Free whitepaper · data sovereignty for UK businesses
EU-sovereign by design.
Where does the data behind your website actually live, and who can be compelled to hand it over? A plain-English whitepaper on the US CLOUD Act, UK GDPR, and what data sovereignty really means for a UK small business. Read the summary below, then leave your email and the branded PDF is yours.
Double opt-in. Leave your email, download straight away, and confirm your subscription from the email we send. No spam, unsubscribe in one click.
The one question most UK businesses never ask
You know what your website looks like. You know what it says. Almost nobody can answer a simpler question: where does the data behind it actually live, and who can be compelled to hand it over? Every enquiry form, every customer email, every booking, every card payment leaves a trail of personal data on servers owned by someone, in a country with its own laws. For most UK small businesses, that country is the United States, even when the marketing page says EU data centre.
What is inside
What the US CLOUD Act is, in one plain-English sentence, and why it reaches data stored in London
Why an EU region on a US-parent provider is a residency setting, not a sovereignty guarantee
The difference between where your data sits and who can be compelled to produce it
What EU-sovereign by design actually looks like, at the foundation rather than patched on
The exact EEA and UK-hosted stack we build on, and why each choice reads well in a data-protection review
A five-minute check you can run against your own tools today
EU region is not the same as EU-sovereign
Choosing the EU region on a US provider changes where the data sits. It does not change who can be compelled to produce it. A US-parent cloud with a London data centre is still a US-parent cloud, and under the CLOUD Act a US-headquartered company can be compelled to hand over data it controls, wherever the disk physically spins. Genuine sovereignty is about the legal reach over the company that holds your data, decided by corporate headquarters and ownership, not by a dropdown. This is not anti-American. It is an honest statement of which laws apply, so you can make an informed choice instead of an accidental one.
The stack we build on
We build and run web and marketing infrastructure for UK small businesses on EEA and UK-hosted foundations, so the critical client-data path does not sit under US jurisdiction. Every site ships with this posture as standard, not as a premium add-on. Cloudflare and Stripe are retained as considered, documented exceptions rather than accidental defaults.
| Job | Provider | Where |
|---|---|---|
| Hosting | Vercel | London (lhr1) |
| DNS, email routing, CDN | Cloudflare | EU and UK edges |
| Outbound email | Resend | EU |
| Customer records (CRM) | Capsule | UK |
| Payments | Stripe (Payments Europe) | Ireland, EU entity |
| Analytics | Plausible | EU, cookieless, no Google Analytics |
You can see the current, live version of this at our sub-processor disclosure, and read the full argument in the companion article, EU-sovereign by design: the US CLOUD Act and where your data really lives.
From the whitepaper
A five-minute check for your own business
Run this against your current setup. You do not have to fix everything at once, but under UK GDPR you do have to know the answer, because the responsibility is yours.
- List every tool that touches customer data: website host, forms, email, CRM, analytics, payments, backups, chat.
- For each, find the parent company and its country of headquarters, not the data-centre region.
- Mark anything with a US parent that holds identifying personal data.
- Ask each supplier for its sub-processor list and its DPA. A supplier that cannot produce these quickly is telling you something.
- For anything flagged, decide: is there an EEA or UK-hosted alternative that does the same job? Often there is.
If you would like this done for you
Your data, your jurisdiction, handled for you
Reading the paper is one half. The other half is building and running your website and the systems around it on EEA and UK-hosted foundations, week after week, with the sub-processor discipline kept current. That is the UK Web Marketing job: built and run for you, on one bill, with one accountable point of contact and no lock-in, from around £295 a month, quoted to your brief. It starts with a free Site Score.