100% EU. By design, not by toggle.
Your data lives on Dutch and German hardware, owned and operated by a Dutch company. No US parent, no US Cloud Act exposure, no surprises.
- Storage and compute in NL and DE only
- Privately owned Dutch company since 2008
- GDPR by default, eIDAS-ready
- Renewable energy across all data centers
100% EU-owned, EU-hosted and EU-operated, your data is never accessible under the US CLOUD Act.
US-controlled cloud providers cannot guarantee EU data sovereignty
The 2018 US CLOUD Act gives US authorities the right to compel American companies to hand over data, even when that data sits on European servers. Microsoft, Google, Amazon and Dropbox have all confirmed this applies to them. For European public sector, healthcare and legal organisations, that's incompatible with GDPR and sectoral law. vBoxxCloud is owned by a Dutch company, operated by Dutch staff, and runs on EU-owned infrastructure, placing it outside the reach of foreign data-access laws. Sovereignty also means knowing exactly who can see your data. We publish our full subprocessor list, the legal entities involved, and where each one is established. Any change is announced 30 days in advance, so you always have time to review or object.
How sovereignty is guaranteed
vBoxx B.V. is a 100% privately held Dutch company with no foreign shareholders, no US parent, and no investment from non-EU funds.
Servers run in Tier-3 data centres owned by EU companies (TrueServer, Hetzner). No AWS, Azure or Google Cloud anywhere in the stack.
Support, engineering and operations staff are based in the Netherlands. No US-controlled subprocessors handle your data, full list published in our Trust Center.
Where sovereignty is non-negotiable
Dutch municipalities and German state agencies use vBoxxCloud for citizen data that cannot be exposed to non-EU jurisdictions.
Hospitals and clinics rely on NEN 7510 alignment and EU-only processing for patient records.
Law firms and M&A teams keep privileged material outside the reach of foreign data-access laws.
Sovereignty guarantees
- 100% Dutch-owned, no foreign shareholders
- EU-based engineering and support staff
- EU-only subprocessors, full list published
- EU-owned Tier-3 data centres (NL, DE)
- No AWS, Azure or Google Cloud in the stack
- Annual independent ISO 27001 audit
True sovereignty vs 'EU region' marketing
- Outside the scope of US CLOUD Act and FISA 702
- GDPR Schrems II-compliant by default, no SCCs required
- Suitable for Dutch BIO, German BSI C5 and healthcare NEN 7510 workloads
- Operated by US-headquartered Microsoft Corp.
- Subject to CLOUD Act regardless of data location
- Partnership with EU partners but governed by US law
- Subprocessor list includes US entities
Frequently asked questions
What exactly is the US CLOUD Act risk?+
The CLOUD Act allows US authorities to compel any US-based company to disclose customer data, including data stored on EU servers. Because vBoxxCloud has no US presence and no US subprocessors, it falls outside this jurisdiction.
Is vBoxxCloud Schrems II-compliant?+
Yes. Because no personal data is transferred outside the EU, no Standard Contractual Clauses or Transfer Impact Assessments are required. We provide a ready-made GDPR Article 28 DPA on request.
Can I see the list of subprocessors?+
Yes. The full subprocessor list is published in our Trust Center and updated 30 days before any change. All subprocessors are EU-based.
Do you support the Dutch BIO and German BSI C5 frameworks?+
Yes. vBoxxCloud is used by Dutch municipalities under the BIO baseline and undergoes annual BSI C5 attestation for German public sector customers.
Can you sign a DPA with our standard clauses?+
We provide a GDPR Article 28 DPA covering EU-only processing. We can also review reasonable customer-supplied addenda as part of the contracting process.
What happens to my data if I leave?+
You can export all data at any time. After contract termination we delete data within 30 days and provide a written deletion confirmation on request.