliance check logic publicly auditable and not tied to Kopexa as a vendor.

Hosted in Europe.
Controlled by Europeans.

What makes a cloud sovereign. Truly.

1. Parent company in the EU

2. Data residency in the EU

3. Encryption sovereignty (BYOK)

4. Authority access and legal recourse

5. Code and contract transparency

Three industries where sovereignty is non-negotiable.

Public authorities & public sector

Banks & financial services

Healthcare & pharma

Frequently asked questions about cloud sovereignty

Sovereignty with no compromise on functionality.

30-minute platform walkthrough

Read the Sovereign Washing Guide

ISMS software in action

Hosted in Europe.Controlled by Europeans.

What makes a cloud sovereign. Truly.

1. Parent company in the EU

2. Data residency in the EU

3. Encryption sovereignty (BYOK)

4. Authority access and legal recourse

5. Code and contract transparency

Three industries where sovereignty is non-negotiable.

Public authorities & public sector

Banks & financial services

Healthcare & pharma

Frequently asked questions about cloud sovereignty

01What is a sovereign cloud?

02Where exactly does Kopexa host?

03Is Kopexa subject to the US CLOUD Act?

04What is Kopexa's position on Schrems II?

05Does Kopexa offer BYOK (Bring Your Own Key)?

06Does Kopexa have a BSI C5 attestation?

07How do I spot sovereign washing with other providers?

08What does open source have to do with sovereignty?

Sovereignty with no compromise on functionality.

30-minute platform walkthrough

Read the Sovereign Washing Guide

ISMS software in action

Hosted in Europe.
Controlled by Europeans.