Sovereignty Isn’t Where Your Data Lives - It’s Who Holds the Strings

  • Writer: David Long
  • Jul 29
  • 4 min read

Updated: Aug 8

Australian man in data centre with puppet strings, illustrating CLOUD Act control over data sovereignty.
Data location ≠ data control. The CLOUD Act doesn’t care where it lives - only who owns the strings.

Why Microsoft’s CLOUD Act Admission Is a Wake-Up Call for Australia - and What Real Backup Independence Looks Like

When Microsoft’s legal director told a French Senate hearing in July 2025:

“No, I cannot guarantee that data stored in EU data centers will not be transmitted to U.S. authorities,”

…he didn’t just confirm a European risk. He revealed the strings - and who’s holding them.

Because if France, a country with GDPR protections and strict data residency mandates, can’t get a guarantee… what hope do we have here in Australia or New Zealand?

Hand reaching into cloud graphic showing Australia, EU, and France, symbolising CLOUD Act reach over data stored with U.S. providers regardless of location.
Your flag doesn’t matter. Theirs does. The CLOUD Act lets U.S. authorities reach into foreign clouds - if the provider’s American.

The CLOUD Act Doesn’t Respect Borders

The U.S. CLOUD Act (Clarifying Lawful Overseas Use of Data Act) allows U.S.-headquartered tech companies - like Microsoft, Google, and Amazon - to be compelled to hand over customer data regardless of where that data is physically stored.

Even if:

  • The data resides in a Sydney or Singapore data centre

  • It belongs to an Australian government agency or regulated financial institution

  • It’s governed by local contracts or sovereign retention agreements

If the company is U.S.-based, a valid order means the data must be surrendered. No court in Australia. No customer notification. No consent from local authorities.


The law follows the vendor, not the data.


This isn’t hypothetical. It’s a matter of compliance, jurisdiction, and control.


Why Australia Is More Exposed Than the EU

Unlike the EU, Australia has no legal “blocking statutes” that limit how foreign governments access locally stored data. We have no GDPR-style data adequacy framework. No legislative resistance to U.S. discovery orders.

We’ve been relying on contracts, cloud marketing, and blind trust. Microsoft’s own admission proves that’s no longer enough.

This raises a brutal truth:

Even with your SaaS data “hosted in Australia,” you may still be subject to foreign access and oversight.


Split-screen graphic comparing SaaS vendor-controlled backups versus Keepit-controlled backups. Left side shows a hand holding a key to a cloud labeled “Controlled by SaaS Vendor” with Microsoft and Google logos. Right side shows a hand holding a key to a cloud labeled “Controlled by You”
You can't own your data if you don’t control your backup. Keepit gives you the keys - and keeps vendors out.

The Sovereignty Mirage

Many organisations assume that selecting an Australian region or ticking the “local storage” box in a cloud console guarantees compliance.

But let’s be clear: Data stored on Microsoft 365, AWS, or another public cloud is still governed by that vendor’s identity systems, policy controls, and legal obligations - including foreign laws like the U.S. CLOUD Act.

You don’t control the infrastructure. You don’t control access. You don’t even control your backups.

And when something breaks - whether it’s ransomware, a misconfiguration, or foreign legal action - your recovery path could disappear with it.

That’s why true resilience demands more than just “local storage.” It demands independence from the platform you’re protecting.


Side-by-side comparison of cloud backup approaches. Left shows a dark Microsoft 365 cloud labeled “Identity,” “Backup,” “Policies,” and “Control,” representing a platform-tied, single point of failure. Right shows a glowing blue Keepit cloud labeled “Immutable, Sovereign, Independent,” highlighting platform independence, air-gapping, and user-controlled keys.
Resilience starts with independence. Don’t back up inside the blast zone.

The Case for Backup Independence

In this new reality, resilience isn’t just about having a copy of your data. It’s about where that copy lives. Who controls it. And who can’t touch it.

That’s why FullBackup has partnered with Keepit - the only independent SaaS backup provider built from the ground up to deliver:


  • Immutable, air-gapped backups

  • Sovereign hosting in Australia

  • No dependency on U.S. cloud platforms

  • Support for Microsoft 365, Entra ID, Google, Salesforce, Jira, DevOps, and more


Keepit stores your data outside the Microsoft ecosystem. It has no shared policy engine, no common identity framework, and no exposure to the same legal orders.

When Microsoft says they can’t guarantee sovereignty, we can confidently say - we’re not part of their risk.


The law follows the vendor, not the data center - CLOUD Act
Your data might be stored in Australia - but if the vendor answers to U.S. law, so does your data.

Sovereignty, Compliance & Control: CPS 230 and Beyond

With the introduction of CPS 230, Australia’s financial institutions face growing pressure to prove operational resilience and third-party independence.

And yet - too many still rely on SaaS vendors for backup. The same vendors that:

  • Own the infrastructure

  • Write the policies

  • Can be legally compelled to comply with foreign subpoenas

That’s not resilience. That’s risk by design.

True operational independence requires:

  • Separate control planes

  • Legally isolated storage

  • Guaranteed restore paths outside the production platform

That’s what Keepit delivers. And that’s what FullBackup enables - as a valued Keepit resale partner, we can get you protected in minutes, not days or months. Immutable. Independent. Fully compliant.


The Leadership Lesson

Microsoft’s admission in France wasn’t a bug in the system. It was a feature of how global cloud platforms operate.

For too long, backup has been seen as a “nice to have” - until it’s too late.

Now, we know:

  • You can't outsource responsibility just because you outsourced infrastructure

  • You can’t afford to confuse uptime with recovery

  • And you definitely can’t equate data hosting with sovereignty


Digital map of Australia with a central glowing Keepit cloud icon surrounded by compliance features: Essential Eight aligned, CPS 230 compliant, sovereign, air-gapped, hosted in Australia, recovery-first, and immutable. The image asks, “Is your SaaS backup ready for Australia’s compliance demands?” and emphasizes resilience, sovereignty, and control.
SaaS backup that’s sovereign, compliant, and ready for CPS 230. Keepit. Delivered by FullBackup.

Final Word

Your SaaS provider’s job is to keep the lights on.

Your job is to ensure your data survives when they don’t.

So if you’re storing all your backups inside the same legal and technical framework as your production environment - ask yourself:


  • What happens when that system fails?

  • Who really owns your recovery?

  • And who has the final say over your data?


If the answer isn’t you - let’s fix that.


Talk to FullBackup. We’ll show you what real backup independence looks like - immutable, sovereign, and under your control.

Book a demo, start a pilot, or just talk to us: https://lnkd.in/gx5cK_2i

1 Comment

Guest
Aug 01
Rated 5 out of 5 stars.

Very insightful
