SOV-EXTRA active definition

Non-EU sovereignty

Data on platforms outside the EU, governed by Standard Contractual Clauses.

// What it means

SOV-EXTRA covers the cases in which part of the system, or the entire workload, resides on platforms outside the European Union. Typically these are managed services of US hyperscalers (AWS us-east, GCP us-central, Azure US) or proprietary AI models (OpenAI, Anthropic, Google) whose endpoint resides outside the EU.

When we resort to SOV-EXTRA, the international transfer of personal data is governed by Standard Contractual Clauses approved by the EU Commission, supplemented by a Transfer Impact Assessment that evaluates the specific risks of the destination country. For transfers to the US after Schrems II, the SCCs alone are often not sufficient because of the CLOUD Act and FISA 702. For this reason we add concrete supplementary technical measures: typically at-rest and in-transit encryption with keys managed by the client (BYOK/HYOK), tokenization of sensitive fields, pseudonymization and minimization of the transferred payload.

The client receives explicit documentation on what is transferred, where, why, and which supplementary technical measures have been applied. It is a conscious choice: we use it when a feature is not replicable in the EU (e.g. frontier AI models) or when the client accepts the trade-off in exchange for specific technical capabilities. It is never the default choice.

// Where the data resides

Where the data physically resides

  • Compute: US/Asia regions of AWS, GCP, Azure, Cloudflare
  • Proprietary AI: OpenAI (US), Anthropic (US), Google (US/global)
  • Backup: Cross-region within the same provider
  • CDN: Global edge network (Cloudflare, Fastly)
  • Governance: SCC + TIA + DPA + supplementary measures (BYOK, tokenization, pseudonymization)

// When to choose it / when not to

Choose it when

  • A feature is not available in the EU (e.g. GPT-4 Vision, Claude Opus, Gemini Pro)
  • Global workloads where latency outside the EU is a requirement (worldwide e-commerce, gaming)
  • Non-personal and non-sensitive data where the SCC regime is sufficient
  • Rapid prototyping before a possible SOV-EU/IT migration in production

Avoid it when

  • Sensitive personal data (health, biometrics, criminal records) without adequate jurisdiction
  • Public administration and public in-house entities, except for justified and authorized exceptions
  • Sectors bound by law to EU jurisdiction (e.g. DORA: data localization for critical functions and strict control of ICT subcontracting to third countries)
  • The client explicitly requires EU or IT sovereignty

// Compliance and standards

Regulatory references and standards applicable to the SOV-EXTRA sovereignty level.

  • SCC: Standard Contractual Clauses (EU Decision 2021/914) · rarely sufficient on their own for the US, must be supplemented
  • TIA: Transfer Impact Assessment case by case, often concluding with residual risks
  • Supplementary measures: Additional technical measures required post-Schrems II: BYOK/HYOK, tokenization, pseudonymization
  • GDPR Art. 46: Transfers with adequate safeguards
  • DPF: EU-US Data Privacy Framework · valid only for certified US companies · subject to possible future CJEU invalidations
  • CLOUD Act · FISA 702: Mandatory disclosure of the risks of access by US authorities

// Specific FAQ

Is it legal to transfer EU personal data outside the EU?

Yes, if governed by adequate mechanisms: SCC, BCR, adequacy decisions (e.g. EU-US DPF for certified US providers). For the US, post-Schrems II, the SCC must typically be supplemented by technical supplementary measures (encryption with keys managed by the client, tokenization). We always provide complete documentation with the TIA and the measures applied.

What happens if the EU-US adequacy decision is invalidated again?

It has already happened (Schrems II, 2020). For this reason, for every SOV-EXTRA project we maintain a pre-approved SOV-EU migration plan, activatable in case of a regulatory change.

Can I use ChatGPT/Claude in SOV-IT or SOV-EU?

Not with their public endpoints, which are SOV-EXTRA by definition. To stay in SOV-IT/EU we use equivalent open-source models (Qwen, Mistral Large, Llama 3.1) hosted in the EU or IT.
